Port 10 traffic; 139 & 1433 report; DCE RPC Vectors

Published: 2003-12-12. Last Updated: 2003-12-14 00:35:02 UTC
by Johannes Ullrich (Version: 1)
Port 10 Traffic

We see a steep increase in the number of hosts probed on port 10. While only a few sources participate, the number of hosts probed is very large.

At this point, we do not know what these probes try to accomplish.
http://www.dshield.org/port_report.php?port=10

139 and 1433

ISS raised its AlertCON to '2' (from 1) due to reports of an increase in port 139 and 1433 scans. We do not see a significant global increase. In our opinion, a possible reason is a scan for weak MSSQL passwords with a file sharing component (e.g. 'SQLSnake').

DCE RPC Vectors

Core Security Technologies published a paper outlining various ways to exploit DCE RPC DCOM via different vectors. This paper is another reminder that just blocking port 135 is not enough to protect your systems. Patching is the only real solution, and firewall rules should be applied to all unsolicited inbound traffic if possible.
http://www.coresecurity.com/common/showdoc.php?idx=393&idxseccion=10

Port 53 update

Earlier this week, Lurhq posted an analysis of a particular Trojan, which uses malformed 'DNS' queries to communicate:
http://www.lurhq.com/sinit.html
