Full Disclosure mailing list archives
RE: RE: DCOM RPC exploit
From: "Steve W. Manzuik" <steve () entrenchtech com>
Date: Sun, 27 Jul 2003 08:54:43 -0700
> Compare the number of boxes that have the bug Slapper exploited with the number of boxes that have DCOM open to the world....
Do you have a stat on the number of boxes with DCOM open? Do you really think that the number of organizations still not filtering 135 etc. outnumbers those running IIS? Yes, you can exploit this via IIS -- IF IT IS ENABLED (read: not default).
> And of course, anybody who's got half a clue and writes a worm is going to have it drop off a trojan/backdoor... And then those boxes get used as spam relays, front-end boxes for porn websites, keyboard sniffers, etc etc. Gonna take a LONG time to clean that mess up.
Sure, but have there actually been any "good" worms yet?
> Hell, we're *still* seeing Code Red traffic. And what we've *NOT* seen in the last 2 years is a CERT advisory of this magnitude against a Microsoft product that didn't spawn a "Holy Shit" scale worm.
Don't forget Nimda as well. But seriously, does Code Red or Nimda actually cause you connectivity issues? I see a ton of Code Red/Nimda-like traffic on various logs and yet the effect is pretty much zero.
> Unfortunately, we've gotten so lulled by the "Just another damned worm" scenario that maybe it's NOT a big deal anymore. And that's just as scary as the actual worm.
If your boxes are patched, Firewalls configured properly, IDS tuned and running -- why would this new worm be so scary? The only reason that yet another worm is going to be scary is that people don't patch their boxes or configure them to be "secure". Perhaps I am missing something but I think Code Red and the likes did everyone a huge favor -- forced people to patch systems, put script kiddies and consultants alike out of business. Hell, maybe I will write one myself. ;-)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html