[Dshield] MS04-007 exploit

Johannes B. Ullrich jullrich at sans.org
Sun Feb 15 01:55:19 GMT 2004


Port 135/445 scans can also be due to MyDoom-B. Did you see port 80 from
the same sources?

It will require full packet captures to figure out which toy hit you.


On Sat, 2004-02-14 at 19:39, Joseph Stahley 3rd wrote:
> Hmm, looks like I got hammered with this exploit last night (2-13) 9pm PST
> when I got a lot of probes from ports 135 and 445, averaged 400 probes per
> hour for about 3 hours then it died down to about 50, and finally about 10am
> PST this morning it was down to 5 or 6 an hour. It appeared mostly from
> sites in Asia (it would have been around 1pm or 2pm in some parts of Asia).
> 
> Curious thing: I live in San Diego, CA and got a lot of probing from Asia,
> was wondering if you East Coast guys will get this from Europe-based or
> Asia-based IP addresses.
> 
> Joe
> 
> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
> Of Johannes B. Ullrich
> Sent: Saturday, February 14, 2004 4:23 PM
> To: list at dshield.org
> Subject: [Dshield] MS04-007 exploit
> 
> 
> Just a quick note that a DoS exploit is out for the ASN vulnerability.
> Works nicely. More will be posted to the diary at http://isc.sans.org
> shortly.
> 
> This is the last warning to patch your systems. The exploit is not far from
> "running arbitrary code". Looks like so far it's mostly targeting port 445
> tcp.
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm