
Re: [Full-Disclosure] DCOM Worm released



I can confirm that, on our currently running network with IDS and flow
data, TFTP is from the attacking source, not from any centralized
servers.

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Mon, 11 Aug 2003, Dennis Opacki wrote:

>
> Never mind. SANS now indicates:
>
> Infection sequence:
>
> 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit
>    to TARGET
> 2. this causes a remote shell on port 4444 at the TARGET
> 3. the SOURCE now sends the tftp get command to the TARGET, using the
>    shell on port 4444,
> 4. the target will now connect to the tftp server at the SOURCE.
>
>
> On Mon, 11 Aug 2003, Dennis Opacki wrote:
>
> >
> > Can anyone confirm whether the tftp transfers appear to be solely from the
> > hosts listed in the initial sans.org note (which now appear to have been
> > taken down), or is the transfer done from the infecting host?
> >
> > TIA,
> >
> > -Dennis
> >
> > On Mon, 11 Aug 2003, Joey wrote:
> >
> > > They found a worm, but since it uses tftp servers that
> > > can be taken down and since tftp is slow, it shouldn't
> > > have much of an effect.
> > >
> > > "Scans sequentially for machines with open port 135,
> > > starting at a presumably random IP address" - very
> > > stupid way to spread!
> > >
> > > http://isc.sans.org/diary.html?date=2003-08-11
> > >
> >
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
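The three-step sequence quoted from SANS (exploit to tcp/135, shell on tcp/4444, then the target pulling the payload over tftp) and Jordan's flow-data confirmation can be checked mechanically. The following is an added example, not code from the original thread or from SANS: it correlates flow records into exploit chains and, for each chain, reports whether the host the target fetched from over udp/69 is the attacking source itself or some other server. The record layout "ts proto src sport dst dport", the 300-second correlation window, and the sample flows (RFC 5737 documentation addresses) are all constructed assumptions, not any particular IDS or NetFlow export format.

```python
"""Correlate flow records for the DCOM-exploit / TFTP infection chain and
check whether the tftp pull goes back to the attacking source.

Added example (not from the original post).  Field layout, window size and
the sample flows below are assumptions/constructed data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch (constructed)
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts proto src sport dst dport."""
    ts, proto, src, sport, dst, dport = line.split()
    return Flow(int(ts), proto.lower(), src, int(sport), dst, int(dport))


def find_infection_chains(flows, window=300):
    """Return one dict per observed exploit chain.

    Step 1: SOURCE -> TARGET tcp/135   (dcom.c-style exploit)
    Step 2: SOURCE -> TARGET tcp/4444  (attacker drives the spawned shell)
    Step 3: TARGET -> X      udp/69    (target pulls the payload via tftp)

    Each step must follow the previous one within `window` seconds (an
    assumed value).  `tftp_from_source` is True when X is the attacking
    SOURCE itself, which is the claim the thread is checking.
    """
    flows = sorted(flows, key=lambda f: f.ts)
    exploit = [f for f in flows if f.proto == "tcp" and f.dport == 135]
    shell = [f for f in flows if f.proto == "tcp" and f.dport == 4444]
    tftp = [f for f in flows if f.proto == "udp" and f.dport == 69]

    chains, seen = [], set()
    for e in exploit:
        if (e.src, e.dst) in seen:          # ignore retransmitted exploit attempts
            continue
        # step 2: same source and target, shortly after the exploit
        s = next((f for f in shell
                  if f.src == e.src and f.dst == e.dst
                  and e.ts <= f.ts <= e.ts + window), None)
        if s is None:
            continue                        # a bare 135 probe, no shell follow-up
        # step 3: the target reaches out to some tftp server after the shell opens
        t = next((f for f in tftp
                  if f.src == e.dst and s.ts <= f.ts <= s.ts + window), None)
        seen.add((e.src, e.dst))
        chains.append({
            "source": e.src,
            "target": e.dst,
            "tftp_server": t.dst if t else None,
            "tftp_from_source": t is not None and t.dst == e.src,
        })
    return chains


# Constructed sample flows: one chain pulling from the attacker, one bare
# 135 probe, one chain pulling from a third host, and some web noise.
SAMPLE_FLOWS = """\
1060617600 tcp 192.0.2.10 1038 198.51.100.20 135
1060617601 tcp 192.0.2.10 1039 198.51.100.20 4444
1060617603 udp 198.51.100.20 1025 192.0.2.10 69
1060617650 tcp 192.0.2.10 1040 198.51.100.77 135
1060617700 tcp 192.0.2.44 1100 198.51.100.21 135
1060617701 tcp 192.0.2.44 1101 198.51.100.21 4444
1060617704 udp 198.51.100.21 1025 203.0.113.5 69
1060617800 tcp 198.51.100.30 2000 192.0.2.80 80
"""


def analyse(text: str):
    """Parse a block of flow records and return the detected chains."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return find_infection_chains(flows)


if __name__ == "__main__":
    for c in analyse(SAMPLE_FLOWS):
        where = "attacking source" if c["tftp_from_source"] else str(c["tftp_server"])
        print(f"{c['source']} -> {c['target']}: tftp payload pulled from {where}")
```

Run over real flow exports the same way: a chain whose `tftp_server` equals `source` supports Jordan's observation, while chains pointing at a small fixed set of other addresses would indicate centralized servers worth blocking.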