RPC errors
Brennan_Murphy at NAI.com
Brennan_Murphy at NAI.com
Mon Aug 11 22:05:39 UTC 2003
does anyone know if the scanning is sequential once
a range is chosen or is it random within a range?
e.g.,
1.1.1.1
1.1.1.2
1.1.1.3
etc
or
1.1.1.89
1.1.1.33
1.1.1.12
etc
-----Original Message-----
From: John Dvorak [mailto:john at dvorak.net]
Sent: Monday, August 11, 2003 5:57 PM
To: NANOG
Subject: Re: RPC errors
On Mon, 11 Aug 2003 17:33:33 -0400
Kevin Houle <kjh at cert.org> wrote:
>
> --On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm
> <MikeD at irwinresearch.com> wrote:
>
> >The DCOM exploit that is floating around crashes the Windows RPC
> >service when the attacker closes the connection to your system after
> >a successful attack. Best bet is to assume any occurrence of crashing
> >RPC services to be signs of a compromised system until proven
> >otherwise.
> >
> >http://www.cert.org/advisories/CA-2003-19.html
>
> That's good advice. Many of the known exploits cause the RPC service
> to crash after the exploit is successful. I'll point out that not all
> exploits cause the service failure. So, the absence of an RPC service
> failure is likewise not an indicator that a vulnerable machine has
> escaped compromise.
>
> Kevin
Interestingly, we have clear examples of boxes which were not infected
but on which RPC services did crash. This may suggest that the worm
also takes advantage of the unrelated RPC DOS vulnerability (2000 and
XP) which I believe MS has still not patched.
John
More information about the NANOG
mailing list