Full Disclosure mailing list archives

RE: ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd)


From: "Daniele Muscetta" <daniele () muscetta com>
Date: Thu, 14 Aug 2003 11:47:55 +0200 (W. Europe Daylight Time)

> svchost.exe listens on several ports on Windows XP.
> If Microsoft is saying that it should never be on the
> internet, couldn't there be more b0f's discovered in
> the future? One peculiar service "DNS Client",
> although listening on a few random ports just about
> 1024, also runs off of svchost.exe.

svchost is a "wrapper" for services that work as DLLs instead of being
implemented with their own .EXE.
On its own it is harmful.

It is RPC which should not listen on the internet. It's a very different
matter.

Anyway, "DNS Client" is the DNS RESOLVER, that component that queries the
DNS for you... and it does not listen, as far as I know.
It opens, of course, dynamic ports >1024 as SOURCE ports, to talk to the DNS
server on target port 53... what would you expect it to do otherwise?

It also implements the dynamic record registration for DDNS, so it
REGISTERS the address of the client on the server (if instructed to do so,
and if the server supports it).


...if you don't want it, you might even want to remove resolv.conf from
your Linux box.... since it might be just as harmful..... :)


Daniele
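
Added example, not part of the original message: a short Python script that joins `tasklist /svc` and `netstat -ano` output to show which service inside each svchost.exe owns a socket, and whether that socket is a TCP listener, a TCP connection, or a bound UDP socket (netstat reports no state for UDP, so a resolver's source port looks like a listener at first glance). The two sample outputs are constructed, with illustrative PIDs and service grouping.

```python
import re

# Constructed sample of `tasklist /svc` output; PIDs and grouping are illustrative.
TASKLIST = """\
Image Name                   PID Services
========================= ====== ==================================
svchost.exe                  884 RpcSs
svchost.exe                 1032 Dnscache
svchost.exe                 1100 LanmanWorkstation, Netman,
                                 Schedule
"""

# Constructed sample of `netstat -ano` output.
NETSTAT = """\
  Proto  Local Address      Foreign Address    State         PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING     884
  UDP    0.0.0.0:1026       *:*                              1032
  TCP    192.168.1.10:1040  192.168.1.1:53     ESTABLISHED   1032
"""

def services_by_pid(text):
    """Map PID -> services hosted in that process, joining wrapped lines."""
    out, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"\S+\.exe\s+(\d+)\s+(.*)$", line, re.I)
        if m:
            pid, names = int(m.group(1)), m.group(2)
        elif pid is not None and line[:1].isspace() and line.strip():
            names = line          # continuation of the previous service list
        else:
            pid = None            # header, separator or unparsed row
            continue
        out.setdefault(pid, []).extend(
            s.strip() for s in names.split(",") if s.strip() not in ("", "N/A"))
    return out

def endpoints(text):
    """Yield (pid, proto, local_port, kind) for each netstat row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        port = int(f[1].rsplit(":", 1)[1])
        if f[0] == "UDP":
            kind = "udp-bound"    # netstat shows no state for UDP sockets
        else:
            kind = "tcp-listener" if f[3] == "LISTENING" else "tcp-connection"
        yield int(f[-1]), f[0], port, kind

def report(tasklist_text, netstat_text):
    svc = services_by_pid(tasklist_text)
    return [("+".join(svc.get(pid, ["?"])), proto, port, kind)
            for pid, proto, port, kind in endpoints(netstat_text)]
```

Calling `report(TASKLIST, NETSTAT)` returns one tuple per socket; the `tcp-listener` rows are the ones to compare against the perimeter filter rules.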



