LDAP scan increase
We are seeing a significant increase in scans for port 389. This port is
associated with LDAP. LDAP is used by a variety of different systems,
in particular Windows active directory. At this point, it is not clear
what these scans are attempting to accomplish. If you have any information,
in particular FULL PACKET CAPTURES (not just firewall logs), let us know.
The increase in port 389 scans is believed to be due to a new exploit
against the iMail LDAP server. The exploit has been posted here:
Windows 98 ASN.1 Patch
Readers reported to our handlers team that Microsoft is distributing a patch
for the ASN.1 issue to Windows 98 users per request. If you are running Windows
98, contact your Microsoft representative for the location of the patch.
As reported earlier, the ASN.1 advisory MS04-007 only covers newer versions of
Windows. Windows 98 is however still vulnerable.
Workaround: you may want to consider renaming or removing msasn1.dll. However, please test this fix carefully as it may break some software.
Careful! Do not trust any patches sent via e-mail.
MyDoom Remover release via Windows Update
Currently, Microsoft is offering a MyDoom virus remover via its Windows Update service.
Free Windows Patch CD
Microsoft offers a free patch CD for all currently supported versions of windows.
You can order a CD here:
Johannes Ullrich, SANS Institute jullrich_AT_sans.org
I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019
Feb 23rd 2004
1 decade ago