RPC errors

• Previous message (by thread): RPC errors
• Next message (by thread): RPC errors
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I just put an access list on one of our cores with some spare cpu cycles..
And 10% of the traffic looks like port 135 calls.....  Anyone else see this?
Did I break anything legitimate?

Also I still some Slammer traffic..

Mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-----Original Message-----
From: Mike Damm [mailto:MikeD at irwinresearch.com] 
Sent: August 11, 2003 6:19 PM
To: 'Drew Weaver'
Cc: 'nanog at merit.edu'
Subject: RE: RPC errors



According to Symantec it doesn't know if the system has already been
infected until it is running on the target machine, at which point the RPC
crash is imminent. It shouldn't re-infect, but further attempts from other
infected hosts will cause random reboots. 

On the plus side this one will be much easier to clean up than CodeRed,
Nimda, etc. Random J. Clueless might actually look for patches if his box is
rebooting on a regular basis.

	-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: miked at irwinresearch.com


-----Original Message-----
From: Drew Weaver [mailto:drew.weaver at thenap.com] 
Sent: Monday, August 11, 2003 2:53 PM
To: 'Mike Damm'
Cc: 'nanog at merit.edu'
Subject: RE: RPC errors

Its bloody gorgeous too, my girlfriend's pc rebooted like 9 times,
apparently the worm doesn't check to see if its already infected.

-----Original Message-----
From: Mike Damm [mailto:MikeD at irwinresearch.com] 
Sent: Monday, August 11, 2003 5:27 PM
To: 'Jack Bates'; NANOG
Subject: RE: RPC errors


The DCOM exploit that is floating around crashes the Windows RPC service
when the attacker closes the connection to your system after a successful
attack. Best bet is to assume any occurrence of crashing RPC services to be
signs of a compromised system until proven otherwise.

http://www.cert.org/advisories/CA-2003-19.html

	-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: miked at irwinresearch.com


-----Original Message-----
From: Jack Bates [mailto:jbates at brightok.net] 
Sent: Monday, August 11, 2003 1:12 PM
To: NANOG
Subject: RPC errors


I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How wide spread is this at 
this time. Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack

• Previous message (by thread): RPC errors
• Next message (by thread): RPC errors
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]