RPC probe explosion.



Brian
08-11-2003, 01:31 PM
Hey, check out your firewall logs. Loads of port 135 requests all over the place. Is this RPC worm out, or is it just a bunch of script kiddies scanning people?

If you don't know what RPC is, go to Windows Update, and get the patch. Now.

movzx
08-11-2003, 02:16 PM
You mean this stuff?



The firewall has blocked Internet access to your computer
(TCP Port 135) from *.*.*.* (TCP Port 4152) [TCP Flags: S].

User: default
Program: Distributed COM Services
Time: 8/11/2003 4:13:20 PM


I've been getting quite a few of them since yesterday, and I've been wondering... Thanks for the news.

ZerOrDie
08-11-2003, 02:29 PM
Originally posted by Brian
Is this RPC worm out, or is it just a bunch of script kiddies scanning people?

Both the canned Windows scanners are out, and I have seen a couple of worms floating about...

mart_man00
08-11-2003, 03:05 PM
I've been getting more kiddies than usual.

I used to have a Linux box as a firewall, so I really never worried that much. But it overheated a while ago. Maybe I can hack something up. I really don't feel like patching Windows every hour if something is up.

<edit>
Once it was in a game (Delta Force: Black Hawk Down) and I did the Norton trace thing; it came back as Egypt. Anyone else find out anything?

Brian
08-11-2003, 03:06 PM
http://developers.slashdot.org/developers/03/08/11/2048249.shtml?tid=126&tid=172&tid=185&tid=190&tid=201

Guess it's official.

mart_man00
08-11-2003, 03:09 PM
News for nerds, stuff that matters, my home page :D

I didn't even notice that one....

Perspective
08-11-2003, 04:58 PM
How do external firewalls/routers fare against these things? My computer doesn't get along with Windows patches that well...

Brian
08-11-2003, 05:03 PM
Originally posted by Perspective
How do external firewalls/routers fare against these things? My computer doesn't get along with Windows patches that well...

Well you can block the ports, but if someone joins your network with an infected machine behind the firewall, you're screwed.

GSLR
08-11-2003, 05:45 PM
Mmm, been updating all our machines lately; this is a big prob.
Good to be ahead and up to date, though.

confuted
08-11-2003, 05:55 PM
I have a webserver running on ports 473 and 474, leaving a hole in my router's firewall. Do I need to disable this temporarily? My ISP blocks incoming communications on ports 23, 80, and all the other ones that are used for standard services (webserver, mail server, etc.; it violates the terms of service). I also have the router set to not respond to pings. I think I have all the Windows updates, and I'm about to check. Am I safe, or do I need to lock it down more?

edit: WinXP

Brian
08-11-2003, 06:03 PM
As long as you're fully patched from Windows Update, you'll be okay.

mart_man00
08-11-2003, 06:17 PM
You should lock down everything you can normally anyway.

It's kind of annoying (when you run a new program you might have to update something), but you don't have to worry as much.

I'm more worried about something getting in rather than something getting out (no vital info on my desktop).


Just out of curiosity, weren't you playing with Linux a while ago?

confuted
08-11-2003, 06:18 PM
Yup, I have my computer set up to dual boot though. I run Windows well over 90% of the time, and my webserver is on Windows.

mart_man00
08-11-2003, 06:22 PM
If you're like me and only angry at Linux for no sound, the webserver would be a kool thing to play with on Linux.

But it's kind of hard to switch completely for a desktop, I know.

confuted
08-11-2003, 06:38 PM
I could run the webserver off Linux easily enough, but then I would have to figure out how to keep the Linux and Windows versions of the site the same (I update frequently). Seems like a lot of work... and yeah, the sound thing is my #1 against Linux ;) I don't particularly care for GAIM either. And I can't program in DirectX on Linux, and I don't have Visual Studio on Linux either. The switch is tough. Perhaps when/if I get a laptop, I'll make that dual boot too (if I can... not sure).

mart_man00
08-11-2003, 06:44 PM
I'm not trying to convert anyone, but I gotta point out a couple of things.

For programming, KDevelop (http://www.kdevelop.org/index.html?filename=screenshots1.html) and Anjuta (http://anjuta.org/anjuta.php?page=picture_corner).

To keep your website up to date you could still use Linux, just throw in Samba. Then Windows can see the Linux box.

Then you could either work in the folder on the server or set up rsync. rsync would keep everything in sync for you.

DirectX, you could if you wanted to, but I'm sure it's a pain :p
(Run WineX for games, or use Bochs (http://bochs.sourceforge.net/) to use Windows in Linux; haven't done it but heard it can be done, for free!)

Perspective
08-11-2003, 07:39 PM
[affects Win2k through Server 2003]

So am I safe with WinME, or can this still cause pain to my puter?

Brian
08-11-2003, 08:01 PM
Originally posted by Perspective
So am I safe with WinME, or can this still cause pain to my puter?

WinME is not affected.

gcn_zelda
08-11-2003, 08:08 PM
Huzza! At least WinME is good for something!

JaWiB
08-11-2003, 09:12 PM
What about Win98...

Perspective
08-11-2003, 09:26 PM
Originally posted by JaWiB
What about Win98...

No, just Win2k -> Windows Server 2003 (and everything in between).

Brian
08-12-2003, 05:52 AM
AFAIK it doesn't infect XP, it only infects some versions of 2k. It does however cause XP to reboot. Which I find rather amusing.

nvoigt
08-12-2003, 07:12 AM
Microsoft Security Bulletin MS03-026

Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

Originally posted: July 16, 2003 (!)

Affected Software:

Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003

Not Affected Software:

Microsoft Windows Millennium Edition


Crashing systems with RPC error messages are a sure sign of infection. Crashing systems due to other messages might be a sign of a failed intrusion attempt. Crashes can only be blocked by firewalls, because the patch only hinders the infection, not the crashing itself.

Brian
08-12-2003, 07:39 AM
Originally posted by nvoigt
Microsoft Security Bulletin MS03-026

Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

Originally posted: July 16, 2003 (!)

Crashing systems with RPC error messages are a sure sign of infection. Crashing systems due to other messages might be a sign of a failed intrusion attempt. Crashes can only be blocked by firewalls, because the patch only hinders the infection, not the crashing itself.

A crash means the infection $$$$ed up. It means it tried to jump to the wrong EIP, which means the exploit code never worked. But it also means the RPC process tries to access memory it isn't allowed to, so it crashes, causing a reboot.

cc0d3r
08-12-2003, 12:32 PM
RPC crashes both after the unsuccessful and the successful attempts. Compile the exploit, run it against the unpatched box, and you will see for yourself.

Somebody posted on Bugtraq, though, that it is possible to avoid the crash after the successful break-in. For that, the exploit has to be modified to exit via ExitThread().

Brian
08-12-2003, 12:47 PM
Originally posted by cc0d3r
RPC crashes both after the unsuccessful and the successful attempts. Compile the exploit, run it against the unpatched box, and you will see for yourself.

Somebody posted on Bugtraq, though, that it is possible to avoid the crash after the successful break-in. For that, the exploit has to be modified to exit via ExitThread().

Yeah, silly me.

JaWiB
08-12-2003, 05:22 PM
Yes...it can pay to use win 98...or to read Cboard :D

Xei
08-12-2003, 05:23 PM
Actually, I was infected by it last night. It was strange, because I turned off Zone Alarm and then all of a sudden Windows said "This station is shutting down in 1:00 seconds. Activated by NT ADMINISTRATION\SYSTEM." I took a screenshot if anyone wants; this happened twice in a row. Afterwards there was a new msworm.exe trying to scan port 135 of certain IP ranges. Norton didn't catch it, either. I have obtained source code to one of the RPC exploits; it is in Assembly and C, and it uses very large enumerator tables with values I haven't been able to put together. I think it's little-endian format, not sure. I'll post the code to get all of your input on how, exactly, it works.

confuted
08-12-2003, 05:36 PM
Xei... you compiled it? (There's an .exe in that .zip.) Is that the worm thing, or is it safe?

edit: woot, my post count is 1337

Xei
08-12-2003, 05:41 PM
Originally posted by blackrat364
Xei... you compiled it? (There's an .exe in that .zip.) Is that the worm thing, or is it safe?

edit: woot, my post count is 1337

The EXE is not the worm. If you compile the C code then you will get a release version of rpctest.exe. Then go to a DOS console and type in:

rpctest x.x.x.x (where x.x.x.x is an IP)

It will then attempt to create a virtual DOS shell on port 57005, where you can telnet into the computer. This is just an example of an exploit (the shell is limited, though; some API is possible to execute through the shell if done manually). Many systems are patched against RPC exploits now, but I did find that most IPs where people are running file-sharing servers are exploitable about 3/5ths of the time. MS really needs to revise the RPC. Personally, I think the idea of RPC is kinda silly.

gcn_zelda
08-12-2003, 06:18 PM
Heh. Blackrat, take a screenshot. It could come in handy later ;P

vasanth
08-13-2003, 08:21 AM
Ohh boy.. suddenly my PC starts shutting down.. installed Zone Alarm.. could not update Windows without it...

Xei
08-13-2003, 01:16 PM
Originally posted by vasanth
Ohh boy.. suddenly my PC starts shutting down.. installed Zone Alarm.. could not update Windows without it...

Same here. I'm not usually the person to be paranoid enough to warrant a firewall; however, I have recently discovered how vulnerable Windows systems are with this RPC exploit. I looked at my log and within 30 minutes there were 3 TCP attempts on port 135 (from 3 different systems), which proves how widespread this worm is. Oh, and I was wrong about the filename; it is msblast.exe, not msworm.exe. After an antivirus update Norton found it and deleted it.

Again, I will show you just how widespread it is. My computer has been turned on for about 15 minutes, and about every 30 seconds to 1 minute there is an attempt from a worm.
Click Here (http://www.geocities.com/xei712/alerts.html)
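The alert format movzx quoted above and Xei's observation (several different sources hitting port 135 within half an hour) can be turned into a simple triage check. This is an added example, not code from the thread; the parser assumes the ZoneAlarm-style alert layout shown earlier, and the sample log below is constructed with documentation IP ranges.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches one alert in the format quoted earlier in the thread.
ALERT_RE = re.compile(
    r"The firewall has blocked Internet access to your computer\s+"
    r"\((TCP|UDP) Port (\d+)\) from ([\d.*]+) \((?:TCP|UDP) Port \d+\)"
    r"(?: \[TCP Flags: (\w+)\])?\.\s+User: \S+\s+Program: (.+?)\s+"
    r"Time: (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)",
    re.S,
)
RPC_PORTS = {135, 139, 445}  # DCOM/RPC endpoint mapper and SMB ports

def parse_alerts(text):
    """Return (time, proto, dst_port, src_ip, flags, program) per alert."""
    out = []
    for m in ALERT_RE.finditer(text):
        proto, port, src, flags, program, ts = m.groups()
        when = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
        out.append((when, proto, int(port), src, flags, program.strip()))
    return out

def worm_scan_summary(text, window_minutes=30, min_sources=3):
    """Count TCP hits on RPC ports and the most distinct sources seen in
    any sliding window; many distinct sources in a short time points to
    worm propagation rather than a single person scanning."""
    window = timedelta(minutes=window_minutes)
    hits = sorted(e for e in parse_alerts(text) if e[1] == "TCP" and e[2] in RPC_PORTS)
    best = 0
    for i, first in enumerate(hits):
        in_window = {e[3] for e in hits[i:] if e[0] - first[0] <= window}
        best = max(best, len(in_window))
    return {"attempts": len(hits), "sources": Counter(e[3] for e in hits),
            "max_sources_in_window": best, "suspect_worm": best >= min_sources}

def _alert(port, src, ts, program="Distributed COM Services"):
    # Builds one constructed alert in the thread's log format.
    return (f"The firewall has blocked Internet access to your computer\n"
            f"(TCP Port {port}) from {src} (TCP Port 4152) [TCP Flags: S].\n\n"
            f"User: default\nProgram: {program}\nTime: {ts}\n")

# Constructed sample log (documentation IP ranges, not real sources).
SAMPLE_LOG = "\n".join([
    _alert(135, "192.0.2.10", "8/11/2003 4:13:20 PM"),
    _alert(80, "192.0.2.77", "8/11/2003 4:20:05 PM", "N/A"),
    _alert(135, "198.51.100.4", "8/11/2003 4:31:44 PM"),
    _alert(135, "192.0.2.10", "8/11/2003 4:40:02 PM"),
    _alert(135, "203.0.113.9", "8/11/2003 4:58:00 PM"),
])

if __name__ == "__main__":
    print(worm_scan_summary(SAMPLE_LOG))
```

The port 80 alert is ignored; the three distinct sources on port 135 inside one 30-minute window trip the threshold, while a 10-minute window does not.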

mart_man00
08-13-2003, 01:39 PM
Originally posted by Xei
I'm not usually the person to be paranoid enough to warrant a firewall

Then it couldn't have happened to a better person.

Ever hear of script kiddies?

Xei
08-13-2003, 02:15 PM
Originally posted by mart_man00
Then it couldn't have happened to a better person.

Ever hear of script kiddies?

Of course I have heard of the term Script Kiddie, everyone has. Why are you asking? Or are you implying something?

XSquared
08-13-2003, 02:39 PM
>>Again, I will show you just how widespread it is.

I know how widespread it is. I do tech support for a major ISP. Many, many calls. We've actually blocked 135-139 and 145 to stop it from spreading.

Xei
08-13-2003, 02:52 PM
Originally posted by XSquared
>>Again, I will show you just how widespread it is.

I know how widespread it is. I do tech support for a major ISP. Many, many calls. We've actually blocked 135-139 and 145 to stop it from spreading.

Yesterday Pan Canadian had to shut down all of their computers and servers for most of the working day to manually remove the infections. What ISP do you work for?

XSquared
08-13-2003, 02:55 PM
Can't say. Major US one though.

Xei
08-13-2003, 03:23 PM
Originally posted by XSquared
Can't say. Major US one though.
I'm curious, why can't you disclose which ISP you work for? Did your ISP ask you not to disclose that information? 'Cause that would seem somewhat odd.

XSquared
08-13-2003, 03:32 PM
Never mind. I can say who I work for :p. RoadRunner.

mart_man00
08-13-2003, 08:42 PM
Sorry I'm late.


Originally posted by Xei
Or are you implying something?

Yeah, you should have taken some measures to begin with.
(Crack at your "I'm not usually the person to be paranoid enough to warrant a firewall" part; sorry, but I couldn't resist. It took me a while to get a lot of people using firewalls.)

Basically a US state has been screwed over by this. It's doing some damage, but so far it seems like it was written more as a joke than anything else.


Originally posted by XSquared
Never mind. I can say who I work for. RoadRunner.

You're kidding, right? If not, uncap my modem! And lower my bill a little while you're at it!

XSquared
08-13-2003, 09:08 PM
>>You're kidding, right? If not, uncap my modem! And lower my bill a little while you're at it!
No.