Re: RE:DCOM (RPC) problem


Subject: Re: RE:DCOM (RPC) problem
From: W.D. McKinney (deem@wdm.com)
Date: Mon Aug 11 2003 - 20:34:49 AKDT


If you have a router....

    deny tcp any any eq 445 log (256936 matches)
    deny udp any any eq 445 log (1 match)
    deny tcp any any eq 135 (6984433 matches)
    deny udp any any eq 135 (147654 matches)
    deny udp any any eq netbios-ss
    deny tcp any any eq 139 log (378289 matches)

-Dee
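As an added illustration (not part of Dee's or tcv's mail): a small Python check that parses Cisco-style ACL lines like the ones above, resolving port keywords to numbers, and reports which of the endpoint-mapper transports listed in the quoted reply (tcp/udp 135, tcp 139, tcp 445, tcp 593) still lack a deny. The sample ACL is the list above, re-typed as constructed input; the truncated "netbios-ss" is assumed to be the IOS keyword netbios-ssn (139).

```python
import re

# Constructed sample input: the ACL lines from the mail above.  The truncated
# "netbios-ss" is assumed to be the IOS keyword "netbios-ssn" (udp/139).
SAMPLE_ACL = """\
deny tcp any any eq 445 log (256936 matches)
deny udp any any eq 445 log (1 match)
deny tcp any any eq 135 (6984433 matches)
deny udp any any eq 135 (147654 matches)
deny udp any any eq netbios-ssn
deny tcp any any eq 139 log (378289 matches)
"""

# RPC protocol sequences the endpoint mapper may listen on (per the quoted
# reply), reduced to the transport/port pairs a border ACL must cover.
EPMAPPER_PORTS = {
    ("tcp", 135): "ncacn_ip_tcp",
    ("udp", 135): "ncadg_ip_udp",
    ("tcp", 139): "ncacn_np over SMB/NetBIOS session",
    ("tcp", 445): "ncacn_np over SMB direct",
    ("tcp", 593): "ncacn_http (RPC-over-HTTP)",
}

PORT_NAMES = {"netbios-ssn": 139}  # IOS keyword -> port number

ACL_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+\S+\s+\S+\s+eq\s+"
    r"(?P<port>\S+)(?:\s+log)?(?:\s+\((?P<matches>\d+)\s+match(?:es)?\))?$"
)

def parse_acl(text):
    """Return {(proto, port): (action, match_count)} for each parsable line."""
    entries = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        raw = m["port"]
        port = int(raw) if raw.isdigit() else PORT_NAMES.get(raw)
        if port is None:
            continue  # unknown keyword: skip rather than guess
        matches = int(m["matches"]) if m["matches"] else 0
        entries[(m["proto"], port)] = (m["action"], matches)
    return entries

def uncovered_epmapper_ports(acl_text):
    """Endpoint-mapper transports that have no matching deny in the ACL."""
    denied = {k for k, (act, _) in parse_acl(acl_text).items() if act == "deny"}
    return sorted(k for k in EPMAPPER_PORTS if k not in denied)
```

Run against the sample, it reports tcp/593 (RPC-over-HTTP) as the one transport the list above does not block.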

On Mon, 2003-08-11 at 20:15, tcv@ninjatech.cjb.net wrote:
> If you have any microsoft machines residing behind the router:
>
> Click Start->Run
> Type "dcomcnfg.exe"
>
> disable DCOM
> then use ingress and egress filtering on port 135. I am sure the problem will get worse before it gets better.
>
> Also on IIS:
> Disable TCP port 593 (RPC-over-HTTP)
>
> IIS COM Internet Services are vulnerable as well.
>
> I am afraid this one could get nasty
>
> Here's a preliminary snort ruleset that may bring false positives:
>
> alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"SHELLCODE - DCOM"; content:"|93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B D7 3A|"; classtype:shellcode-detect; sid:6666; rev:1;)
>
>
> Also, Todd Sabin, at Bindview, made note that the RPC/DCOM interface is accessible over any RPC protocol sequence that the endpoint mapper listens on.
>
> That includes:
>
> o ncacn_ip_tcp : TCP port 135
> o ncadg_ip_udp : UDP port 135
> o ncacn_np : \pipe\epmapper, normally accessible via SMB null
> session on TCP ports 139 and 445
> o ncacn_http : if active, listening on TCP port 593.
>
> Hope this helps anyone unfortunate enough to administer microyuck networks.
>
> ------------------------------------------------------------------------
> Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rich Cook
> ------------------------------------------------------------------------
> pub 1024D/6F04299B 2003-08-10 T.C.V. (Postatem obscuri lateris nescitis) <tcv@ninjatech.cjb.net>
> Key fingerprint = 2E8F 57BF 31FC 1344 7BB3 2D08 AB33 1185 6F04 299B
> sub 2048g/431F3112 2003-08-10 [expires: 2004-08-09]
> ------------------------------------------------------------------------
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.




This archive was generated by hypermail 2a23 : Mon Aug 11 2003 - 20:34:46 AKDT