HEADS UP - New Welchia worm based on RPC2

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    HEADS UP - New Welchia worm based on RPC2

    At approximately 4:42PM EST, I began tracking massive infections on my network. All of my triggers pointed to the W32.Welchia worm; however, this seems to be a new variant that the AV companies aren't aware of as of yet. Seems that boxes patched with the latest RPC patch are not affected.

    My external triggers and internal triggers are going insane. Looks like this is traveling across the internet very quickly. So far, the only footprints are that port 707 TCP is open on infected hosts, and my IDS is showing propagation source and destination as TCP 0 (which we know isn't happening).

    Keep your eyes open folks. This should be a fun evening.

    EDIT: 5:05 EST - Nachia IDS triggers are also going off on this one. This is gonna be ugly!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
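
The only indicators given so far are hosts with TCP/707 open and IDS events showing port 0. As an added example (not code from the thread), this script runs over constructed firewall log lines in an assumed "time action proto src:port -> dst:port" format, flags sources fanning out to many peers on TCP/707 as propagation candidates, lists hosts that accepted a TCP/707 connection, and sets aside port-0 records for review instead of treating them as real flows:

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread); the log format is an assumption.
SAMPLE_LOG = """\
16:42:01 ALLOW TCP 10.0.1.17:1044 -> 10.0.1.20:707
16:42:01 ALLOW TCP 10.0.1.17:1045 -> 10.0.1.21:707
16:42:02 ALLOW TCP 10.0.1.17:1046 -> 10.0.1.22:707
16:42:02 ALLOW TCP 10.0.1.17:1047 -> 10.0.2.5:135
16:42:03 ALLOW TCP 10.0.1.30:3021 -> 10.0.1.17:707
16:42:04 ALLOW TCP 10.0.1.40:0 -> 10.0.1.41:0
16:42:05 ALLOW TCP 10.0.1.55:2200 -> 10.0.9.9:80
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

SUSPECT_PORT = 707      # TCP/707 is reported open on infected hosts
FANOUT_THRESHOLD = 3    # distinct peers on TCP/707 before a source is flagged

def analyse(log_text, threshold=FANOUT_THRESHOLD):
    """Return (fan-out sources, hosts reached on TCP/707, port-0 lines)."""
    peers = defaultdict(set)   # source IP -> destinations it contacted on 707
    targets = set()            # hosts that accepted a connection on 707
    zero_port = []             # port-0 records, like the IDS artefact described
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue             # skip unparseable or non-TCP lines
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport == 0 or dport == 0:
            zero_port.append(line)   # keep for manual review, not as real traffic
            continue
        if dport == SUSPECT_PORT:
            peers[m["src"]].add(m["dst"])
            targets.add(m["dst"])
    suspects = sorted(s for s, d in peers.items() if len(d) >= threshold)
    return suspects, sorted(targets), zero_port

if __name__ == "__main__":
    s, t, z = analyse(SAMPLE_LOG)
    print("fan-out sources:", s)            # ['10.0.1.17']
    print("hosts reached on TCP/707:", t)
    print("port-0 lines to review:", len(z))
```

A host that appears in both lists (reached on 707, then fanning out on 707 itself) is the pattern to isolate first.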

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Checking my firewall logs and IDS logs right now as we speak, but so far nothing has been triggered that looks like what you are seeing.

    If I find anything in my logs I'll be sure to add it here. Thanks for the heads up.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    123
    Checked my firewall for any of those attacks, haven't seen any yet, but I will keep my eyes peeled. Thanks for the heads up.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Checked our stuff and things are quiet so far... 5:10 CST.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    All clear on the central front. 5:40 CST

  6. #6
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    At about the time thehorse13 mentions (calculating for PST) we were hit with about 30 minutes of hack attempts. Not on those ports. The source system was in Denver and I've already contacted the abuse@ISP for it.

    Odd. This has been a very strange Monday.

    Just updated my AV files from Symantec, nothing mentioned that matches what was described above.

  7. #7
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    thanks horse..

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    My boss posted this to bugtraq and I posted this here and to ntbugtraq. So far one other person has the same issue.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Sep 2003
    Posts
    101
    This, along with the new SSH vuln, will make for an interesting week.
    chown -r us ./bases

  10. #10

    thanks

    TH13, thanks for the warning.
    I've already talked to my company's security officer, and we are gonna send out an alert on this. We have had 4 offices that had Welchia outbreaks, and I know some were before MS03-039 came out.

    If you and your boss get the credit as being the first ones to notify about this, any idea what you would call the worm?
