RPC errors and latest worm

Scott Fendley scottf at uark.edu
Mon Aug 11 23:49:12 UTC 2003



As of a few moments ago the Executive Summary included your information

Executive Summary:

A worm has started spreading early afternoon EDT (evening UTC Time) and
is expected to continue spreading rapidly. This worms exploits the
Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS
Institute, and Incidents.org recommends the following Action Items:

 * Close port 135/tcp (and if possible 135-139, 445 and 593)
 * Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm
for activity related to this worm.
 * Ensure that all available patches have been applied, especially the
patches reported in Microsoft Security Bulletin MS03-026.
 * This bulletin is available at
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
 * Infected machines are recommended to be pulled from the network pending
a complete rebuild of the system.


Scott Fendley
---
Scott Fendley                           scottf at uark.edu
Systems/Security Analyst                (479) 575-2022
University of Arkansas                  (479) 575-4753 fax

On Mon, 11 Aug 2003, Stewart, William C (Bill), RTSLS wrote:

>
> According to http://isc.sans.org/diary.html?date=2003-08-11 ,
> the worm uses the latest popular MS exploit ports, so
> "	 * Close port 135/tcp (and if possible 135-139, 445 and 593) ".
>
> It also uses TCP port 4444 and TFTP = UDP 69 to download its
> attack code after getting the initial bootstrap infection.
> So you probably want to be blocking TCP 4444 and (if appropriate,
> which it usually is, TFTP), and tracing any 4444 activity and TFTPs
> to detect attacks.
>
>
>
>




More information about the NANOG mailing list