[Dshield] Massive port 135 upswing?

Robinson, Dennis A Dennis.Robinson at ArvinMeritor.com
Mon Jun 14 19:24:43 GMT 2004


Sounds like Welchia to me...The DCOM RPC vulnerability (first described in
Microsoft Security Bulletin MS03-026) using TCP port 135.

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.c.worm.html

Thanks,
Dennis A. Robinson
Senior Messaging Administrator
Corporate Network Services
ArvinMeritor
Troy, MI USA
(248) 435-1795


-----Original Message-----
From: Nels Lindquist [mailto:nlindq at maei.ca] 
Sent: Monday, June 14, 2004 2:58 PM
To: list at lists.dshield.org
Subject: [Dshield] Massive port 135 upswing?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Okay, something's going on.

Anyone else seeing a massive increase in port 135 hits?  Our firewall 
is currently seeing 35% CPU utilization from syslogd just keeping up 
with dropped packets; the last hourly DShield submission bounced from 
the submission queue due to size throttling on the MTA.

Looks like worm traffic--loads of different IP addresses from all 
over the place, all hitting TCP port 135.  If it's *not* worm 
traffic, could it be a DDOS attack?

- ----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFAzfUsbxRqvNchgLQRAkFEAKCWdCs1tweB7wfIG1jhFfXCfOijjACg2BOt
j7DjPdD/sKLQvrk5gDumScs=
=iJSO
-----END PGP SIGNATURE-----