Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: RPC errors and latest worm

  • From: Stewart, William C (Bill), RTSLS
  • Date: Mon Aug 11 19:39:23 2003

According to http://isc.sans.org/diary.html?date=2003-08-11 ,
the worm uses the latest popular MS exploit ports, so 
"	 * Close port 135/tcp (and if possible 135-139, 445 and 593) ".

It also uses TCP port 4444 and TFTP = UDP 69 to download its
attack code after getting the initial bootstrap infection.
So you probably want to be blocking TCP 4444 and (if appropriate,
which it usually is, TFTP), and tracing any 4444 activity and TFTPs
to detect attacks.





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.