[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd)
- To: <daniele@muscetta.com>
- Subject: RE: [Full-Disclosure] ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd)
- From: "Daniele Muscetta" <daniele@muscetta.com>
- Date: Thu, 14 Aug 2003 12:36:23 +0200 (W. Europe Daylight Time)
Sorry, Errata on my words:
> On its own it is harmful.
I MEANT: "IT IS *NOT* HARMFUL."
Daniele
>> svchost.exe listens on several ports on windows xp.
>> If microsoft is saying that it should never be on the
>> internet, couldn't there be more b0f's discovered in
>> the future? One peculiar service "DNS Client",
>> although listening on a few random ports just about
>> 1024, also runs off of svchost.exe.
>
> svchost is a "wrapper" for services that work as DLLs instead of being
> implemented with their own .EXE.
> On its own it is harmful.
>
> It is RPC which should not listen on the internet. It's a very different
> matter.
>
> Anyway, "DNS Client" is the DNS RESOLVER, that component that queries
> the DNS for you... and it does not listen, as far as I know.
> It opens of course dynamic ports >1024 as SOURCE ports, to talk to DNS
> server on target port 53... what would you expect it do otherwise ?
>
> It also implements the dynamic record registration for DDNS, so it
> REGISTERS the address of the client on the server (if instructed to do
> so, and if the server supports it).
>
>
> ...if you don't want it, you might even want to remove resolv.conf from
> your linux box.... since it might be just as harmful..... :)
>
>
> Daniele
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html