Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: RPC errors

  • From: Steven M. Bellovin
  • Date: Tue Aug 12 16:55:01 2003

In message <Pine.LNX.4.33.0308121243210.814-100000@morannon.the-infinite.org>, 
"Dominic J. Eidson" writes:
>
>On Mon, 11 Aug 2003, Jack Bates wrote:
>
>> Sean Donelan wrote:
>>
>> > http://isc.sans.org/diary.html?date=2003-08-11
>> > The worm uses the RPC DCOM vulnerability to propagate. One it finds a
>> > vulnerable system, it will spawn a shell and use it to download the actual
>> > worm via tftp.
>> >
>> > The name of the binary is msblast.exe. It is packed with UPX and will self
>> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
>> > packed:
>
>Has anyone seen/heard of this virus propagating through email in any way?
>
>We appear to have been infected on a network that is very heavily
>firewalled from the outside, and are trying to track down possibly entry
>methods the worm might have had...

A large number of networks have unknown and unauthorized back doors.  
If it's a decent-sized network and you haven't audited it, don't assume 
that the firewalling is effective.  (My co-author on "Firewalls and 
Internet Security" book, Bill Cheswick, is CTO of a startup that maps 
intranets for just this reason.)


		--Steve Bellovin, http://www.research.att.com/~smb






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.