 ghost16825Use security metricsPremium join:2003-08-26 | reply to Link Logger
Re: New Worms scanning on 1025 and others Which RPC exploit is it? |
 DaDogsSemper VigilantisPremium join:2004-02-28 Deltaville, VA | reply to Link Logger Just reading this thread makes my head hurt... Worms on worms on trojans on viruses.. What's a poor old MS 98 SE, ME PC to do? What to do? I know... blow it away and install something free. So if the worm writer guys just get tired of playing this game and decide to take down all the systems they have already infected, how many systems will that be? How many of those old boxes are going to be able to run Win2K or the more heavy weight XP?
I don't mean to take the thread OT but I am interested in the idea that these guys might just decide to start formatting disks, especially if they are anti-MS people... Naw, probably not... these kids like having access to so many zombies. They aren't going to take the playground apart, unless they already have other options?
Speculation... pure speculation.... Nice work on catching this one guys. I guess you all beat the virus companies this time. Just another reason to have Microsoft take over the virus scanner industry. |
 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 Reviews:
·Shaw
| None of my computers (Win2k, XP Pro, ME, W98SE, etc) are in any danger from these worms as my firewall prevents the attack from touching any of them. Doesn't really matter what you're running anymore, a firewall is pretty well mandatory.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
 DaDogsSemper VigilantisPremium join:2004-02-28 Deltaville, VA 1 edit | said by Link Logger: None of my computers (Win2k, XP Pro, ME, W98SE, etc) are in any danger from these worms as my firewall prevents the attack from touching any of them. Doesn't really matter what you're running anymore, a firewall is pretty well mandatory.
Blake
You know that really isn't exactly true. I run a number of servers on multiple T-1's with no firewall on them. Some are MS and some are Linux and there is this sweet little BSD box, 'course she can't talk... she only has ears... but this is a Microsoft forum.... so.....
So, I have observed that if I set my virus scanner on the mail server to update once per hour (it is a MAIL server) and I set my other boxes to download and install once a day, though I do feel MS should give me the option to say check 2 or 3 or twenty times a day... still... if I do those things, my MS systems do remain secure so long as I am careful to pay attention to what MS has patched... and so long as MS is honest with me about those patches they know are necessary and have not shipped... ermmm... well so long as I pay attention to MS I'm safe and I am sure of it because I trust Microsoft implicitly to tell me if I need a patch.
Tongue in cheek taken away. My Microsoft servers have (as far as I can tell by sniffing my network and that is the ULTIMATE proof) remained secure so long as I kept up with the patches. It is just that faith in a company is hard for me. |
 BubbaGIT-R-DONEPremium,MVM join:2002-08-19 St. Andrews Reviews:
·DIRECTV
·Pickwick Cablevi..
·Comcast
| reply to Link Logger said by deltafox: What's a poor old MS 98 SE, ME PC to do?....but this is a Microsoft forum.... so
Probably no more or less than any other MS OS owner....keeping the hatches buttoned down. BTW....this is the Security Forum 
As always Blake wonderful drama in your port peekin  -- "It's 5 o'clock somewhere" *Team Z* Member |
 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 Reviews:
·Shaw
| reply to Link Logger Not worried about zero day ploits on either Windows or Linux systems? The only zero day ploits I have to worry about are for the services that I choose to expose to the internet through the firewall, otherwise they could go nuts and I wouldn't see them other than bouncing off the firewall.
For example in the article that I posted concerning script kiddies the RPC exploit on 135 was in the wild much longer than previously thought (before the patch from Microsoft), so no firewall and you could have been had (depending on what services you were running of course).
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
 DaDogsSemper VigilantisPremium join:2004-02-28 Deltaville, VA | reply to Bubba said by Bubba: said by deltafox: What's a poor old MS 98 SE, ME PC to do?....but this is a Microsoft forum.... so
Probably no more or less than any other MS OS owner....keeping the hatches buttoned down. BTW....this is the Security Forum 
As always Blake wonderful drama in your port peekin 
...erm... yeah. I knew it was a security forum Thanks for fixin' 'dis feller up on 'dat one... 
-m- |
 DaDogsSemper VigilantisPremium join:2004-02-28 Deltaville, VA | reply to Link Logger said by Link Logger: Not worried about zero day ploits on either Windows or Linux systems? The only zero day ploits I have to worry about are for the services that I choose to expose to the internet through the firewall, otherwise they could go nuts and I wouldn't see them other than bouncing off the firewall.
For example in the article that I posted concerning script kiddies the RPC exploit on 135 was in the wild much longer than previously thought (before the patch from Microsoft), so no firewall and you could have been had (depending on what services you were running of course).
Blake
Don't want you to get the wrong idea. I completely agree with your perspective. You are dead on. One absolutely should run a firewall whenever possible. We are an ISP and we have a whole bunch of users running a whole bunch of poorly written and moronic software (NOT MS) such as PALTALK and only God himself knows ... that breaks when you firewall it... I suppose we could spend weeks and weeks trying to fiddle a BSD/*nix firewall to get it all working but every week the requirements would change... so we don't. We just use the systems the vendors provide to keep our servers secure... so far it has worked... and you folks who know how to defeat our security... PLEASE DON'T... WE RECOGNIZE THE PROBLEM BUT WE CAN'T DO MUCH ABOUT IT.
Thanks.
-m- |
 | reply to ghost16825 said by ghost16825: Which RPC exploit is it?
Blake: My exact question too.
Everyone has been talking about this vector (tcp/1025) as an "RPC Exploit" but I haven't seen anyone discuss the specifics of the exploit and/or which MS patch is supposed to fix it.
Any idea? -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
 Link LoggerPremium,MVM join:2001-03-29 Calgary, AB kudos:3 Reviews:
·Shaw
| reply to Link Logger I have sample captures of two different exploits captured on TCP port 1025 here »www.linklogger.com/TCP1025.htm and I might have a couple of other captures saved somewhere on my system from my honey pots.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
 pslossPremium join:2002-02-24 Alpharetta, GA | reply to NetWatchMan said by NetWatchMan: Everyone has been talking about this vector (tcp/1025) as an "RPC Exploit" but I haven't seen anyone discuss the specifics of the exploit and/or which MS patch is supposed to fix it.
Based on what it looks like, it's probably one of the DCOM exploits. Using port 1025 is one of the ports that Agobot tries to exploit this. But I haven't tried to determine whether the problem is MS03-026, MS03-039, or something that was covered in the cumulative MS04-012 patch in April.
It may be that this is the same vulnerability that Blaster exploited (MS03-026), except that tcp/1025 is less likely to be filtered by consumer ISPs than the MSRPC endpoint mapper port.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
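Two defensive points run through this thread: Link Logger's that only the services you deliberately expose through the firewall are at risk, and Philip Sloss's that the same DCOM vector is being tried on tcp/1025 because that port is less likely to be filtered than the tcp/135 endpoint mapper. The script below is an added example written for this page, not code posted by anyone in the thread. It runs over constructed firewall log lines in a hypothetical "DROP/ACCEPT src= dst= proto= dpt=" format (an assumption, not the format of LinkLogger, SonicLogger or any real product), flags sources that sweep the two RPC/DCOM ports across several hosts, and lists which services the firewall actually accepted so you can compare that against what you meant to expose.

```python
"""Flag sources sweeping the MSRPC/DCOM ports (tcp/135, tcp/1025) and list accepted services."""
from collections import defaultdict
import re

# The two ports the thread discusses: the MSRPC endpoint mapper (135) and
# the tcp/1025 vector that consumer ISPs are less likely to filter.
DCOM_PORTS = {135, 1025}

# Hypothetical log format assumed for this example:
#   "<time> DROP|ACCEPT src=<ip> dst=<ip> proto=<TCP|UDP> dpt=<port>"
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_sweepers(lines, min_targets=3):
    """Return {src: [dst, ...]} for sources that hit a DCOM port on >= min_targets distinct hosts.

    A single probe of tcp/1025 is noise; the same source touching 135/1025 on
    several of your addresses is the horizontal scan pattern the thread describes.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in DCOM_PORTS:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def exposed_services(lines):
    """Return the sorted list of (dst, port) pairs the firewall ACCEPTed over TCP.

    This is the inventory of what is actually reachable from outside; anything
    here that you did not intend to expose is a zero-day exposure in waiting.
    """
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "ACCEPT" and rec["proto"] == "TCP":
            seen.add((rec["dst"], rec["dpt"]))
    return sorted(seen)


# Constructed sample log lines (documentation-range addresses, not real traffic)
SAMPLE_LOG = """\
12:00:01 DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt=1025
12:00:01 DROP src=203.0.113.7 dst=192.0.2.11 proto=TCP dpt=1025
12:00:02 DROP src=203.0.113.7 dst=192.0.2.12 proto=TCP dpt=1025
12:00:02 DROP src=203.0.113.7 dst=192.0.2.13 proto=TCP dpt=135
12:00:03 ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=TCP dpt=80
12:00:04 DROP src=198.51.100.9 dst=192.0.2.10 proto=TCP dpt=1025
12:00:05 DROP src=198.51.100.9 dst=192.0.2.10 proto=UDP dpt=1025
this line is not in the expected format and is skipped
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} swept DCOM ports on {len(dsts)} hosts: {', '.join(dsts)}")
    for dst, port in exposed_services(SAMPLE_LOG):
        print(f"exposed: {dst} tcp/{port}")
```

On the sample data only 203.0.113.7 is reported as a sweeper (four hosts, mixing 1025 and 135); 198.51.100.9 touched one host on tcp/1025 and one on udp/1025, which does not meet the threshold and does not count as TCP RPC traffic. Lower `min_targets` if your address range is small.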