RE:DCOM (RPC) problem


Subject: RE:DCOM (RPC) problem
tcv@ninjatech.cjb.net
Date: Mon Aug 11 2003 - 20:15:32 AKDT


If you have any Microsoft machines residing behind the router:

Click Start->Run
Type "dcomcnfg.exe"

Disable DCOM.
Then use ingress and egress filtering on port 135. I am sure the problem will get worse before it gets better.

Also on IIS:
Disable TCP port 593 (RPC-over-HTTP)
IIS COM Internet Services are vulnerable as well.

I am afraid this one could get nasty.

Here's a preliminary Snort ruleset that may bring false positives:

# Matches the raw byte sequence below anywhere in a packet to TCP 135.
# No flow, offset or depth constraints, so expect false positives.
# (Protocol is tcp: a port in the destination only makes sense for a tcp rule.)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM"; \
    content:"|93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B D7 3A|"; \
    classtype:shellcode-detect; sid:6666; rev:1;)

Also, Todd Sabin at Bindview noted that the RPC/DCOM interface is accessible over any RPC protocol sequence that the endpoint mapper listens on.

That includes:

o ncacn_ip_tcp : TCP port 135
o ncadg_ip_udp : UDP port 135
o ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
o ncacn_http : if active, listening on TCP port 593.

Hope this helps anyone unfortunate enough to administer microyuck networks.

------------------------------------------------------------------------
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rich Cook
------------------------------------------------------------------------
pub 1024D/6F04299B 2003-08-10 T.C.V. (Postatem obscuri lateris nescitis) <tcv@ninjatech.cjb.net>
Key fingerprint = 2E8F 57BF 31FC 1344 7BB3 2D08 AB33 1185 6F04 299B
sub 2048g/431F3112 2003-08-10 [expires: 2004-08-09]
------------------------------------------------------------------------
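The steps above (check whether DCOM is enabled, see which of the listed endpoint-mapper protocol sequences are actually listening, then filter 135 and 593) as one host-side audit/hardening script. This is an added example, not code from the original post or the list. It assumes a modern Windows host with the NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint) and netsh advfirewall, and that the registry value HKLM:\SOFTWARE\Microsoft\Ole\EnableDCOM ("Y"/"N") is the setting that dcomcnfg.exe toggles. The -Apply switch and the rule names are this example's own choices; run it elevated.

```powershell
# Added example (not from the original post): audit, and with -Apply enforce,
# the mitigations recommended above on a single Windows host.
# Assumptions: NetTCPIP cmdlets and netsh advfirewall are available (Windows 8 /
# Server 2012 or later); EnableDCOM under HKLM:\SOFTWARE\Microsoft\Ole is the
# value behind the dcomcnfg.exe "Enable DCOM" checkbox. Run as Administrator.
param(
    [switch]$Apply   # without -Apply the script only reports
)

$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# 1. DCOM state as set by dcomcnfg.exe. An absent value means the default: enabled.
$enableDcom = (Get-ItemProperty -Path $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
if (-not $enableDcom) { $enableDcom = 'Y' }
Write-Host "EnableDCOM = $enableDcom"

# 2. Local listeners for each protocol sequence the endpoint mapper can be reached on.
$checks = @(
    @{ Proto = 'TCP'; Port = 135; Note = 'ncacn_ip_tcp (endpoint mapper)' },
    @{ Proto = 'UDP'; Port = 135; Note = 'ncadg_ip_udp (endpoint mapper)' },
    @{ Proto = 'TCP'; Port = 139; Note = 'ncacn_np via SMB (\pipe\epmapper)' },
    @{ Proto = 'TCP'; Port = 445; Note = 'ncacn_np via SMB (\pipe\epmapper)' },
    @{ Proto = 'TCP'; Port = 593; Note = 'ncacn_http (RPC over HTTP)' }
)

foreach ($c in $checks) {
    if ($c.Proto -eq 'TCP') {
        $hit = Get-NetTCPConnection -LocalPort $c.Port -State Listen -ErrorAction SilentlyContinue
    } else {
        $hit = Get-NetUDPEndpoint -LocalPort $c.Port -ErrorAction SilentlyContinue
    }
    $state = if ($hit) { 'LISTENING' } else { 'closed' }
    Write-Host ("{0,-4}{1,5}  {2,-10} {3}" -f $c.Proto, $c.Port, $state, $c.Note)
}

if ($Apply) {
    # Disable DCOM; equivalent to clearing the checkbox in dcomcnfg.exe. Needs a reboot.
    Set-ItemProperty -Path $oleKey -Name EnableDCOM -Value 'N'

    # Host-firewall ingress and egress filtering for 135, and ingress for 593,
    # as a stopgap until the perimeter router filters them.
    netsh advfirewall firewall add rule name="Block inbound TCP 135 (RPC epmapper)"  dir=in  action=block protocol=TCP localport=135
    netsh advfirewall firewall add rule name="Block inbound UDP 135 (RPC epmapper)"  dir=in  action=block protocol=UDP localport=135
    netsh advfirewall firewall add rule name="Block outbound TCP 135 (RPC epmapper)" dir=out action=block protocol=TCP remoteport=135
    netsh advfirewall firewall add rule name="Block outbound UDP 135 (RPC epmapper)" dir=out action=block protocol=UDP remoteport=135
    netsh advfirewall firewall add rule name="Block inbound TCP 593 (RPC over HTTP)" dir=in  action=block protocol=TCP localport=593
    Write-Host 'Applied. Reboot for the DCOM change to take effect.'
}
```

Run it once without -Apply to see which of the listed protocol sequences are actually exposed on the host; note that blocking 139 and 445 is deliberately left out, since that breaks file and printer sharing, which is why the post relies on router filtering and disabling DCOM for the SMB path. Blocking outbound 135 also stops an infected host from reaching other machines' endpoint mappers.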




This archive was generated by hypermail 2a23 : Mon Aug 11 2003 - 20:15:35 AKDT