I was just wondering if anyone else was noticing this. I got up today, went to school, and noticed that I was getting a bunch of RPC port probes. Now, this is the same type of traffic that Blaster used to put out. While watching my IDS, it seemed to be spreading to other hosts on the network at the college, and they were probing me also. Has anyone else been seeing traffic like this? I checked my mailing lists and I didn't see any news on a new worm, although I did see some new MS exploits.
November 15th, 2003, 11:35 PM
I've been getting those probes every day, almost on schedule, ever since Blaster. So I wouldn't have noticed any new waves of attacks.
November 16th, 2003, 12:52 AM
This is definitely something new and not Blaster, very similar though. I believe it is attacking in a similar style.
November 16th, 2003, 02:06 AM
It wouldn't surprise me one bit. I will keep an eye on my logs.
November 16th, 2003, 02:12 AM
I see one of two probable answers here. The first being that your school systems were never patched and someone inadvertently/purposely introduced Blaster code into the network, thus the RPCs.
The second is that an exploit has been developed for the latest M$ exploit released last week. (Somewhere in the 48-50 range.) From what I have read of the exploit, it is very similar to the RPC exploit in Blaster. That being the case, compiled with the fact that it uses UDP/TCP 138, 139, and 445, it should be quite easy to modify the existing Blaster worm to attack the new exploit. Just a stab in the dark, but it would not surprise me.
November 16th, 2003, 04:14 AM
Have received similar increased traffic over the last week....
Thought it was A LOT of unpatched machines on the ISP subnet?
November 17th, 2003, 11:50 PM
The school's systems were patched against Blaster and it wasn't just a scanning program doing probing for patches not being applied. I don't know, I guess I will have to wait till I go back. Thanks everyone for posting.