
SANS ISC: Port 10 traffic; 139 & 1433 report; DCE RPC Vectors - SANS Internet Storm Center


Port 10 Traffic

We see a steep increase in the number of hosts probed on port 10. While only a few sources participate, the number of hosts probed is very large.

At this point, we do not know what these probes try to accomplish.
http://www.dshield.org/port_report.php?port=10
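
The "few sources, many targets" pattern described above can be checked in local firewall logs. The following is an added example, not code from the ISC or DShield; the `src dst dport` record format, the sample addresses and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed firewall-drop records in 'src dst dport' form (not real data)."""
    lines = []
    # Three sources, each sweeping 200 addresses on port 10.
    for s in range(3):
        for h in range(200):
            lines.append(f"198.51.100.{s + 1} 10.0.{s}.{h + 1} 10")
    # Background noise on port 139: 40 sources, 2 targets each.
    for s in range(40):
        for h in range(2):
            lines.append(f"203.0.113.{s + 1} 10.1.0.{h + 1} 139")
    lines.append("garbage line")  # malformed records are skipped
    return lines

def port_summary(lines):
    """Count distinct sources, distinct targets and per-source fan-out per port."""
    per_port = defaultdict(lambda: defaultdict(set))  # port -> src -> {dst}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        src, dst, port = parts[0], parts[1], int(parts[2])
        per_port[port][src].add(dst)
    summary = {}
    for port, by_src in per_port.items():
        targets = set().union(*by_src.values())
        summary[port] = {
            "sources": len(by_src),
            "targets": len(targets),
            "fanout": {src: len(dsts) for src, dsts in by_src.items()},
        }
    return summary

def wide_sweeps(summary, max_sources=5, min_targets=100):
    """Ports probed by few sources across many hosts (thresholds are assumptions)."""
    return sorted(port for port, s in summary.items()
                  if s["sources"] <= max_sources and s["targets"] >= min_targets)

if __name__ == "__main__":
    report = port_summary(build_sample_log())
    for port in wide_sweeps(report):
        s = report[port]
        print(f"port {port}: {s['sources']} sources, {s['targets']} targets")
        for src, n in sorted(s["fanout"].items(), key=lambda kv: -kv[1]):
            print(f"  {src} probed {n} hosts")
```
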

139 and 1433

ISS raised its AlertCON to '2' (from 1) due to reports of an increase in port 139 and 1433 scans. We do not see a significant global increase. In our opinion, a scan for weak MSSQL passwords with a file-sharing component (like 'SQLSnake') is a possible reason.

DCE RPC Vectors

Core Security Technologies published a paper outlining various ways to exploit DCE RPC DCOM via different vectors. This paper is another reminder that just blocking port 135 is not enough to protect your systems. Patching is the only real solution, and firewall rules should be applied to all unsolicited inbound traffic if possible.
http://www.coresecurity.com/common/showdoc.php?idx=393&idxseccion=10

Port 53 update

Earlier this week, Lurhq posted an analysis of a particular Trojan that uses malformed 'DNS' queries to communicate:
http://www.lurhq.com/sinit.html


Johannes

ISC Handler
