Home page logo
/

nanog logo nanog mailing list archives

RE: RPC errors
From: <Brennan_Murphy () NAI com>
Date: Mon, 11 Aug 2003 15:05:39 -0700


does anyone know if the scanning is sequential once
a range is chosen or is it random within a range?

e.g.,
1.1.1.1
1.1.1.2
1.1.1.3
etc

or 

1.1.1.89
1.1.1.33
1.1.1.12
etc



-----Original Message-----
From: John Dvorak [mailto:john () dvorak net] 
Sent: Monday, August 11, 2003 5:57 PM
To: NANOG
Subject: Re: RPC errors



On Mon, 11 Aug 2003 17:33:33 -0400
 Kevin Houle <kjh () cert org> wrote:

--On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm 
<MikeD () irwinresearch com> wrote:

The DCOM exploit that is floating around crashes the Windows RPC 
service when the attacker closes the connection to your system after 
a successful attack. Best bet is to assume any occurrence of crashing

RPC services to be signs of a compromised system until proven 
otherwise.

http://www.cert.org/advisories/CA-2003-19.html

That's good advice. Many of the known exploits cause the RPC service 
to crash after the exploit is successful. I'll point out that not all 
exploits cause the service failure. So, the absence of an RPC service 
failure is likewise not an indicator that a vulnerable machine has 
escaped compromise.

Kevin

Interestingly, we have clear examples of boxes which were not infected
but on which RPC services did crash.  This may suggest that the worm
also takes advantage of the unrelated RPC DOS vulnerability (2000 and
XP) which I believe MS has still not patched.

John



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault