North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: RPC errors
- From: Henry Linneweh
- Date: Tue Aug 12 18:10:21 2003
This should help some for people who are worried
"Steven M. Bellovin" <email@example.com> wrote:
In message ,
"Dominic J. Eidson" writes:
>On Mon, 11 Aug 2003, Jack Bates wrote:
>> Sean Donelan wrote:
>> > http://isc.sans.org/diary.html?date=2003-08-11
>> > The worm uses the RPC DCOM vulnerability to propagate. One it finds a
>> > vulnerable system, it will spawn a shell and use it to download the actual
>> > worm via tftp.
>> > The name of the binary is msblast.exe. It is packed with UPX and will self
>> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
>> > packed:
>Has anyone seen/heard of this virus propagating through email in any way?
>We appear to have been infected on a network that is very
>firewalled from the outside, and are trying to track down possibly entry
>methods the worm might have had...
A large number of networks have unknown and unauthorized back doors.
If it's a decent-sized network and you haven't audited it, don't assume
that the firewalling is effective. (My co-author on "Firewalls and
Internet Security" book, Bill Cheswick, is CTO of a startup that maps
intranets for just this reason.)
--Steve Bellovin, http://www.research.att.com/~smb