Security Incidents mailing list archives
Re:
From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 15 Oct 2002 18:02:06 -0400
"Hay,Daniel" wrote:
> We are in the same boat. We have udp/tcp 135-139 and 445 blocked but we still see the spam.

Are you sure you have UDP 135 blocked? That is the way the DirectAdvertiser stuff comes in. I'm analyzing the packets now.

> We have identified 2 hosts on campus: 1 is a Linux box running RedHat 7.3, the other seems to be a Win2k box.

What do you mean by "identified"? That they sent messages or received them?

> I've done a quick check of the Linux box but it doesn't appear to be compromised. One thing I did notice from external scanning is that RPC on the Linux box is not configured correctly and allows forwarding of RPC requests.

Excuse my ignorance, but how did you scan the box and in what way did it forward RPC requests? I'm not sure what you mean by "misconfigured RPC installation". Is the box running Samba? MS-RPC isn't the same as unix RPC.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
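The question Gary raises ("are you sure you have UDP 135 blocked?") is really a rule-coverage question: a filter that denies 135-139 and 445 for TCP only still admits the Messenger-service popup traffic over UDP 135. The following is an added example, not code from the thread or from either poster, that checks a constructed rule list for exactly that gap. The rule syntax (`deny udp in 135-139`), the first-match evaluation and the sample rule sets are assumptions made for the illustration, not any real firewall's format.

```python
# Added example (not from the original thread): check an inbound filter rule
# list for coverage of the ports the thread discusses (tcp/udp 135-139, 445).
# The rule syntax and the sample rules below are constructed for this example.
from dataclasses import dataclass

# Ports named in the thread: MS-RPC endpoint mapper (135), NetBIOS (137-139)
# and SMB over TCP (445); 136 is included because the thread blocks the range.
WATCH_PORTS = (135, 136, 137, 138, 139, 445)
PROTOS = ("tcp", "udp")


@dataclass(frozen=True)
class Rule:
    action: str      # "deny" or "permit"
    proto: str       # "tcp", "udp" or "any"
    ports: range     # destination ports, inclusive (range(lo, hi + 1))
    direction: str   # "in" or "out"


def parse_rule(text: str) -> Rule:
    """Parse the constructed syntax: '<action> <proto> <direction> <port|lo-hi>'."""
    action, proto, direction, spec = text.split()
    lo, _, hi = spec.partition("-")
    return Rule(action, proto, range(int(lo), int(hi or lo) + 1), direction)


def is_blocked(rules, proto: str, port: int) -> bool:
    """First-match evaluation: the first inbound rule covering proto/port decides.

    An unmatched packet is treated as permitted, which is the pessimistic
    assumption for an audit (a real policy may end with an implicit deny).
    """
    for r in rules:
        if r.direction != "in" or r.proto not in (proto, "any"):
            continue
        if port in r.ports:
            return r.action == "deny"
    return False


def coverage_gaps(rules):
    """Return sorted (proto, port) pairs from WATCH_PORTS not blocked inbound."""
    return sorted(
        (proto, port)
        for proto in PROTOS
        for port in WATCH_PORTS
        if not is_blocked(rules, proto, port)
    )


# Constructed rule set that looks complete at a glance but only blocks the
# NetBIOS ports for UDP, leaving UDP 135 (the popup-spam path) open.
SAMPLE_RULES = [parse_rule(r) for r in (
    "deny tcp in 135-139",
    "deny tcp in 445",
    "deny udp in 137-139",
    "permit any in 1-65535",
)]

# Corrected constructed rule set: both protocols, full ranges.
FIXED_RULES = [parse_rule(r) for r in (
    "deny any in 135-139",
    "deny any in 445",
    "permit any in 1-65535",
)]

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("fixed", FIXED_RULES)):
        gaps = coverage_gaps(rules)
        print(f"{name}: {'no gaps' if not gaps else gaps}")
```

Running the block reports `udp/135`, `udp/136` and `udp/445` as unblocked for the first rule set and no gaps for the second; the same function can be pointed at an exported ACL once a parser for that device's syntax replaces `parse_rule`.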