BangBang

join:2000-07-05
West New York, NJ
·RoadRunner Cable

RPC exploits/scans

Anyone else notice an explosion in scans from RR users?
Over the past 5 hrs I've had over 700 individual IP hits from RR users in the 24.168 block. If you are in this block, which includes NYC, NJ, Staten Island, please check your system and make sure someone hasn't dropped a scanner into your system.


untroubled1
Redneck Dawg
Premium
join:2001-12-21
Omaha, NE
Here.

»Get that firewall up!
--
Using Cox Business Services (Rock "N" Roll)


Straphanger
Express is Back
Premium,Mod
join:2001-12-08
Jackson Heights, NY
·RoadRunner Cable

reply to BangBang
I would think most people with a NAT and firewall are fairly safe from what everyone is saying. The activity light on my router is pretty busy.
--
Hope, it is the quintessential human delusion, simultaneously the source of your greatest strength, and your greatest weakness.

Kip patterson
Premium
join:2000-10-23
Columbus, OH


reply to BangBang
I am no longer getting hits, and the amount of ARP traffic is down to its usual 4/sec.

I used Shields UP to check port 135, and it appears to have been blocked inbound by RR.

Edit: I no sooner posted than I noticed that the activity light was on solid. The sniffer showed that it was an attack (60 per second) on the block (10.32.x.x) used locally for the cable-side modem IP addresses. It went away in a few minutes.
[text was edited by author 2003-08-12 04:58:08]

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to BangBang
RR is not blocking port 135 here in Hawaii. That port is open on my W98SE box as of about a week ago. I have been closing it each time I boot using Trojan Hunter's Process Viewer to terminate RPCSS.exe. Since this all started yesterday, I have rebooted periodically and checked to see if the port is open before terminating RPCSS.exe. It is still open (after rebooting) as of about one-half hour ago so I know RR is not filtering it here.
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning


Straphanger
Express is Back
Premium,Mod
join:2001-12-08
Jackson Heights, NY
I thought this exploit did not apply to Win 9x systems.

Kip patterson
Premium
join:2000-10-23
Columbus, OH

reply to Mele20
I should have pointed out that the block was installed sometime late last night, between 10 pm and 4 am EDT. It would have to be blocked at the RDC, as there is no way to block it nationally at one place. I suppose it might be a local decision to do so.


Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
Around, Us
·Comcast

reply to Straphanger
said by Straphanger:
I thought this exploit did not apply to Win 9x systems.
According to MS....they may or may not be

Microsoft Security Bulletin MS03-026
said by MS03-026:
Tested Versions:
Microsoft tested Windows Me, Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003, to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.
--
Hatred causes destruction....Love causes construction


Straphanger
Express is Back
Premium,Mod
join:2001-12-08
Jackson Heights, NY
Ah Microsoft loves to protect its consumers.


Qumahlin
Never Enough Time
Premium,MVM
join:2001-10-05
united state

reply to Mele20
said by Mele20:
RR is not blocking port 135 here in Hawaii. That port is open on my W98SE box as of about a week ago. I have been closing it each time I boot using Trojan Hunter's Process Viewer to terminate RPCSS.exe. Since this all started yesterday, I have rebooted periodically and checked to see if the port is open before terminating RPCSS.exe. It is still open (after rebooting) as of about one-half hour ago so I know RR is not filtering it here.

Instead of terminating RPCSS (you are still vuln even after terminating the process), if you know you don't need RPC then disable it from the administrative tools.
--
Forum Posts:3100


TheMetrix
R.T.F.M. - P.E.B.K.A.C
Premium
join:2002-06-15
Utica, MI
 reply to BangBang
Re: RPC exploits FIX

If you are having problems with the RPC Worm Virus please go to »RPC Exploit Explained and Remedied for a fix


Straphanger
Express is Back
Premium,Mod
join:2001-12-08
Jackson Heights, NY
reply to BangBang
Re: RPC exploits/scans

There's also a note about it on Neowin.net

rr_tech

join:2002-09-17
Orleans, ON
reply to BangBang
ports 135-139 and 445 will now be filtered. it may take some time for us to get this to all divisions but i would recommend downloading the patch from windowsupdate.com and blocking those ports on your firewall.
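
An added example, not part of any post in this thread: one way to measure the kind of scan volume BangBang reports from a firewall drop log, counting distinct source IPs per /16 on the ports rr_tech lists (135-139 and 445). The log layout, sample lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the thread as being filtered: 135-139 and 445.
WATCHED_PORTS = set(range(135, 140)) | {445}

# Constructed sample lines in an iptables-style key=value layout (not real traffic).
SAMPLE_LOG = """\
Aug 11 22:14:03 gw kernel: DROP IN=eth0 SRC=24.168.12.7 DST=24.168.200.9 PROTO=TCP SPT=3312 DPT=135
Aug 11 22:14:03 gw kernel: DROP IN=eth0 SRC=24.168.12.7 DST=24.168.200.9 PROTO=TCP SPT=3313 DPT=135
Aug 11 22:14:05 gw kernel: DROP IN=eth0 SRC=24.168.77.41 DST=24.168.200.9 PROTO=TCP SPT=1045 DPT=135
Aug 11 22:14:09 gw kernel: DROP IN=eth0 SRC=24.168.130.2 DST=24.168.200.9 PROTO=TCP SPT=4410 DPT=445
Aug 11 22:14:11 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=24.168.200.9 PROTO=TCP SPT=2201 DPT=135
Aug 11 22:14:12 gw kernel: DROP IN=eth0 SRC=24.168.9.9 DST=24.168.200.9 PROTO=TCP SPT=2890 DPT=80
Aug 11 22:14:13 gw kernel: DROP IN=eth0 SRC=not-an-ip DST=24.168.200.9 PROTO=TCP SPT=1 DPT=135
"""

FIELD = re.compile(r"\b(SRC|DPT)=(\S+)")

def summarize(log_text, prefix_len=16):
    """Return {network: {port: set(source IPs)}} for hits on WATCHED_PORTS."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.IPv4Address(fields["SRC"])
            port = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete lines
        if port in WATCHED_PORTS:
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
            hits[str(net)][port].add(str(src))
    return hits

def noisy_blocks(hits, min_sources=3):
    """Networks with at least min_sources distinct sources across watched ports."""
    out = {}
    for net, per_port in hits.items():
        sources = set().union(*per_port.values())
        if len(sources) >= min_sources:
            out[net] = len(sources)
    return out

if __name__ == "__main__":
    for net, count in noisy_blocks(summarize(SAMPLE_LOG)).items():
        print(f"{net}: {count} distinct sources on ports 135-139/445")
```

Repeated hits from the same address count once, so the figure is comparable to the "individual IP hits" number quoted at the top of the thread rather than a raw packet count.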

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Qumahlin
Said by Qumahlin:
>Instead of terminating RPCSS (you are still vuln even after terminating the process), if you know you don't need RPC then disable it from the administrative tools.

Why would I still be vulnerable after terminating RPCSS as that closes port 135 and I have no other ports open?

As far as I know, I don't need it. However, some application that I got recently must be using it, otherwise, why would port 135 suddenly have become open when it has always tested closed at GRC, PC Flank, HackerWhacker, etc.? I'm leery of changing the registry values until I can figure out how and why that port suddenly became open. I thought it was possibly the update for NOD32 which I just started using that was doing it, but I have been told no in the NOD32 official forum.

I can't disable from the OLE/COM Object Viewer because I get a strange error message when I try to access the Viewer. So, I would have to change the two values associated with this manually in the registry which I have been reluctant to do since I don't know what or why the port suddenly became open.
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning

psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to rr_tech
said by rr_tech:
ports 135-139 and 445 will now be filtered. it may take some time for us to get this to all divisions but i would recommend downloading the patch from windowsupdate.com and blocking those ports on your firewall.
Do you know if the filtering is a permanent change?

Thanks,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
Around, Us
·Comcast

reply to Mele20
said by mele20:
I'm leery of changing the registry values until I can figure out how and why that port suddenly became open. I thought it was possibly the update for NOD32 which I just started using that was doing it, but I have been told no in the NOD32 official forum.
You could consider downloading....Port Explorer ....made available as a 60 day evaluation.

BTW....Gavin Coe\DiamondCS Analyst is a member at BBR.... Gavin_TH

said by DiamondCS:
What is Port Explorer?

Port Explorer allows you to see all the open ports on your system and what programs own them (called Port to Process mapping). Along with this ability it also has many tools including a packet sniffer, bandwidth throttling and country detection to name just a few. Port Explorer has an intuitive GUI that allows you to quickly see all the network activity your computer is involved in, and thanks to its ease of use is allowing people everywhere to do advanced network activities.
--
Hatred causes destruction....Love causes construction

rr_tech

join:2002-09-17
Orleans, ON

reply to psloss
said by psloss:
said by rr_tech:
ports 135-139 and 445 will now be filtered. it may take some time for us to get this to all divisions but i would recommend downloading the patch from windowsupdate.com and blocking those ports on your firewall.
Do you know if the filtering is a permanent change?

Thanks,

Philip Sloss

looks like it right now, but that may change if it dies down. we will put special access lists up, if that will cause problems for your business account. i don't know what they will do about residential customers... probably nothing. to get your IPs on a special access list, you can call and request it, if you're a business customer.

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to BangBang
I just called the National Help Desk and got a recorded message telling me that if I was affected by the worm to call 1-877-909-8333 for recorded instructions. The message went on to say that the call volume was extremely high and that if I had other reasons for calling that I should expect to be on hold for a long time. I still see no evidence of filtering here in Hawaii and no update from yesterday's notice about the worm on our status page. I am strongly opposed to the filtering on a PERMANENT basis.
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning

psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to rr_tech
said by rr_tech:
looks like it right now, but that may change if it dies down. we will put special access lists up, if that will cause problems for your business account. i don't know what they will do about residential customers... probably nothing. to get your IPs on a special access list, you can call and request it, if you're a business customer.
Just a residential customer. Pretty much all the activity I've seen on the ports that are now blocked was malicious; the filters have caused all that to cease.

Thanks,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

rr_tech

join:2002-09-17
Orleans, ON

reply to Mele20
said by Mele20:
I just called the National Help Desk and got a recorded message telling me that if I was affected by the worm to call 1-877-909-8333 for recorded instructions. The message went on to say that the call volume was extremely high and that if I had other reasons for calling that I should expect to be on hold for a long time. I still see no evidence of filtering here in Hawaii and no update from yesterday's notice about the worm on our status page. I am strongly opposed to the filtering on a PERMANENT basis.

yeah, i know for sure that the filters are in place in almost all divisions other than midsouth. no word on hawaii but it wasn't mentioned. i would imagine it'll either happen soon or never.

NHD lol, that used to be me. sure glad i'm not working there now, although there have been many calls about this on commercial. i've never seen a virus with an impact on this scale.