Slashdot Mirror


RPC DCOM Worm On The Loose

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
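The description above gives a defender a three-step signature to look for: an inbound hit on the RPC ports, a follow-up connection to port 4444 on the same host, then a tftp transfer back to the source. As an added example (not from the original story or the Storm Center), this script runs that chain detection over a few constructed firewall log lines; the log format and addresses are invented for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original page). The
# first three lines show the sequence the Storm Center description implies:
# RPC port hit, connection to the spawned shell on 4444, then tftp (UDP 69).
SAMPLE_LOG = """\
2003-08-11 14:02:10 ALLOW TCP 10.0.0.7 -> 10.0.1.50:135
2003-08-11 14:02:11 ALLOW TCP 10.0.0.7 -> 10.0.1.50:4444
2003-08-11 14:02:12 ALLOW UDP 10.0.1.50 -> 10.0.0.7:69
2003-08-11 14:05:00 ALLOW TCP 10.0.0.9 -> 10.0.1.51:445
2003-08-11 14:06:30 ALLOW TCP 10.0.0.9 -> 10.0.1.52:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

RPC_PORTS = {135, 445}   # ports the worm probes (see comment 3 below)
SHELL_PORT = 4444        # shell it spawns on a compromised host
TFTP_PORT = 69           # download channel for the worm body

def parse_log(text):
    """Parse the constructed log format into dicts; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events

def find_propagation(events):
    """Return (attacker, victim) pairs that show the full chain: RPC hit,
    then a shell connection from the same source, then tftp back to it."""
    stage = defaultdict(int)  # (attacker, victim) -> highest stage reached
    hits = []
    for e in events:
        key = (e["src"], e["dst"])
        if e["proto"] == "TCP" and e["dport"] in RPC_PORTS and stage[key] == 0:
            stage[key] = 1
        elif e["proto"] == "TCP" and e["dport"] == SHELL_PORT and stage[key] == 1:
            stage[key] = 2
        elif e["proto"] == "UDP" and e["dport"] == TFTP_PORT:
            rkey = (e["dst"], e["src"])  # victim pulls from attacker: direction flips
            if stage[rkey] == 2:
                stage[rkey] = 3
                hits.append({"attacker": e["dst"], "victim": e["src"]})
    return hits

def scan(text):
    return find_propagation(parse_log(text))
```

A lone 445 hit (the fourth sample line) is not reported; only the complete chain is, which keeps ordinary SMB traffic from tripping the alert.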

8 of 604 comments

  1. Re:I have already patched my entire network. by Anonymous Coward · · Score: 5, Insightful

    I'm afraid you have a false sense of security. A firewall is only part of the solution.

    A complete solution includes patching your systems and deploying IDS systems. Still, this is only part of a complete security solution.

  2. Firewalls *may* not protect you here by venom600 · · Score: 5, Insightful

    Everybody keeps posting that they have this or that port blocked on their firewall, so they're safe. Not so. All it takes is one person inside your network to open the wrong file attachment, or one laptop that went outside the network and then came back in to infect your internal network.

  3. Re:Great by ciroknight · · Score: 4, Insightful

    Yes it will work, I know from experience. My community here in Berea has been pretty slammed by this worm, and I've been telling everyone to just firewall off all the ports they don't use. It seems the virus can only connect on ports 135/445 though, so still no worries here. I've been running ZoneAlarm, a great firewall for Windows users, to help solve my problem.

    --
    "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush

  4. Re:On the way? by Sethb · · Score: 4, Insightful

    If any Windows shops actually get hit hard by this, the sysadmins need to be reprimanded or fired. My co-worker and I manage about 375 PCs at a university which has no firewall, though the NetBIOS ports are blocked at the border router.

    You should have had auto-updates turned on for your boxes and/or been using SUS server to push this kind of update out. We had auto-updates on, and then when the free scanner tool from eeye.com came out last week, we used that to scan the rest of our machines to identify any that didn't get the patch yet (not everyone has been migrated into our domain yet, and there are some rogue NT 4 boxes around still).

    As a result, we had everything reasonably secure last Monday, and AFAIK there are no vulnerable machines on any of our subnets, according to my scans.

    So, uh, what were you other Windows admins doing when you should have been doing your job?

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein

  5. Re:This is just sick. by The+Bungi · · Score: 5, Insightful

    That fix has been there for almost a month. So... shut up, please. There's nothing worse than going off on a "OMG, M$ suxx is teh gahyest!!1!!" rant when you're just plain wrong.

  6. Re:users being hit hard by Keeper · · Score: 4, Insightful

    "I think it's pretty irresponsible of them not to allow the autoupdate really..."

    That's like stealing a car, bringing it back to the car dealership to get a warranty issue fixed, and then acting all miffed when they call the cops on you.

    If you steal something, don't expect the company you stole from to treat you like a customer.

  7. Re:I have already patched my entire network. by SCHecklerX · · Score: 4, Insightful

    Yup, that firewall is going to do all kinds of good when a sales droid connects their (company owned) laptop to your private network after having had it connected to the raw Internet via dialup or broadband, or after they received mail from their personal ISP and, of course, ran every attachment under the sun.

    Firewall != security.

  8. Re:On the way? by Loki_1929 · · Score: 5, Insightful

    "My Co-Worker and I manage about 375 PCs at a University which has no firewall,"
    "the Sysadmins need to be ... fired."

    "You should have had auto-updates turned on for your boxes"
    "the Sysadmins need to be ... fired."

    "We had autoupdates on,"
    "the Sysadmins need to be ... fired."

    Reasonable border security, strict firewall rules, roll-over security, implementing patches and updates after they've been tested within a "sandbox" or other non-production machine, and constant security/threat analysis - these are the building blocks of a secure and operational infrastructure; not turning on "auto-update" for all your Windows boxes. That's absolutely ridiculous. Next time a faulty patch comes down the line, it's going to take down some, most, or even all of your machines. I can remember Microsoft security patches causing anything from network connection problems to outright system corruption requiring repair/reinstallation of the OS. Be very careful throwing stones at other admins when your own procedures are just plain laughable.

    "So, uh, what were you other Windows admins doing when you should have been doing your job?"

    Where was I? Reviewing the procedures I have in place to ensure that this type of vulnerability never touches anything that would be vulnerable to it, and ensuring that all critical systems are buffered in case of internal infection through user stupidity. Where was I? Doing my job, correctly.

    --
    "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."