Kevin Poulsen, SecurityFocus 2003-08-11
A malicious worm that exploits last month's RPC DCOM vulnerability struck the Internet Monday afternoon, targeting unpatched Windows 2000 and Windows XP machines.
RPC DCOM Worm Hits the Net
2003-08-11
Manu (4 replies)
RPC DCOM Worm Hits the Net
2003-08-12
Anonymous (3 replies)
I'm from Spain and I'm infected too. I've formatted both hard disk partitions and reinstalled everything, but the virus is there again. ...
RPC DCOM Worm Hits the Net
2003-08-12
Christopher Canova (2 replies)
Try reading SF's website more often. This was reported vulnerable a month ago. How come you post now? I wonder if someone in SF's marketing unit will figure out that viruses mean more web hits on security-related websites... hmmmm. Maybe I should sell the idea to them...
cc...
RPC DCOM Worm Hits the Net
2003-08-13
Tim Watkins (1 replies)
I particularly like the part where the guy rebuilds the machine only to not patch it, and he becomes infected again. Hmmmmmmm gee... at that point... you would think he would download the service packs and the patch and apply them before putting the machine online again!...
RPC DCOM Worm Hits the Net
2003-08-13
BroadBand Man
Didn't affect two Internet-connected computers running Windows XP with XP's included firewalling turned on. This allowed me to work through about half a day Monday before patching the first, and to go home later and patch the second one.
The quickest I saw a BroadBand customer get infected was about...
RPC DCOM Worm Hits the Net
2003-08-12
Jean Debogue (1 replies)
I'm from Quebec, Canada, and it touched us at about 15h50. What I did is install a firewall and disable access to RPC port 135, reinstall the file explorer.exe in c:\windows\system32 and delete msblast too...
Good luck...
You were warned and chose not to act.
2003-08-13
You_people_are_KILLING_me
This vulnerability was even reported on CNN, TechNet, SF, CNET, MSNBC and a MILLION other media outlets BEFORE the exploit/worm was active. Do you all live in a box? Especially the IT people crying on this forum: YOU WERE WARNED and chose not to act.
Removal of the worm is actually quite simple, s...
RPC DCOM Worm Hits the Net
2003-08-11
Conrad Longmore
The worm seems to be concentrating on what I'd call a pseudo-class B subnet, i.e. if the infected PC is 12.34.56.78 then it will concentrate on scanning 12.34.x.x primarily, with some further scanning on 12.x.x.x and a much smaller amount of random scanning.
I guess it's doing this to compromise ...
RPC DCOM Worm Hits the Net
2003-08-12
moonface (1 replies)
It tried to infect me but the firewall stopped it (I mean the connection), but after a reboot my system was crashed; I couldn't log in, but I used Linux to repair it and now it works well...
RPC DCOM Worm Hits the Net
2003-08-12
Anonymous (1 replies)
You have to change something in your services.
You don't need to format or similar.
Open the services and go to the entry
RPC or written out.
Change it back to "auto" and change the action on errors to "do nothing". Reboot and it should be fixed.
If not, try to close port 135.
That's all about ...
RPC DCOM Worm Hits the Net
2003-08-12
Scott Miller <smiller (at) secureadmin (dot) ca [email concealed]>
RPC DCOM Worm Hits the Net
2003-08-12
Nrik (1 replies)
Thank God this virus is a nice one.... not doing anything bad to the user's system.... it could have been a lot worse... try imagining it sending email to the whole contact list, then infecting the network, then deleting everything on the system..... now with this one, at least it will force people to update their Windows ...
RPC DCOM Worm Hits the Net
2003-08-12
Scott Miller <smiller (at) secureadmin (dot) ca [email concealed]> (1 replies)
The sad part is, most people won't. They rely on companies such as AOL to block or firewall the active port involved. Remember the SQL bug, running off 1434 or whatever; ISPs had to block the port for some time to control the production of it.
cheers,
...
RPC DCOM Worm Hits the Net
2003-08-12
KGB (1 replies)
I have been experiencing an attack that I suspect is related to this issue but does not completely fit the described profile. As I have not read anything with this behavior yet, I will describe it here and see if anyone has any thoughts.
First indicators of infection hit a Florida installation o...
RPC DCOM Worm Hits the Net
2003-08-12
Anonymous
A person in our company got hit with a variant, which operated in a similar manner to msblaster at noon PDT, but it installed the executable smsx.exe instead of msblaster.exe. It was much harder to deal with as it detected attempts to apply the fix from microsoft or install Norton AntiVirus and reb...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (8 replies)
I spent all afternoon babying our NT and XP PCs and servers yet again; it didn't affect Win98, Linux, VMS or NetWare. Sure, the patch from MS works... I guess. But here we go again... too little, too late. MICROSOFT PRODUCTS SUCK!!!...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (7 replies)
MS sucks? Excuse me, but YOU didn't patch your machines even after the warnings had been issued for a FULL month and the patch was there and free on the same day it was announced. YOU are the idiot. YOU suck. You deserved to be hit; too bad someone can't hit you with a clue stick. A copy of that is...
who is what?
2003-08-12
Anonymous
Hm. How many security holes have there been in this service? And how many times has Microsoft "fixed" this problem?
So instead of running around badmouthing people, try to look where the problem really is located. And if you still want to run around screaming, please do that to Microsoft for n...
Took down our NT Network (500 Plus users)
2003-08-12
SynDr0m (3 replies)
Maybe he was late to patch his computer... but I have never seen such an exploit on a Linux box...
You could ping-of-death a Win95,
flood and freeze a Win98,
but now... Microsoft still improving... you can take control of a WinXP / 2000 just after the default install.
Try to search a l...
Took down our NT Network (500 Plus users)
2003-08-14
Anonymous
You're right about Linux systems. But I bet you accessed this site on a Windows machine. I bet you game on a Windows machine. Why? If you're such a big supporter of non-M$ products, why don't you use them? Because there isn't another system out there that can offer up the same compatibility, flexibil...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (3 replies)
He (she) is not an idiot. He (she) is a customer who is using MS products and paying money for them. And you think that he (she) must read the MS security site 365 days a year to track all MS vulns and patches? You must be an idiot if you think so....
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (3 replies)
He (she) is paid to do *EXACTLY* that. It's his (her) job to update/patch and make systems run at all times. And you are a loser if you think that Windows is a magic thing that you install once in life and it runs forever, and you should be working at Burger King or something....
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (1 replies)
"He(she) is payed to do *EXACTLY that. That's his(her) job to update/patch and make systems rum at all times. And You(you) are a looser if you think that windows is a magic thing that you install once in life and it runs forever, and you should be working at Burger King or something"
Duh. You are...
Took down our NT Network (500 Plus users)
2003-08-13
Anonymous
Why shouldn't it run forever? There have been numerous Unix servers taken down for retirement that had been running for 20+, and in some cases even 30+, years straight without ever being taken down.
Although it is a stretch to assume you can run an OS that long without taking it down, but you ...
Took down our NT Network (500 Plus users)
2003-08-13
Anonymous
Good one, anonymous.... I see improvements in Windows products... if not for MS, you would not even have this forum to share your views...... don't blame others for your ignorance.... as an admin... it's your duty to find out about exploits and patch them up.... nothing's perfect, you know.... not even Linux.... the reason why people...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (1 replies)
Actually MS has emailed all their customers with details about the vulnerability and links where you can download the patch.
If you [IT admins] can't do your job properly, then let somebody else do it. ...
Reading sec forums
2003-08-13
Anonymous (1 replies)
Yes - a security tech MUST read sec forums every day. That's the whole point of the job - be alert to new vulnerabilities. Or pay someone else to manage your sec vulnerabilities, asset list and patch management (like Symantec etc.) so they do that and you don't have to:-)...
Reading sec forums
2003-08-15
Jagdwulfe
AMEN! Hell, I got deployed to Kosovo with the Army and I am still keeping abreast of the current crop of MS attacks. Then again, that is why I work on Cisco equipment and not the server side of the house. Granted, Cisco is not perfect, but there are far fewer problems for us WAN people in that regard....
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (2 replies)
Good call. Anyone who got hit by this has their head in the sand big time. If you're a sysadmin and your site got hit, I give you credit for one thing only: fooling your employer big time on your credibility....
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous
It amazes me the hostility people feel against Microsoft and how they feel they shouldn't have to keep up to date on security on Windows.
Anyone who doesn't keep up to date on Linux security alerts is called a fool.
Want to go back to the old days where Microsoft didn't release a fix till AFTE...
Took down our NT Network (500 Plus users)
2003-08-13
A clueful IT guy in Canada
Woah wait a second ... for those of you that are screaming negligence - you're telling me that you applied this patch as soon as Micro$oft provided it? So before you yell and scream at others for not patching their systems as soon as the software giant provided it, I'm sure there are internal proce...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (1 replies)
MS does suck. But he has a good point: you did have a full month... If you're an admin you should be up on these types of things.... it's piss poor how so many IT people are lazy. It's probably incompetence...
Windows Update is FREAKING AUTOMATIC!
2003-08-12
Anonymous (6 replies)
Really, all you have to do is tell your Windows XP box "yeah, install stuff automatically."
The default install automatically downloads the patches and waits for your instruction to install.
I "patched" my home system without even noticing.
If a professional sysadmin isn't using the updat...
Windows Update is FREAKING AUTOMATIC!
2003-08-12
Big Guys (2 replies)
You guys obviously work for small companies or don't work at all. We have a plethora of applications at our company and any change to the desktop could make any of those applications fail. Failure of an application translates directly into dollars lost. We are not allowed to roll out security update...
Windows Update is FREAKING AUTOMATIC!
2003-08-12
Anonymous (1 replies)
I agree. Anyone who runs "Auto Update" on a corporate LAN is simply asking for problems. I administer over 10k workstations and 109 servers worldwide. Patch testing is done for no less than a month before it's rolled out to the client PCs and servers due to M$'s habit of releasing a patch th...
Windows Update is FREAKING AUTOMATIC!
2003-08-13
Anonymous (1 replies)
Corporate LANs should be behind a firewall, and if you are allowing 135 into your network you should be fired. This should be a non-issue for corporate LANs. Just home users....
...on a frigging server? Are you NUTS!?
2003-08-12
Penguinisto (1 replies)
Patching is certainly a good thing, but having Windows automatically install patches on 24/7 servers that at best require a reboot, and at worst will obliterate the box is stupid beyond belief!
When you patch any box (windows, Linux, Solaris, AIX, whatever), you test and evaluate the patch on som...
Windows Update is FREAKING AUTOMATIC!
2003-08-12
AnotherAnonymous
Agreed. Too little too late!? That doesn't make any sense. The patch has been out 3 weeks now. I patched our 50 computers the day after it was released. I can't believe that anyone who doesn't read any type of security news or talk to people in the industry is relied upon to take care of 500+ PC...
Windows Update is FREAKING AUTOMATIC!
2003-08-13
HardKnox (1 replies)
I got a good one for ya: firewall your networks, then you can do all the testing you want on updates without getting fired before or even after the big one hits....
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (1 replies)
For those of us that work in larger organizations (30,000+ workstations) it can take longer than a month to roll out a patch, taking into account testing and fixing the 20 or 30 applications the patch is guaranteed to break. The vulnerabilities occur so frequently in Microsoft products that soon I w...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (1 replies)
It's absolutely fair to note that it can take more than a month to roll out a patch in a large organization, though I would ask those of you in those cases: how far along were you in evaluating this very serious patch? I doubt many had even started.
The second question I'd ask is "where the hell ...
Took down our NT Network (500 Plus users)
2003-08-13
Anonymous
I doubt that these large corporate networks have failed to have a firewall. The problem is that it only takes one infected machine from inside the firewall to take down the internal network. With many traveling executives carrying laptops back and forth between the internal LAN and an external conne...
to little to late
2003-08-12
Anonymous (2 replies)
500 users went home early, yet we paid them. MS SUCKS!
2003-08-12
Anonymous (1 replies)
Obviously it was the local sysadmins who were not working at the time, nor will they again with us! You people don't get it: how many more times does this have to happen to open your eyes? The use of Microsoft products is a threat to any company's or country's national security. BUYER BEWARE! Jus...
500 users went home early, yet we paid them. MS SUCKS!
2003-08-12
Anonymous (1 replies)
I know this may be a stretch but the underlying facts remain true: even a Ferrari needs a tune-up every 3-6 months....
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (2 replies)
"to little to late" - You need to fix this ignorance.
MS released the patch back in July. To stop it happening again, you should: 1) come out of your box 2) enable Windows Automatic Updates....
Took down our NT Network (500 Plus users)
2003-08-13
Anonymous (1 replies)
And you need to turn your brain on.
M$ has been making OSes for how long now? And all they ever do is play reactive with their vulnerability fixing. You'd think after issuing patches for patches for service packs that patch a patch for the original OS, they would flip the on switch to their bra...
Huh?!
2003-08-12
BLKMGK (1 replies)
The patch was released July 16th; my company sent out updates within days. Why did you wait until a worm was infecting your network to take action? Seems to me it was you, not Microsoft, that was too little too late! Do you not have a firewall? Is it not blocking 135, 139, and a zillion other incomi...
Huh?!
2003-08-13
vapour
Most companies block incoming 135/139/etc But they do nothing about the remote users that use dialup or vpn and then bring the infected pc into the network. Our network was hit slightly, but we routinely block ports between segments using acls or internal firewalls. I personally use BlackIce on my p...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (1 replies)
Christ! If you actually took time to patch, this wouldn't have happened, would it?
I work for a smallish ISP. We haven't had any problems so far, and aren't expecting any, but then again, we patched as soon as we heard of the vuln.
Maybe if people patched when the vuln is first known, this wouldn't hap...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (1 replies)
I am no expert and I have not been in the field for 20 plus years but whether it is a version of windows, Linux, Unix etc there will always be vulnerabilities. Nothing is perfect....if it was you and I would not be working. Yes it seems that most of the problems are Microsoft related products and wh...
Took down our NT Network (500 Plus users)
2003-08-13
whatever
well spoken!
"Nothing is foolproof because fools are so ingenious!" - some dude
Praise to the creators of the virus! They keep me (and thousands like me) in a job! They make programmers work harder and create more efficient code next time around! The virus is like the rot that eats away at a t...
Took down our NT Network (500 Plus users)
2003-08-12
Anonymous (1 replies)
Why is 135/TCP traffic even allowed into your network? Maybe companies should start hiring people with real skills and experience, and not based on connections....
Took down our NT Network (500 Plus users)
2003-08-13
Anonymous
Connection isn't the only thing. Think about it: when PCs started to make it big in the business market, Computer Science was as common as biotech is today. It was brand new and few went into it, and nobody was in the market for businesses to hire. Plus businesses didn't have a job description fo...
Why did you have port 135 open
2003-08-13
Anonymous (1 replies)
Why did you have port 135 open in your perimeter? That is just stupid. There is no reason why anyone should have been hit by this worm. Sort your peripheral security, patch when required and you'll be much better off. But I agree that MS sucks:-)...
RPC DCOM Worm Hits the Net
2003-08-12
Federico Lucifredi (2 replies)
Boston here. We have about 90% of machines in a 30-machine shop infected :''(
We have seen the buzzard come back after running the patch AND removing with Norton; this is quite confusing, as the picture on the issue does not seem to be complete....
RPC DCOM Worm Hits the Net
2003-08-12
Cipherz (1 replies)
OK, I am not sure if it's due to this virus, but one of my friends got infected with a virus infecting some system files. My friend got rid of it but gets that RPC thing all the time now; the error log states something about a DLL timing out or something. I could paste something if anyone is able to sa...
need to follow removal directions to a 't'
2003-08-12
g00s (1 replies)
Disable System Restore, run the remover, install the patch... disable/block suspect ports at the firewall and make sure that laptops have desktop firewalls doing the same.
easy to understand this write-up: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
happy hunt...
RPC DCOM Worm Hits the Net
2003-08-12
Wichita_KS_NETOPS (2 replies)
We have been able to stay ahead of it, probably 35 infestations out of a possible 10,000 worldwide.
Actively shut down switch ports leading to infested machines.
Activated our CIRT to contain and eradicate.
All quiet now, hope it stays that way.
Our point of infestation is remote (travel...
RPC DCOM Worm Hits the Net
2003-08-12
Chris S (1 replies)
Several users infected at my corporation. So far only ones that are mobile and not using a personal firewall. On my PC at home Zone Alarm has logged 600 since 4pm Monday Aug 11. Unknown yet on our corporate firewalls, but their processor usage has gone up about 8% today, so I'm sure it's quite a few....
Single IP?
2003-08-12
BLKMGK
You've likely got someone running a scanner against your network, not some worm. I'd shut that IP out of your network and consider notifying the ISP who hosts it. There are MANY tools other than this worm for taking advantage of this exploit; this is probably an instance of that. If he gets into jus...
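Conrad Longmore's observation earlier in the thread (the worm favouring the infected host's own /16, then its /8, then random addresses) and BLKMGK's point above (a pile of 135 hits from one address is more likely a scanner than the worm) both reduce to the same per-source statistics on a firewall's drop log: how many distinct targets a source hit, what share of them sit in the source's own /16 and /8, and whether the targets are walked in order. The Python below is an added example, not code from the thread or from any firewall product. The drop-line format, the addresses, the function names and the thresholds in classify() are all assumptions for the constructed sample.

```python
"""Added example, not from the SecurityFocus thread or any product: classify dropped
TCP/135 connection attempts by source. Log format and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed drop-log format (an assumption, not any real firewall's syslog):
#   "<date> <time> DROP TCP <src>:<sport> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP TCP (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (src, dst) for a dropped TCP/135 attempt, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("dport") != "135":
        return None
    return m.group("src"), m.group("dst")


def shares_prefix(a, b, bits):
    """True if address b falls in the /bits network that contains address a."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{bits}", strict=False)


def summarize(lines):
    """Per-source counters: hits, distinct targets, share of targets inside the
    source's own /16 and /8, and the longest run of consecutive target addresses."""
    per_src = defaultdict(lambda: {"hits": 0, "targets": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        per_src[src]["hits"] += 1
        per_src[src]["targets"].add(dst)

    result = {}
    for src, rec in per_src.items():
        targets = rec["targets"]
        ordered = sorted(int(ipaddress.ip_address(t)) for t in targets)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        n = len(targets)
        result[src] = {
            "hits": rec["hits"],
            "targets": n,
            "same16_share": sum(shares_prefix(src, t, 16) for t in targets) / n,
            "same8_share": sum(shares_prefix(src, t, 8) for t in targets) / n,
            "longest_run": longest,
        }
    return result


def classify(stats, min_targets=10):
    """Thresholds are assumptions chosen for the constructed sample."""
    if stats["targets"] < min_targets:
        return "background probe"
    if stats["same16_share"] >= 0.6:
        return "worm-like local preference"
    if stats["longest_run"] >= min_targets:
        return "single-source sweep"
    return "random scan"


def _line(src, dst, i):
    return f"2003-08-12 16:{i // 60:02d}:{i % 60:02d} DROP TCP {src}:{1024 + i} {dst}:135"


def build_sample_log():
    """Constructed log, not real traffic: one infected neighbour in 12.34.0.0/16
    favouring its own /16, one remote host walking 12.34.1.0/24 in order, two
    one-off probes, and an unrelated port-80 drop that the parser ignores."""
    worm, sweeper = "12.34.56.78", "200.1.2.3"
    worm_targets = [f"12.34.60.{k}" for k in range(1, 15)] + ["12.99.1.1", "12.100.2.2", "66.7.8.9"]
    sweep_targets = [f"12.34.1.{k}" for k in range(1, 21)]
    lines = []
    for i, dst in enumerate(worm_targets + sweep_targets):
        lines.append(_line(worm if dst in worm_targets else sweeper, dst, i))
    lines.append(_line("24.5.6.7", "12.34.2.9", 50))
    lines.append(_line("65.1.1.1", "12.34.7.7", 51))
    lines.append("2003-08-12 16:05:00 DROP TCP 24.5.6.7:2001 12.34.2.9:80")
    return lines


def report(lines):
    """Map every source seen on TCP/135 to its classification."""
    return {src: classify(stats) for src, stats in summarize(lines).items()}


if __name__ == "__main__":
    for src, verdict in report(build_sample_log()).items():
        print(f"{src:>15}  {verdict}")
```

On the constructed sample the infected neighbour comes out as "worm-like local preference" (14 of its 17 targets share its /16), the remote host walking 12.34.1.1 through 12.34.1.20 as "single-source sweep", and the two one-off hits as "background probe". Only the sweep case is worth a block-and-notify-the-ISP; the worm case is noise that will come from hundreds of addresses and is better answered by filtering 135 and patching.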
RPC DCOM Worm cleanup details
2003-08-12
Barry Irwin <bvi (at) moria (dot) org [email concealed]>
Hi all, here is some further info, and in particular instructions for cleaning up.
Some further information
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A&VSect=T
http://isc.incidents.org/diary.html?date=2003-08-11
An Analysis of the worm
https://tms.symante...
RPC DCOM Worm Hits the Net
2003-08-12
Sunfire070
RPC, or what I call it, Skynet (from T3), because it lies dormant with no payload waiting to strike on Judgement Day.
Today it hit the Pacific early this morning. Approx. around 12pm this afternoon was the peak. I had an estimated 45 calls about this, and only about 5 systems checked in so I can fix t...
RPC DCOM Worm Hits the Net
2003-08-12
kl3675
So there I was, sitting on my XP box yesterday when a window pops up. Critical Error, it says. RPC has unexpectedly terminated. Hmm... I knew what it was right away, but I couldn't resist. I left my firewall down and watched as my computer was infected with the new virus. It's always awesome to see t...
RPC DCOM Worm Hits the Net
2003-08-12
Anonymous
Just an important note.... if you are using MSUPDATE to keep up to date with patches etc., and you have Windows 2000 SP2 installed, you will NOT get the 823980 patch. For you to get it you need at least SP3 installed. MS don't actually support this patch on SP2.... Nice. Not....
RPC DCOM Worm Hits the Net
2003-08-12
apsu_of_freshwater
As the SF article suggests, both "public and private exploit programs have already lead to mass compromising of PCs". This is likely the reason people are seeing differences in worm characteristics. I think you should all take solace in the fact that the "public" worm(s) has no malicious payload pe...
RPC DCOM Worm Hits the Net
2003-08-12
Jeff Serino (1 replies)
Anybody who is infected just has to install the security patch from microsoft.
There is a way to remove the virus/worm also.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
two steps:
1 Patch
2 Remove
...
RPC DCOM Worm Hits the Net
2003-08-12
Federico Lucifredi (1 replies)
I had a blast of an exercise in emergency response and recovery yesterday -- but only because the network involved was not mine ;-)
My network was patched/firewalled, so no issue was observed aside from an increase in probes.
the 30+ machine network I helped restore was 90% compromised. Inter...
RPC DCOM Worm Hits the Net
2003-08-13
HardKnox
You must have done it wrong; with XP systems you need to disable "System Restore".
Also you have to isolate the infected systems (pull the network or modem cable). You end the "msblast" process in the Task Manager and then you do a search and delete of all "msblast" (should be two files, one PDF file a...
Anyone identified initial infection vector?
2003-08-12
Anonymous (1 replies)
Does this spread by any means other than 4444 and tftp?
I have a client with an infection even though the specified ports are blocked at the firewall.
All file-sharing ports (Kazaa, etc) are also blocked.
...
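The question above is really about what the worm's traffic looks like as a sequence. The exploit comes in on 135/tcp (the port other posters in this thread say to filter), the attacker then connects to the shell on 4444/tcp, and the victim pulls msblast.exe back from the attacker over tftp (69/udp). Blocking 4444 and tftp at the perimeter therefore stops the payload fetch but not the exploit itself, and a host that was already infected before it plugged in never crosses the perimeter at all. The Python below is an added example, not from the thread or any product: it correlates constructed flow records (the one-line layout, every address and every timestamp are assumptions) into that three-step sequence per attacker/victim pair, and separates completed infections from hosts that reached the shell stage but never fetched the payload. The 300-second window and the 10.1.0.0/16 internal range are assumptions as well.

```python
"""Added example, not from the SecurityFocus thread: correlate flow records into the
three-step Blaster exchange per attacker/victim pair. The record layout and every
address and timestamp are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds; constructed, any monotonic clock will do
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Constructed one-line-per-flow format: '<ts> <proto> <src> <dst> <dport>'."""
    ts, proto, src, dst, dport = line.split()
    return Flow(int(ts), proto.lower(), src, dst, int(dport))


# The three ports are the ones the worm is known to use: RPC exploit in on 135/tcp,
# command shell in on 4444/tcp, then the victim pulls msblast.exe back over tftp (69/udp).
def correlate(flows, internal_net, window=300):
    """Walk each (attacker, victim) pair's events in time order. 'window' (seconds from
    the 135 hit to the tftp pull) is an assumption. Returns pairs that completed all
    three steps, and pairs that reached the 4444 shell but never pulled the payload
    (for example because outbound tftp was blocked while 135 was not)."""
    net = ipaddress.ip_network(internal_net)
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "tcp" and f.dport == 135:
            by_pair[(f.src, f.dst)].append(("rpc", f.ts))
        elif f.proto == "tcp" and f.dport == 4444:
            by_pair[(f.src, f.dst)].append(("shell", f.ts))
        elif f.proto == "udp" and f.dport == 69:
            by_pair[(f.dst, f.src)].append(("tftp", f.ts))  # victim -> attacker, so swap

    infected, partial = [], []

    def record(bucket, attacker, victim, times):
        bucket.append({
            "attacker": attacker,
            "victim": victim,
            "attacker_internal": ipaddress.ip_address(attacker) in net,
            "times": tuple(times),
        })

    for (attacker, victim), events in by_pair.items():
        stage, times = 0, []
        for name, ts in events:
            if name == "rpc":                      # a new attempt restarts the sequence
                if stage == 2:
                    record(partial, attacker, victim, times)
                stage, times = 1, [ts]
            elif name == "shell" and stage == 1 and ts - times[0] <= window:
                stage, times = 2, times + [ts]
            elif name == "tftp" and stage == 2 and ts - times[0] <= window:
                record(infected, attacker, victim, times + [ts])
                stage, times = 0, []
        if stage == 2:
            record(partial, attacker, victim, times)
    return {"infected": infected, "exploited_no_payload": partial}


# Constructed flows: an outside host infecting 10.1.1.5; a laptop already inside
# 10.1.0.0/16 infecting 10.1.1.6 (the perimeter never saw its 135 traffic); 10.1.1.7
# exploited and shelled but its tftp pull never appears; a lone 135 probe; a stray tftp
# with no exploit before it; and a 4444 connection arriving too long after the 135 hit.
SAMPLE_FLOWS = """\
100 tcp 66.7.8.9 10.1.1.5 135
101 tcp 66.7.8.9 10.1.1.5 4444
103 udp 10.1.1.5 66.7.8.9 69
200 tcp 10.1.9.77 10.1.1.6 135
202 tcp 10.1.9.77 10.1.1.6 4444
205 udp 10.1.1.6 10.1.9.77 69
300 tcp 66.7.8.9 10.1.1.7 135
301 tcp 66.7.8.9 10.1.1.7 4444
400 tcp 24.5.6.7 10.1.1.8 135
500 udp 10.1.1.9 99.9.9.9 69
600 tcp 66.7.8.9 10.1.1.10 135
1000 tcp 66.7.8.9 10.1.1.10 4444
"""


def analyze_sample():
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]
    return correlate(flows, "10.1.0.0/16")


if __name__ == "__main__":
    result = analyze_sample()
    for e in result["infected"]:
        where = "inside" if e["attacker_internal"] else "outside"
        print(f"infected: {e['victim']} by {e['attacker']} ({where}) at {e['times']}")
    for e in result["exploited_no_payload"]:
        print(f"exploited, no payload fetched: {e['victim']} by {e['attacker']} at {e['times']}")
```

On the sample, 10.1.1.5 and 10.1.1.6 come out as infected, and 10.1.1.6's attacker is flagged as internal, which is the case a perimeter rule cannot see. 10.1.1.7 is reported as exploited without a payload fetch: the RPC service on that host was still hit and will still crash or reboot, so it needs the patch even though no msblast.exe arrived. The lone 135 probe, the stray tftp and the late 4444 connection are not reported.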
Anyone identified initial infection vector?
2003-08-12
Anonymous (1 replies)
Check your users for webmail access such as Hotmail, Yahoo, etc.
It's pretty easy to execute those attachments even though you've firewalled them out....
Anyone identified initial infection vector?
2003-08-12
Chris S (2 replies)
I'm sure you can also get infected by a user with a laptop disconnecting from your network, getting infected, then plugging back into your network. In that case if the user being infected and the infected laptop are behind the firewall, the worm would circumvent any blocking the firewall would provi...
That should be obvious to all these "IT" guys.
2003-08-13
You_people_are_KILLING_me (1 replies)
HMMM, if I put something behind my firewall, the firewall won't filter the traffic? That is a far out concept. Good job to all you "MCSEs" out there. You really get it....
That should be obvious to all these "IT" guys.
2003-08-14
Anonymous
Yup....I agree with ya! I have NEVER seen so many freakin idiots who don't know what the hell they're doing! How did they get their job anyway! Their company hires who they can BS the most of saying Oh yeah, I never went to college, and just took my freakin tests just to get the position with no...
Mixed Results (Utah)
2003-08-12
Penguinisto
My own classroom is still pristine (I'd patched the 'doze workstation RIS image a month ago), and everything except the ports necessary for web browsing are shut off at the proxy. I thought the 2k3 server had been infected (I finally installed an MSDNAA copy last month), but that turned out to be a ...
Open letter to Bill Gates........
2003-08-12
Anonymous (1 replies)
Hmmmm.....
Which of the following free, generic MS tech solutions will solve the blaster issue?
Retry? Nope.
Reboot? Nope.
Reinstall? Yes, reinstall linux and forget about it.
You suck Bill Gates....
Open letter to Bill Gates........
2003-08-12
Anonymous (1 replies)
All this MS bashing is pretty ridiculous. Yes, their operating system is less secure/stable than a lot of UNIX options, and they wasted a lot of time resting on their laurels. But I think they're doing their best to secure an inherently insecure system. The vulnerability was mentioned a month ago, a...
Open letter to Bill Gates........
2003-08-12
Anonymous (3 replies)
"OS of choice"? Yes, you had a choice. Now live with that choice and its consequences or reevaluate....
Open letter to Bill Gates........
2003-08-12
Anonymous (2 replies)
Yes the problem is in MS code, but so is EVERY other OS. What's a bigger problem is the lack of experienced admins with an ounce of initiative to actively monitor the security of their systems/infrastructure. With a small amount of security-minded planning, an infrastructure utilizing some system ...
Managing Your Security Profile
2003-08-13
Anonymous
As several have so accurately stated here, it is the *responsibility* of the netadmin to ensure network security. Yes, M$ boxes are inherently more insecure than *nix boxes. No denying that. But whining about it doesn't change the fact that it is **your responsibility** to keep those boxes secur...
RPC DCOM Worm Hits the Net
2003-08-12
AnonymousAdmin (1 replies)
RPC DCOM Worm Hits the Net
2003-08-12
Anonymous (2 replies)
I am no expert and I have not been in the field for 20 plus years but whether it is a version of windows, Linux, Unix etc there will always be vulnerabilities. Nothing is perfect....if it was you and I would not be working. Yes it seems that most of the problems are Microsoft related products and wh...
RPC DCOM Worm Hits the Net
2003-08-12
Anonymous (1 replies)
"I am no expert..."
well - you said it. MOST INTERNET SERVERS do actually run *NIX. And they do have flaws, just not every frigging week!
But in the meantime M$ peddles their bull of lower TCO. sure. just count the number of ppl needed to keep one MS installation running versus the number o...
RPC DCOM Worm Hits the Net
2003-08-13
A clueful IT guy in Canada (2 replies)
" But in the meantime M$ peddles their bull of lower TCO. sure. just count the number of ppl needed to keep one MS installation running versus the number of ppl needed to keep a *nix installation running. Typical factors are 2X or 3X. "
This is very true ... our windows team consists of 8 people...
RPC DCOM Worm Hits the Net
2003-08-13
Fortune_50_IT_Manager
So, if you were running *nix at the desktop, and just using Windows for the backend, do you not think that those numbers would invert? Do you think you would need "15 guys in desktop just for day to day" if every mindless user had *nix? I think you would need more, and some trainers, and these peo...
RPC DCOM Worm Hits the Net
2003-08-13
AnonymousAdmin (1 replies)
I've been in this field for almost 20 years and still would not consider myself an expert. I do however believe the blackhats and kiddies are just scratching the surface of the vulnerabilities that lie within Bill's OS. As more backdoors are discovered, the more difficult it will become for anyone to...
What if the ratios were reversed?
2003-08-14
Fortune_50_IT_Manager
It's all been said before:
1. If MS OSes were not the most popular, they would not be the most popular to exploit.
2. ALL OSes have security flaws, EVEN *nix and Cisco IOS.
3. MS makes good products; you all want all of 10 million features, right now, but complain when MS asks you to put a...
RPC DCOM Worm
2003-08-12
B
This evening (BST) my firewall has been blocking roughly two TCP Port 135 hits every minute; this afternoon it was about 4 per minute. It's also been blocking a significant, though smaller, number of UDP Port 137 hits. The vast majority of the sources were boxes on the same ISP domain as mine....
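As an added example (not code from this thread, from SecurityFocus or from any poster), the following Python script turns the kind of firewall observation B reports above into a repeatable check: it tallies deny entries per destination port and per minute, counts how many worm-port hits each source produced, and flags any source that hit all three ports the earlier "initial infection vector" post associates with this worm (TCP 135 for the RPC DCOM exploit, TCP 4444 for the follow-up shell connect, and TFTP on UDP 69 for the download). The log line syntax, the addresses and the timestamps are constructed for the example; no real firewall writes exactly this format, so adapt the regular expression to your own product's log lines.

```python
"""Tally worm-propagation probes in firewall deny logs.

Added example, not code from the thread. The log format below is a
constructed one (assumption), chosen only so the script runs stand-alone.
"""
import re
from collections import Counter, defaultdict

# Ports the thread associates with this worm's propagation: TCP 135 (RPC DCOM
# exploit), TCP 4444 (follow-up shell), UDP 69 (TFTP download of the worm body).
WORM_PORTS = {("tcp", 135), ("tcp", 4444), ("udp", 69)}

# Constructed log format (assumption, not a real firewall's syntax):
#   "<YYYY-MM-DD> <HH:MM:SS> DENY <proto> <src>:<sport> -> <dst>:<dport>"
# The minute part of the timestamp is captured separately for per-minute rates.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} DENY "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

# Constructed sample log. Addresses are from documentation ranges (RFC 5737);
# one line is deliberately malformed to show that bad input is skipped, not fatal.
SAMPLE_LOG = """\
2003-08-12 18:00:05 DENY tcp 192.0.2.10:1037 -> 192.0.2.99:135
2003-08-12 18:00:31 DENY tcp 192.0.2.10:1038 -> 192.0.2.99:135
2003-08-12 18:00:44 DENY tcp 192.0.2.23:1152 -> 192.0.2.99:135
2003-08-12 18:01:02 DENY udp 192.0.2.23:137 -> 192.0.2.99:137
2003-08-12 18:01:15 DENY tcp 198.51.100.7:2201 -> 192.0.2.99:135
2003-08-12 18:01:40 DENY tcp 198.51.100.7:2202 -> 192.0.2.99:4444
2003-08-12 18:01:58 DENY udp 192.0.2.23:137 -> 192.0.2.99:137
2003-08-12 18:02:10 DENY tcp 203.0.113.5:3344 -> 192.0.2.99:80
this line is deliberately malformed and must be skipped
2003-08-12 18:02:33 DENY tcp 192.0.2.10:1041 -> 192.0.2.99:135
2003-08-12 18:03:05 DENY udp 198.51.100.7:2203 -> 192.0.2.99:69
"""


def parse_line(line):
    """Return a dict for one deny line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "minute": m["minute"],
        "proto": m["proto"],
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def analyse(text):
    """Aggregate a whole log: hits per (proto, port), worm hits per minute and per source."""
    port_counts = Counter()          # every denied (proto, dport), worm-related or not
    worm_per_minute = Counter()      # worm-port hits keyed by "YYYY-MM-DD HH:MM"
    worm_hits_by_src = Counter()     # worm-port hits per source address
    worm_ports_by_src = defaultdict(set)  # which worm ports each source touched
    skipped = 0
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        key = (rec["proto"], rec["dport"])
        port_counts[key] += 1
        if key in WORM_PORTS:
            worm_per_minute[rec["minute"]] += 1
            worm_hits_by_src[rec["src"]] += 1
            worm_ports_by_src[rec["src"]].add(key)
    return {
        "port_counts": port_counts,
        "worm_per_minute": worm_per_minute,
        "worm_hits_by_src": worm_hits_by_src,
        "worm_ports_by_src": worm_ports_by_src,
        "skipped": skipped,
    }


def noisy_sources(report, threshold=3):
    """Sources with at least `threshold` worm-port hits: likely infected scanners."""
    return sorted(s for s, n in report["worm_hits_by_src"].items() if n >= threshold)


def full_chain_sources(report):
    """Sources that hit every worm port (135, 4444 and 69): an attempted full
    exploit-and-download sequence, not just a scan, even though it was denied."""
    return sorted(
        s for s, ports in report["worm_ports_by_src"].items() if ports >= WORM_PORTS
    )


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for (proto, port), n in sorted(rep["port_counts"].items()):
        print(f"{proto}/{port}: {n} denied")
    for minute, n in sorted(rep["worm_per_minute"].items()):
        print(f"{minute}: {n} worm-port hits")
    print("noisy sources:", noisy_sources(rep))
    print("full-chain sources:", full_chain_sources(rep))
    print("malformed lines skipped:", rep["skipped"])
```

The per-minute counter gives the same "hits per minute" figure B estimated by eye, and the full-chain check separates plain scanning on 135 from a source that went on to 4444 and TFTP, which on a denied connection is still worth a note to that source's owner or ISP.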
RPC DCOM Worm Hits the Net - RPC in final stages of installation
2003-08-13
Sunfire070
UPDATE!!! At 6:15pm Pacific time, a system came in that was almost fully installed. Somewhere during the last portion of installation of the worm code it screwed up, and it duplicates itself in multiple files.
msbb.exe
MSCONFIG.EXE (displayed twice - clocked from regedit)
Desktop (displa...
RPC DCOM Worm Hits the Net
2003-08-13
Anonymous (1 replies)
Well you can imagine the number of systems that this security hole affects. I would say a good 20% - 50% of most home users on a normal adsl/cable isp and the figures maybe the same for some businesses. Pure speculation on the figures however this is huge. I have a theory call me a geek or whatever...
RPC DCOM Worm Hits the Net
2003-08-13
AnonymousAdmin
Another possibility could be that the whole fiasco is a dragnet set up by MS and some federal agency in an attempt to identify some of the less skilled script kiddies who sometimes don't adequately hide their tracks when they launch this type of attack. The patch could have code that captures data f...
RPC DCOM Worm Hits the Net
2003-08-13
Scott Moreau <smoreau (at) secureadmin (dot) ca [email concealed]>
RPC DCOM Worm Hits the Net
2003-08-13
Anonymous
Typical,
Just use users/sysadmins stupidity to bash on MS$ !
Some common facts:
- NT is a just as good OS as you choose it to be.
- *NIX is a just as bad OS as you choose it to be.
Just follow the Bugtraq and you can have a go everyday on compromised *NIX systems or applications.
I...
New Dell XP laptop was not installed with patch!
2003-08-13
Anti-Dell customer (1 replies)
I want to know why my Dell PC was built and shipped without the updated XP patch? Ordered on July 24, shipped first week of August. Of course you call tech support and you get a message to go to the MS website. Of course I can't get on the internet long enough to download it. Of course it's not...
RPC DCOM Worm Hits the Net
2003-08-13
Anonymous
I was alerted several weeks ago of the threat; I patched my machines using code from Microsoft web site. I made sure my firewall was denying port 135 (amongst most others) .. and this is my home network. (firewall has denied 85 attempts to access over port 135 in the last hour).
Needless to say ...
RPC DCOM Worm Hits the Net
2003-08-14
ButtCovered
Hi
Does anyone know how the Denial of Service component works, i.e. does it grab the IP address from DNS and then blast away on port 80 or what? (This is the MSBlast worm I'm talking about)
I'd like to try and protect the internal network as much as possible; we're infected to hell because the admins ...
RPC DCOM Worm - treat it as a vaccin
2003-08-14
ultravioletu
I believe that this worm, as it is now, should be welcome. The nature of the vulnerability allows for a more destructive payload. Good thing that the worm is (intentionally?) poorly written and does no serious damage on the infected computers. It's a blessing more like.
as the "efforts" deployed ...
RPC DCOM Worm Hits the Net - but without any executeable
2003-08-14
Anonymous (Lost user) that needs opinion (1 replies)
Since I live in a box, I need help on a strange issue. I assumed a firewall (ZoneAlarm) would protect me from the worm.
I got a DSL connection which is always up, directly connected (no router) to my PC (I've only got one), running Win2k. I also used NAV.
My computer has been acting like I got the wor...
BIG Providers Decided to Turn Off Ports
2003-08-14
Scott Moulton
The biggest service providers have decided that they know what is best for all of us and have decided to turn off several ports on the internet world wide. While it might seem like a good idea to stop this worm, it takes away our freedom to use the net and make our own choices about what we want to...
Anti-virus prevention is not segregated to patches
2003-08-15
Canada (1 replies)
I apologize if I missed this in one of the previous postings, but whatever happened to anti-virus or simple ACL's on your core network to prevent propagation of the worm throughout your network? Or am I the only one that realizes that virus prevention is not simply segregated to patch updates from vend...
Anti-virus prevention is not segregated to patches
2003-08-15
Anonymous
You forgot to mention management as one of your factors! An incompetent manager can undermine anything that his staff might try to do to prevent the outbreak. I witnessed a manager at a company with a written rule to never allow portable users to plug into the corporate network break this fundamenta...