I just put an access list on one of our cores with some spare cpu cycles.. And 10% of the traffic looks like port 135 calls..... Anyone else see this? Did I break anything legitimate? Also I still see some Slammer traffic..

Mark

--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband

-----Original Message-----
From: Mike Damm [mailto:MikeD@irwinresearch.com]
Sent: August 11, 2003 6:19 PM
To: 'Drew Weaver'
Cc: 'nanog@merit.edu'
Subject: RE: RPC errors

According to Symantec it doesn't know if the system has already been infected until it is running on the target machine, at which point the RPC crash is imminent. It shouldn't re-infect, but further attempts from other infected hosts will cause random reboots.

On the plus side this one will be much easier to clean up than CodeRed, Nimda, etc. Random J. Clueless might actually look for patches if his box is rebooting on a regular basis.

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: miked@irwinresearch.com

-----Original Message-----
From: Drew Weaver [mailto:drew.weaver@thenap.com]
Sent: Monday, August 11, 2003 2:53 PM
To: 'Mike Damm'
Cc: 'nanog@merit.edu'
Subject: RE: RPC errors

It's bloody gorgeous too, my girlfriend's pc rebooted like 9 times, apparently the worm doesn't check to see if it's already infected.

-----Original Message-----
From: Mike Damm [mailto:MikeD@irwinresearch.com]
Sent: Monday, August 11, 2003 5:27 PM
To: 'Jack Bates'; NANOG
Subject: RE: RPC errors

The DCOM exploit that is floating around crashes the Windows RPC service when the attacker closes the connection to your system after a successful attack. Best bet is to assume any occurrence of crashing RPC services to be signs of a compromised system until proven otherwise.

http://www.cert.org/advisories/CA-2003-19.html

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: miked@irwinresearch.com

-----Original Message-----
From: Jack Bates [mailto:jbates@brightok.net]
Sent: Monday, August 11, 2003 1:12 PM
To: NANOG
Subject: RPC errors

I'm showing signs of an RPC sweep across one of my networks that's killing some XP machines (only XP confirmed). How widespread is this at this time? Also, does anyone know if this is just generating a DoS symptom or if I should be looking for backdoors in these client systems?

-Jack
Mark Segal wrote:

> I just put an access list on one of our cores with some spare cpu cycles.. And 10% of the traffic looks like port 135 calls..... Anyone else see this? Did I break anything legitimate?

There is legitimate use for 135, although normally it is not used in the wild much. From what I can see, the 10% traffic mark is about average and should mostly be infected systems. I've seen some tight-in network scans from one of my networks to the others (within the same /18). Still monitoring loads before I decide to crank in lists between networks to limit cross infection.

Tomorrow starts the fun... EU contact. I plan to open up inbound first and let users get infected, tracking and purifying my network for about a week, perhaps two. Then I'll reopen the network for full traffic if it looks clean enough. Emergency "Good Neighbor" policy. :)

-Jack
must be fun out there on the net today. one minute of counter accumulation

deny tcp any any eq 135 (5721 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139 (17 matches)
deny tcp any any eq 445 (1137 matches)

randy
45 seconds:

deny tcp any any eq 135 (5445 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny tcp any any eq 445 (207 matches)

----- Original Message -----
From: "Randy Bush" <randy@psg.com>
To: <nanog@merit.edu>
Sent: Monday, August 11, 2003 18:52
Subject: Re: RPC errors

> must be fun out there on the net today. one minute of counter accumulation
>
> deny tcp any any eq 135 (5721 matches)
> deny tcp any any eq 137
> deny tcp any any eq 138
> deny tcp any any eq 139 (17 matches)
> deny tcp any any eq 445 (1137 matches)
>
> randy
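One way to turn ACL counter snapshots like the ones posted above into per-port hit rates, so a sudden jump on 135/445 stands out against the background. This is an added example, not code from anyone in the thread; the two snapshots are constructed from the numbers quoted here, and the 10 hits/second threshold is an assumption.

```python
import re
from typing import Dict, List

# Constructed samples: two "show access-list" style counter snapshots in the
# format seen in the thread, one accumulated over 60 s and one over 45 s.
SNAPSHOT_60S = """\
deny tcp any any eq 135 (5721 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139 (17 matches)
deny tcp any any eq 445 (1137 matches)
"""

SNAPSHOT_45S = """\
deny tcp any any eq 135 (5445 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny tcp any any eq 445 (207 matches)
"""

# One ACE per line: action, protocol, src/dst, "eq <port>", optional "(N matches)".
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(\w+)\s+(.+?)\s+eq\s+(\d+)(?:\s+\((\d+)\s+matches\))?\s*$"
)


def parse_counters(text: str) -> Dict[int, int]:
    """Map destination port -> match count; an ACE with no suffix counts as 0."""
    counts: Dict[int, int] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m is None:
            continue  # not an ACE line (banner, blank, etc.)
        port = int(m.group(4))
        counts[port] = int(m.group(5) or 0)
    return counts


def rates(counts: Dict[int, int], seconds: float) -> Dict[int, float]:
    """Convert raw hit counts into hits per second for the sampling window."""
    return {port: hits / seconds for port, hits in counts.items()}


def flag_hot_ports(counts: Dict[int, int], seconds: float,
                   threshold_per_sec: float = 10.0) -> List[int]:
    """Ports whose hit rate meets the threshold, highest rate first (assumed threshold)."""
    r = rates(counts, seconds)
    hot = [p for p, v in r.items() if v >= threshold_per_sec]
    return sorted(hot, key=lambda p: -r[p])
```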
On the bright side, when double-checking the firewall on my home cable modem setup, it appears that Comcast here in the SF Bay Area has started filtering out incoming port 135 SYN packets -- they get dropped before they hit my firewall. Thanks, Comcast! On the not so bright side, I'm getting a steady stream of port 135 SYNs from my fellow Comcast customers (i.e., presumably on my side of Comcast's filters), which may mean the horses have mostly already left the barn. Jim Shankland
Jim Shankland wrote:

> On the not so bright side, I'm getting a steady stream of port 135 SYNs from my fellow Comcast customers (i.e., presumably on my side of Comcast's filters), which may mean the horses have mostly already left the barn.

You'll see a lot of this. Establishing blocks in the local networks is more time consuming than it's worth. Blocks are usually only in place temporarily while other business practices are carried out, as any good neighbor tries not to harass fellow networks. Once decontamination starts and users are fixed or suspended from service, blocks will usually be removed and the world goes back to normal. My own network has a two week deadline, although I'm gunning for being done this week.

-Jack