
RE: [Full-Disclosure] ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd)



> svchost.exe listens on several ports on Windows XP.
> If Microsoft is saying that it should never be on the
> internet, couldn't there be more b0f's discovered in
> the future? One peculiar service "DNS Client",
> although listening on a few random ports just about
> 1024, also runs off of svchost.exe.

svchost is a "wrapper" for services that work as DLLs instead of being
implemented with their own .EXE.
On its own it is harmful.

It is RPC which should not listen on the internet. It's a very different
matter.

Anyway, "DNS Client" is the DNS RESOLVER, that component that queries the
DNS for you... and it does not listen, as far as I know.
It opens, of course, dynamic ports >1024 as SOURCE ports, to talk to the DNS
server on target port 53... what would you expect it to do otherwise?

It also implements the dynamic record registration for DDNS, so it
REGISTERS the address of the client on the server (if instructed to do so,
and if the server supports it).


...if you don't want it, you might even want to remove resolv.conf from
your Linux box.... since it might be just as harmful..... :)


Daniele
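
An added illustration (not part of the original message) of the distinction drawn in the reply above between a port that listens and a dynamic port used only as a source port: a Python sketch that triages `netstat -ano`-style rows. The sample rows, PIDs and category names are constructed for the example.

```python
import re

# Constructed rows in the layout of Windows `netstat -ano` output (not real data).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1045      192.168.1.1:53         ESTABLISHED     1020
  UDP    0.0.0.0:1026           *:*                                    1020
  UDP    0.0.0.0:500            *:*                                    700
"""

# proto, local addr, local port, foreign addr, optional state (TCP only), PID
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$"
)

def classify(line):
    """Return (proto, local_port, pid, kind) for a socket row, else None."""
    m = ROW.match(line)
    if m is None:
        return None  # header or unrelated line
    proto, _laddr, lport, remote, state, pid = m.groups()
    lport, pid = int(lport), int(pid)
    if proto == "TCP":
        if state == "LISTENING":
            kind = "tcp-listener"           # accepts inbound connections
        elif remote.rsplit(":", 1)[-1] == "53":
            kind = "dns-client-connection"  # local port is only a source port
        else:
            kind = "tcp-connection"
    else:
        # UDP rows carry no state: a bound socket looks the same whether it is
        # a service port or a client's source port, so flag by port range only.
        kind = "udp-bound-dynamic" if lport >= 1024 else "udp-bound-low"
    return proto, lport, pid, kind

def triage(text):
    """Classify every socket row in a block of netstat-style text."""
    return [row for row in map(classify, text.splitlines()) if row]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A `udp-bound-dynamic` row needs a second look (owning service, firewall policy) before it is counted as an exposed listener.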




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html