Full Disclosure mailing list archives

RE: ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd)


From: "Daniele Muscetta" <daniele () muscetta com>
Date: Thu, 14 Aug 2003 12:36:23 +0200 (W. Europe Daylight Time)


Sorry, Errata on my words:

On its own it is harmful.

I MEANT: "IT IS *NOT* HARMFUL."


Daniele




svchost.exe listens on several ports on Windows XP.
If Microsoft is saying that it should never be on the
internet, couldn't there be more b0f's discovered in
the future? One peculiar service "DNS Client",
although listening on a few random ports just about
1024, also runs off of svchost.exe.

svchost is a "wrapper" for services that work as DLLs instead of being
implemented with their own .EXE.
On its own it is harmful.

It is RPC which should not listen on the internet. It's a very different
matter.

Anyway, "DNS Client" is the DNS RESOLVER, that component that queries
the DNS for you... and it does not listen, as far as I know.
It opens, of course, dynamic ports >1024 as SOURCE ports, to talk to the DNS
server on target port 53... what would you expect it to do otherwise?

It also implements the dynamic record registration for DDNS, so it
REGISTERS the address of the client on the server (if instructed to do
so, and if the server supports it).


...if you don't want it, you might even want to remove resolv.conf from
your Linux box.... since it might be just as harmful..... :)


Daniele




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


