FW: [Dshield] IRC port 135 attack

Johannes B. Ullrich jullrich at sans.org
Wed Aug 20 16:49:17 GMT 2003


Port 4444 should close after the exploit is uploaded.


On Wed, 2003-08-20 at 12:31, Keith Bergen wrote:
> We continue to get attacked. I have a question.
> 
> Are exploited machines keeping TCP 4444 open? If so, then our port scanner
> bot can block infected users. We can't block TCP 135 since that is basically
> every Windows machine ever made.
> 
> I also heard that another strain had TCP 707 open. Is that true?
> 
> Keith.
> 
> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
> Of Keith Bergen
> Sent: Tuesday, August 19, 2003 7:39 PM
> To: 'General DShield Discussion List'
> Subject: [Dshield] IRC port 135 attack
> 
> 
> Well, it looks like some folks have merged some of the more popular IRC
> attacks (Fizzer, etc.) with the most popular exploit (DCOM RPC 135).
> 
> We have gotten attacked by thousands of "bots" on our network all day. They
> join the network, and then join various channels, change nicks, and
> generally obfuscate their hostmasks.
> 
> We're still battling them, but basically we still need our ISPs to block
> vulnerable systems at the routers. Otherwise, we're still taking the hit for
> them.
> 
> In short, 135 has mutated, and merged with other exploits.
> 
> Keith.
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt