 | reply to ghost16825
Re: New Worms scanning on 1025 and others said by ghost16825: Which RPC exploit is it?
Blake: My exact question too.
Everyone has been talking about this vector (tcp/1025) as an "RPC Exploit" but I haven't seen anyone discuss the specifics of the exploit and/or which MS patch is supposed to fix it.
Any idea? -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
|
|
|
 pslossPremium join:2002-02-24 Alpharetta, GA | said by NetWatchMan: Everyone has been talking about this vector (tcp/1025) as an "RPC Exploit" but I haven't seen anyone discuss the specifics of the exploit and/or which MS patch is supposed to fix it.
Based on what it looks like, it's probably one of the DCOM exploits. Using port 1025 is one of the ports that Agobot tries to exploit this. But I haven't tried to determine whether the problem is MS03-026, MS03-039, or something that was covered in the cumulative MS04-012 patch in April.
It may be that this is the same vulnerability that Blaster exploited (MS03-026), except that tcp/1025 is less likely to be filtered by consumer ISPs than MSRPC the endpoint mapper port.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|