[Dshield] New Microsoft Windows RPC vulnerability

Kenton Smith ksmith at chartwelltechnology.com
Wed Sep 17 19:56:59 GMT 2003


I'm having a little trouble making sense of this, maybe it's just the
mid-afternoon slowdown of my brain.

What do you mean by killing port 135? You must be doing something in the
O/S itself, yes? 

That really isn't necessary. The idea about blocking (not killing) port
135 to prevent infection by a DCom worm (or other such nasty traffic),
is to stop incoming traffic destined for this port. If you have a
firewall, you would block this port for all incoming traffic. There is
no way that this should have any effect on services running on your
local machine.

If you don't have a firewall (network based or host based) you should
patch for the vulnerability and then go get one.

Maybe you have a completely different meaning than what I have assumed.

Kenton

On Wed, 2003-09-17 at 12:43, Keith Bergen wrote:
> A friend of mine tried to make the argument that killing port 
> 135 was good. The other problem that I have seen with killing 
> it is that the Task Scheduler relies on port 135. I found 
> that one out the hard way. I killed 135, and killed my 
> DShield submissions! They were scheduled. Also, many 
> antivirus software rely on Task Scheduler to get updates, or 
> to run scans. Those would stop.
> 
> In short, I disagreed with my friend. Port 135 is a necessary 
> evil (in my house), and if you install your network behind a 
> NAT router, you should be more safe. Let's just hope that 
> we've seen the last vulnerability of DCOM.
> 
> Now, if you don't use Task Scheduler or Winfax, or anything 
> else that relies on RPC, you should be fine, right?
> 
> Keith.
> 
> ---- Original message ----
> >Date: Wed, 17 Sep 2003 13:58:56 -0400
> >From: "Guy Barnum" <GuyBarnum at Armscole.com>  
> >Subject: RE: [Dshield] New Microsoft Windows RPC vulnerability
> >To: "General DShield Discussion List" <list at dshield.org>
> >
> >I decided to follow up on one of these DCOMbobulator plugs.  
> Has anyone else tested their client server apps against 
> DCOMbob.exe?
> >
> >The grc.com web site indicates that basically no one but 
> hackers would use DCOM to violate your computer so everyone 
> should just shut it off.
> >
> >There is a small company by the name of Symantec which uses 
> DCOM and the RPC server for their Winfax client server 
> connection.  Arguably installing winfax software could still 
> be considered a system violation...  If I found an 
> application used as widely as Winfax, which won't work with 
> DCOM turned off, in the first 5 minutes of testing 
> DCOMbob.exe surely there are many more out there and it might 
> not be a good practice to tell everyone in the whole web-
> world to start turning off DCOM.
> >
> >I can picture IT support personnel trying to figure out why 
> their client server app of choice isn't working on x number 
> of systems and how they would figure out the users have read 
> articles like this and turned off their DCOM services.
> >
> >Guy
> >
> >-----Original Message-----
> >From: Rick Leske [mailto:rick at jaray.net]
> >Sent: Tuesday, September 16, 2003 11:24 PM
> >To: General DShield Discussion List
> >Subject: RE: [Dshield] New Microsoft Windows RPC vulnerability
> >
> >
> >Well here's a better explanation: http://grc.com/default.htm
> >
> >hth,
> >
> >~Rick
> >
> >_______________________________________________
> >list mailing list
> >list at dshield.org
> >To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
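As an added illustration of Kenton's distinction between blocking inbound port 135 at the firewall and killing the local RPC service (example code, not from the thread): a small Python check over constructed firewall log lines in a made-up format that counts external sources hitting TCP/135, flags any inbound 135 connection the firewall allowed, and ignores local-origin RPC traffic (Task Scheduler, WinFax and similar) that a perimeter block does not touch. The log format, addresses and network ranges are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (assumed format, not real DShield data):
# "<date> <time> <ALLOW|DROP> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-09-17 12:01:05 DROP TCP 203.0.113.7:3421 -> 192.0.2.10:135
2003-09-17 12:01:06 DROP TCP 203.0.113.7:3422 -> 192.0.2.10:135
2003-09-17 12:01:09 DROP TCP 198.51.100.23:1057 -> 192.0.2.10:135
2003-09-17 12:02:00 ALLOW TCP 127.0.0.1:1044 -> 127.0.0.1:135
2003-09-17 12:02:30 ALLOW TCP 192.0.2.10:1045 -> 192.0.2.10:135
2003-09-17 12:03:12 ALLOW TCP 203.0.113.9:4012 -> 192.0.2.10:80
2003-09-17 12:04:40 DROP TCP 203.0.113.7:3423 -> 192.0.2.10:445
2003-09-17 12:05:01 ALLOW TCP 198.51.100.23:1058 -> 192.0.2.10:135
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (ALLOW|DROP) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$"
)
RPC_PORTS = {135}  # the DCOM/RPC endpoint mapper port the thread is about
# Assumed "inside" ranges: the LAN behind the firewall plus loopback.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def summarize_rpc_probes(log_text):
    """Return (Counter of external sources hitting port 135, list of allowed external 135 hits).

    Local-origin traffic to 135 is skipped on purpose: a perimeter block on inbound
    135 leaves those local RPC clients working, which is Kenton's point.
    """
    probes = Counter()
    violations = []  # inbound 135 from outside that the firewall let through
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in RPC_PORTS or is_local(rec["src"]):
            continue
        probes[str(rec["src"])] += 1
        if rec["action"] == "ALLOW":
            violations.append(line.strip())
    return probes, violations
```

Running `summarize_rpc_probes(SAMPLE_LOG)` on the constructed sample reports two external sources probing 135 and one allowed hit that the inbound block should have dropped.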