
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-08-05 InfoSec Handlers Diary Blog


RPC DCOM Update: sdbot variant

Published: 2003-08-05
Last Updated: 2003-08-05 11:31:59 UTC
by Handlers (Version: 1)
Honeypots captured a number of attempts to install 'sdbot' variants via the
RPC DCOM vulnerability. In each case, 'dcom.c' was used to break in, after which
a tftp command was issued to download the remainder of sdbot.

Sdbot is a very common 'IRC bot'. It allows remote control of infected machines
via IRC and provides a large set of functions, such as keystroke loggers, DDoS tools, and tools to scan and break into other machines.

In order to protect your systems against this threat, patch systems against the
RPC vulnerability. Possible firewall rules:

- block inbound port 135 (RPC)

- block inbound and outbound port 69 (tftp)

- block outbound port 6667 (irc)

Note: the IRC port in particular is easily changed to a different port, so the 6667 rule alone is not a reliable control. TFTP should probably only be blocked at the perimeter of a private network (home network / small company), not by an ISP.
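The three ports above also make a useful detection chain for hosts that were not patched in time. The following Python script is an added example, not code from the diary or from the ISC handlers: it correlates constructed firewall connection-log lines (the log format, the IP addresses and the ten-minute window are assumptions) and flags an internal host that received an inbound connection to 135, then fetched something over TFTP, then opened an outbound IRC session. Because the IRC port is easily changed, the 135-then-TFTP pair is treated as the core signal and the IRC stage only raises confidence.

```python
"""Correlate firewall logs for the RPC DCOM -> TFTP -> IRC infection chain.

Added example (assumptions: a whitespace-separated log format
'<ts> <IN|OUT> <proto> <src:port> -> <dst:port>' and a 10-minute window).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2003-08-05T10:01:02Z IN  TCP 198.51.100.7:3021 -> 192.0.2.10:135
2003-08-05T10:01:09Z OUT UDP 192.0.2.10:1044 -> 198.51.100.7:69
2003-08-05T10:01:40Z OUT TCP 192.0.2.10:1045 -> 203.0.113.5:6667
2003-08-05T10:05:00Z IN  TCP 198.51.100.9:4410 -> 192.0.2.11:135
2003-08-05T11:30:00Z OUT TCP 192.0.2.12:1100 -> 203.0.113.5:6667
"""

RPC_DCOM_PORT = 135
TFTP_PORT = 69
IRC_PORT = 6667  # default only; the diary notes bots change this port easily


def parse_line(line):
    """Parse one assumed-format log line into a dict with typed fields."""
    ts, direction, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "dir": direction, "proto": proto,
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
    }


def correlate(log_text, window=timedelta(minutes=10)):
    """Return {internal_host: [stages reached, in order]}.

    Stages: rpc_dcom_inbound -> tftp_outbound -> irc_outbound. Each later
    stage must follow the previous one from the same host within `window`.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    stages = defaultdict(list)  # host -> [(stage, timestamp)]
    for e in events:
        if e["dir"] == "IN" and e["proto"] == "TCP" and e["dport"] == RPC_DCOM_PORT:
            stages[e["dst"]].append(("rpc_dcom_inbound", e["ts"]))
            continue
        if e["dir"] != "OUT":
            continue
        host = e["src"]
        prev = stages.get(host)  # .get() does not create an entry on a defaultdict
        if not prev:
            continue
        last_stage, last_ts = prev[-1]
        if e["ts"] - last_ts > window:
            continue
        if e["proto"] == "UDP" and e["dport"] == TFTP_PORT and last_stage == "rpc_dcom_inbound":
            stages[host].append(("tftp_outbound", e["ts"]))
        elif e["proto"] == "TCP" and e["dport"] == IRC_PORT and last_stage == "tftp_outbound":
            stages[host].append(("irc_outbound", e["ts"]))
    return {host: [s for s, _ in seq] for host, seq in stages.items()}


def suspected_sdbot(log_text, window=timedelta(minutes=10)):
    """Hosts that reached at least the TFTP stage; IRC on 6667 raises confidence."""
    return {
        host: ("high" if "irc_outbound" in seq else "medium")
        for host, seq in correlate(log_text, window).items()
        if "tftp_outbound" in seq
    }


if __name__ == "__main__":
    for host, confidence in suspected_sdbot(SAMPLE_LOG).items():
        print(f"{host}: suspected sdbot install ({confidence} confidence)")
```

A host that only shows inbound 135 traffic (192.0.2.11 in the sample) is left at the first stage, since scanning alone is expected background noise; a host that only talks to 6667 (192.0.2.12) is not flagged at all, because without the preceding stages an IRC connection is not evidence of anything.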

Please notify us about any updates.