
Thread: RPC/DCOM/mblast.exe thread discussions/notices

  1. #41
    Senior Member
    Join Date
    Mar 2002
    Location
    Snohomish WA
    Posts
    315
    Well hell.....Murphy's law has struck again.

    I just got my computer hooked back up and running again....unfortunately that included reformatting my hard-drive and reinstalling Windows XP Home.
    I use a free dial-up ISP that is scanned like crazy all the time, and now here I am with none of my updates and patches.

    I've managed to get the 60 second shutdown to stop through services.msc, but am still having trouble staying connected to Windows Update. I haven't managed to download any of my updates.
    I did download the patch mentioned above, I am wondering about the prerequisites.

    I'm sure if I search posts I could find these answers already posted somewhere...but I'm trying to limit the time I spend online until I figure out what to do with this.

    One last problem....I can't get a connection established from behind a firewall...I've tried with the XP firewall, as well as Norton's Firewall...both of those end up giving me "username or password is invalid on the domain" messages.


    This is very irritating! (lol)
    Faqt


    If you want to make God laugh....make plans.

  2. #42
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Just as a heads up, one of our honey pots just caught a version of this worm that isn't picked up by the latest AVs (they are still picking up other versions). So either some jerk recompiled it, or it's automorphic..I hope it's the first....otherwise this is very bad news for people not behind firewalls (most home users).
    Who is more trustworthy than all of the gurus or Buddha's?

  3. #43
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    unusual activity on 4444

    Howdy,

    We all know that this thing is opening a listener on 4444. I have some administrators reporting that when they nmap for 4444 on their networks, they'll see several open, then on a second scan, they're all closed. "Like it's trying to hide from us..."

    Couple that with the postings here about people having a hard time removing it, and it makes me wonder if the two aren't related.

    Has anyone seen signs that this is listening, then if it receives a "bad" tickle, it hides itself away for a while? Could this be using some kind of port knocking?

    Myk

  4. #44
    Yeah, the worm listens on port 4444. I scanned myself and I found that I too had port 4444 open.

  5. #45
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Originally posted here by Maverick811

    Anyone feel free to correct me if I am wrong, but Windows Update doesn't really have anything to do with this worm - however, I'd advise against disabling Windows Update - ideally you are going to want to stay fully patched with updates as Microsoft releases them, using Windows Update. Microsoft has released a patch for this vulnerability and I would advise you strongly to apply it. The patch is available here: http://support.microsoft.com/?kbid=823980

    I have to disagree with one point here. I have had many systems broken by Windows updates, so I would never tell anyone to have that auto update crap turned on...good patch management and installing the patches you need is what is needed here. For this one I noted that family members didn't use any remote administration on their Win2k/XP boxes, so I disabled RPC months ago. (Work is a different issue; we are hiding behind the firewall while the QA guys finish patch testing against our in-house apps.)

  6. #46
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021

    Re: unusual activity on 4444

    Originally posted here by Mykol
    Howdy,

    We all know that this thing is opening a listener on 4444. I have some administrators reporting that when they nmap for 4444 on their networks, they'll see several open, then on a second scan, they're all closed. "Like it's trying to hide from us..."

    Couple that with the postings here about people having a hard time removing it, and it makes me wonder if the two aren't related.

    Has anyone seen signs that this is listening, then if it receives a "bad" tickle, it hides itself away for a while? Could this be using some kind of port knocking?

    Myk
    IMHO the scans are enough to cause the port to break - nessus found on the scan but then reported the port closed. Subsequent checking later (~1-2 hours) showed no signs of port 4444 reactivating (it only did after a reboot).

    What I think is more interesting are the ports open at 2500 or thereabouts.

    WTF are they doing? - You can telnet to them but they seem to do nothing.

    <paranoid>Perhaps typing the correct string in there will activate the DoS on Windows Update earlier</paranoid>

    Anyone know how M$ are going to protect themselves on Sunday?
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  7. #47
    I think this behaviour is more due to the worm exiting the shell. When the worm uses the DCOM/RPC exploit, it creates a shell on the remote system. It then tftp's a file down to the system, installs it in the registry, and starts it. It then exits the shell. This is all done pretty quickly.

    When the worm uses the exploit, RPC crashes and subsequent exploits to port 135 on that machine will not work till you reboot the pc.

    What you are seeing is most likely the port being opened, the worm doing its thing, and then shutting the shell. When the worm opens the shell, it's only open for the duration of it spreading. After the worm does its thing, you would not be able to connect to port 4444 and get a command prompt as if it was a listening port. When the worm shuts the shell, the port is subsequently closed.
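
    The sequence described above (exploit on 135/tcp, shell on 4444/tcp, TFTP pull from the attacker, shell closed) is something a defender can look for in firewall or flow logs. The script below is an added example, not code from the thread or from any poster; it assumes a simple constructed `key=value` log format and flags each victim where a source hits 135 and then 4444 within a short window, noting whether the 69/udp callback was also seen.

```python
import re
from datetime import datetime

# Constructed sample firewall/flow log lines (not taken from the thread).
# Host 10.1.1.20 shows the full chain; 10.1.1.22 shows 135 then 4444 but
# four minutes apart; 10.1.1.21 only gets the 135 probe.
SAMPLE_LOG = """\
2003-08-12T10:00:01 src=10.1.1.50 dst=10.1.1.20 dport=135 proto=tcp
2003-08-12T10:00:02 src=10.1.1.50 dst=10.1.1.20 dport=4444 proto=tcp
2003-08-12T10:00:03 src=10.1.1.20 dst=10.1.1.50 dport=69 proto=udp
2003-08-12T10:00:09 src=10.1.1.50 dst=10.1.1.21 dport=135 proto=tcp
2003-08-12T10:05:00 src=10.1.1.77 dst=10.1.1.22 dport=135 proto=tcp
2003-08-12T10:09:00 src=10.1.1.77 dst=10.1.1.22 dport=4444 proto=tcp
2003-08-12T10:30:00 src=10.1.1.99 dst=10.1.1.23 dport=80 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def parse_log(text):
    """Parse the assumed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]),
                       "src": d["src"], "dst": d["dst"],
                       "dport": int(d["dport"]), "proto": d["proto"].lower()})
    return sorted(events, key=lambda e: e["ts"])

def _hit(e, src, dst, dport, proto):
    return (e["src"], e["dst"], e["dport"], e["proto"]) == (src, dst, dport, proto)

def detect_blaster_chains(text, window_seconds=120):
    """One finding per (attacker, victim) pair showing 135 -> 4444 (-> 69/udp)."""
    events = parse_log(text)
    findings = []
    for i, e135 in enumerate(events):
        if not (e135["dport"] == 135 and e135["proto"] == "tcp"):
            continue
        attacker, victim, t0 = e135["src"], e135["dst"], e135["ts"]
        shell = tftp = False
        for later in events[i + 1:]:
            if (later["ts"] - t0).total_seconds() > window_seconds:
                break  # events are sorted, so nothing later can be in the window
            if _hit(later, attacker, victim, 4444, "tcp"):
                shell = True
            elif shell and _hit(later, victim, attacker, 69, "udp"):
                tftp = True  # victim pulled the payload back from the attacker
        if shell:
            findings.append({"victim": victim, "attacker": attacker,
                             "tftp_seen": tftp, "first_seen": t0.isoformat()})
    return findings
```

    A 4444 connection with no matching TFTP callback still deserves a look, since the shell was reached even if the download failed.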

  8. #48
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by Grinler
    What you are seeing is most likely the port being opened, the worm doing its thing, and then shutting the shell. When the worm opens the shell, it's only open for the duration of it spreading. After the worm does its thing, you would not be able to connect to port 4444 and get a command prompt as if it was a listening port. When the worm shuts the shell, the port is subsequently closed.
    My observations do not support this theory. From what I have observed, port 4444 stays open after the tftp attempt until an attempt to connect is made.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  9. #49
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    In an effort to "streamline" the discussion, some of the threads on the RPC/DCOM/mblast (whatever it's called today) will be merged here.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #50
    Steve,

    I have not seen that here in my lab, nor have I heard of anyone able to get into a shell on the exploit's coat tails. Maybe I'm missing something.

    Are you saying that after a machine you know of gets infected, you can portscan and see port 4444 still open, and when you portscan again it's gone? Is it possible you portscanned the host as it was being exploited, and thus the port was open?
