Re: New attack against port 135?
Yes, we saw this yesterday and posted to full-disclosure. Here is a sample packet.

13:43:38.511675 xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx 0800 62: 64.7.nn.yy.3512 > 16.181.zz.aa.135: S [tcp sum ok] 3772716186:3772716186(0) win 65340 (DF) (ttl 127, id 63248, len 48)
0x 4500 0030 f710 4000 7f06 e5d6 4007 975b[EMAIL PROTECTED]@..[
0x0010 10b5 36c9 0db8 0087 e0df 149a ..6.
0x0020 7002 ff3c 6151 0204 05ac 0101 0402p..

---Mike

At 01:26 PM 10/10/2003, Peter John Hill wrote:

> I am seeing lots of scanning of port 135 on my network. 66 byte long packets. Anyone have a name for this? It is less aggressive than the welchia scans I have seen. Seems to scan at about 3000 or so flows per 5 minutes.
>
> Thanks
> Peter Hill
> Network Engineer
> Carnegie Mellon
Re: New attack against port 135?
The kiddies have finally exploited the RPC SS/RPC DCOMII exploits that Microsoft patched after internal auditing. I first got word of a working exploit about a week ago, but no real confirmation, and I put very little credence in "I hax0rz your b0x3n!" Then scanning went exponentially through the roof. So it looks like the kiddie's right. I doubt there's a virus per se, more like kiddies hunting for vulnerable boxes to install DDoS trojans on. Anyone who honeypots one of these scans and gets a trojan, please notify me and forward it; it would be most helpful. (Also obviously forward to Symantec et al.)

On Fri, 10 Oct 2003 13:26:58 -0400 Peter John Hill <[EMAIL PROTECTED]> wrote:

>
> I am seeing lots of scanning of port 135 on my network. 66 byte long packets. Anyone
> have a name for this? It is less aggressive than the welchia
> scans I have seen. Seems to scan at about 3000 or so flows per 5 minutes.
>
> Thanks
> Peter Hill
> Network Engineer
> Carnegie Mellon
>

--
Andrew D Kirch | [EMAIL PROTECTED]| Security Admin |
Summit Open Source Development Group | www.sosdg.org
New attack against port 135?
I am seeing lots of scanning of port 135 on my network. 66 byte long packets. Anyone have a name for this? It is less aggressive than the welchia scans I have seen. Seems to scan at about 3000 or so flows per 5 minutes.

Thanks
Peter Hill
Network Engineer
Carnegie Mellon