Nessus Plugin and RPC Cleanup Webpage

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Wed Aug 13 18:43:42 GMT 2003


Hi all,

Two students here (Keith Bessette and Lina Pezzella) have tweaked Nessus 
plugin #11808 to more return more accurate info about RPC-DCOM 
vulnerabilities, especially when scanning Windows 95/98/ME computers (that 
Nessus previously reported as "vulnerable").  It now returns the same 
basic info as v1.04 of EEye's tool.  Find it at:

http://hogwash.uits.uconn.edu/msrpc.nasl

We have developed a webpage to help support staff respond to the 
Stealther.Trojan compromises, MS Blast infections, and RPC-DCOM 
vulnerabilities in our network.  It may be useful to other schools:

http://www.security.uconn.edu/rpc_procedure.html

We have noticed that a large number of our Windows 2000 hosts seems to 
have had TCP 135 close when RPC crashed after the worm tried 
unsuccessfully to use the Win XP offset to compromise them.  Since these 
hosts no longer have TCP 135 open they do not appear as "Vulnerable" to 
our scanners, and thus we are passing over them in our sweeps.  However, 
the guess is they will be vulnerable after they reboot and therefore are 
still at risk of being infected.  Anyone have a solution to this?

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================



More information about the unisog mailing list