RPCwhore

Steve Bernard sbernard at gmu.edu
Mon Aug 18 17:35:53 GMT 2003


We are finding a lot of Microsoft boxes which are trying to join the IRC
channel #rpcwhore, but that show no other outward signs of compromise or
vulnerability. So far, all connection attempts have been to either
219.123.237.187 or 66.98.158.31. I can't find any mention of "rpcwhore" via
Google, Yahoo, etc. Given that these boxes aren't being used for warez or
the like, I am assuming that they are DDoS agents. I haven't gotten a box to
analyze yet. Has anyone else seen this before?


Regards,

Steve Bernard
Sr. Systems Engineer, NET
George Mason University
Fairfax, Virginia



More information about the unisog mailing list