> Paul, have you patched against this vulnerability?
> if so then be cool, most holes work as people didn't follow or have a clear
> and present patching program,
> With regards to slammer, again it was successful due to, as you put it rogue
> machines that weren't patched, but that to me was a program that caused the
> issue, this is a standard port, on my firewall system port 135 isn't open, on
> a VPN-ed laptop the patch has been released for folk, and laptop firewalls
> amended.
>
> Again we have issue of rogue machine, but that's what I have perimeter
> defenses for, NAT would effectively kill this exploit, same with sqlhack of
> old, they may be able to knock at the door, but they can't take the goods back
> out the way they came...
>
> For the record we stopped slammer with a patch that we put on 6 months
> earlier, and thus everyone that had sql had already been patched through
> login script, others got the patch through our sms system as new released
> patches are tested and integrated as soon as available.
> I believe it's about approach.
>
> Regards
>
> ----- Original Message -----
> From: "Paul Schmehl" <[EMAIL PROTECTED]>
> To: "Ron DuFresne" <[EMAIL PROTECTED]>
> Cc: "Chris Paget" <[EMAIL PROTECTED]>; "Len Rose" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Sunday, July 27, 2003 5:20 AM
> Subject: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
>
> > On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:
> > >
> > > I'm just trying to understand how corporate networks would/should be at
> > > risk with this, why port 135 would not be filtered already limiting
> > > exposure. Is there a reason why it would not be that I'm missing?
> >
> > Are you really serious? Recall Slammer? There were networks that were
> > locked down pretty tight. Slammer couldn't get in, right? Then one
> > developer who got his unpatched copy of SQL inside the network, by
> > logging in through VPN with his infected laptop, took the entire network
> > down.
> >
> > You can't get in to our network on those ports either - unless you're
> > already in. But I can guarantee you that we'll be chasing infected
> > boxes down for days after the worm hits. And we've already patched
> > everything that we could patch. I scan for Slammer every week, because
> > every week someone new decides to install SQL unpatched or some stupid
> > app that has an unpatched copy of MSDE. Now I'll be chasing the RPC
> > worm around too.
> >
> > You can't firewall 135 inside your network or you'd have no network.
> >
> > The only reason I read lists like this is because I need to know before
> > it hits what the next stupid exploit is that I have to deal with. And
> > every one is a royal PITA. I put virus and worm writers right there in
> > the same pile with spammers. They're all the scum of the earth. Clear
> > examples of the worst of human nature.
> >
> > --
> > Paul Schmehl ([EMAIL PROTECTED])
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/~pauls/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html