[Dshield] Massive port 135 upswing?

Frank Knobbe frank at knobbe.us
Mon Jun 14 20:24:53 GMT 2004

On Mon, 2004-06-14 at 14:24, Robinson, Dennis A wrote:
> Sounds like Welchia to me...The DCOM RPC vulnerability (first described in
> Microsoft Security Bulletin MS03-026) using TCP port 135.

Uhm... how can you possibly say such a thing? It also could be one of a
bunch of other viruses and worms, or perhaps just harmless Popup Spam.

Without analysis of the payload (perhaps by comparing hashes of the data
section of the packet) one cannot make conclusive statements about the
packet itself.

Slade was saying that he just drops this stuff at the router. Fine and
dandy, but this list is about communicating trends in port scans to make
subscribers aware of possible surges of old or new worms and other
nasties. Nels didn't ask what this could be, but he asked if others are
seeing the same trend.

This is about trending, not about identification of malware. That can
only be done by analyzing packet content.
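
The distinction the message draws between port trending and payload identification, as an added example that is not part of the original post: the same port 135 count is split by a hash of each packet's data section. The records, payload bytes, labels and the `KNOWN` table are constructed for illustration, and exact hashing only matches byte-identical payloads.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample: (source IP, destination port, TCP data section).
# Payload bytes are placeholders, not captured traffic.
RECORDS = [
    ("192.0.2.10", 135, b"constructed-payload-A"),
    ("192.0.2.11", 135, b"constructed-payload-A"),
    ("198.51.100.7", 135, b"constructed-payload-B"),
    ("198.51.100.8", 135, b"constructed-payload-A"),
    ("203.0.113.5", 135, b""),  # connection attempt with no data section
    ("203.0.113.6", 445, b"constructed-payload-C"),
]

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

# Hypothetical reference table of payloads an analyst has already identified.
KNOWN = {digest(b"constructed-payload-A"): "sample-family-A"}

def port_trend(records):
    """Per-port hit counts: all that a port-scan trend report can show."""
    return Counter(port for _, port, _ in records)

def payload_clusters(records, port):
    """Group hits on one port by the hash of their data section."""
    clusters = defaultdict(lambda: {"hits": 0, "sources": set()})
    for src, dport, payload in records:
        if dport != port:
            continue
        key = digest(payload) if payload else "no-payload"
        clusters[key]["hits"] += 1
        clusters[key]["sources"].add(src)
    return dict(clusters)

def identify(records, port, known=KNOWN):
    """Label clusters from the reference table; unknown hashes stay unidentified."""
    labels = Counter()
    for key, cluster in payload_clusters(records, port).items():
        label = key if key == "no-payload" else known.get(key, "unidentified")
        labels[label] += cluster["hits"]
    return dict(labels)

if __name__ == "__main__":
    print("port trend:", dict(port_trend(RECORDS)))
    print("port 135 by payload:", identify(RECORDS, 135))
```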

