Port 1025/6000 Action (Part II)
As reported by Koon Tan yesterday we have seen, and are continuing to see, increased activity reported by more users now. The link below will show a graph that indicates activity over the past ~72 hours.
http://isc.sans.org/images/port1025tcp.png
We still need full packet captures to help nail this down, so if anybody has them please submit them via the 'Contact' link at the top of the page.
Core Security Technologies has an excellent article on this subject and RPC Vulnerabilities. One highlight from this article is that the "patches for these vulnerabilities ..... effectively fix the problem(s)" with the vunerabilities used in the discussion. All of the vulnerabilities are more than 18 months old; these fixed have been out for some time, giving lots of time for admins to perform testing and loading of said patches.
Comments