Honeypots captured a number of attempts to install 'sdbot' variants via the
RPC DCOM vulnerability. In each case, 'dcom.c' was used to break in and issue
a tftp command to download the remainder of sdbot.
Sdbot is a very common 'IRC bot'. It allows remote control of infected machines
via IRC and provides a large set of functions, such as keystroke loggers, DDoS tools, and tools to scan and break into other machines.
In order to protect your systems against this threat, patch systems against the
RPC vulnerability. Possible firewall rules:
- block inbound port 135 (RPC)
- block inbound and outbound port 69 (tftp)
- block outbound port 6667 (irc)
Note: the IRC port in particular is easily changed to a different port, so the 6667 rule only catches default configurations. TFTP should probably only be blocked at the perimeter of a private network (home network / small company), not by an ISP.
Please notify isc_AT_sans.org about updates.
Aug 5th 2003