APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

© August 2003 Michael Desrosiers

Windows RPC flaw

Email: mdesrosiers@m3ipinc.com Web: m3ipinc.com

More Articles

An attack tool, also known as an autorooter, is being used to compromise Windows servers. The tool can take commands that are sent through Internet relay chat (IRC) channels and is capable of scanning for and compromising systems vulnerable to the highly publicized recent Windows remote procedure call (RPC) vulnerability.

This vulnerability affects almost all versions of Windows and could enable a remote attacker to place and run malicious code on affected machines, giving them total control over the systems according to Microsoft.

After examining a clobbered together exploit package called Worm.Win32.Autorooter, it is obvious where this type of worm is heading. Because it requires no user interaction it is being compared to the buffer overflow vulnerability in Microsoft's Internet Information Server (IIS) that was exploited by the Code Red worm in July of 2001.

The major difference that I see, is that Code Red infected Windows servers only, this exploit has the capability of infecting servers AND workstations alike. Now we are talking millions of potential systems and not thousands.

I have seen a significant level of recon or scanning, since the Distributed Component Object Model (DCOM) exploit was found in the wild on July 25th, which once again brings up my major gripe. The current patching system is broke. What consumers should demand is that software vendors "start writing more secure applications." Only intense pressure from buyers appliance vendors to do the right thing for their customers by taking responsibility for the flaws they are putting in our computers and on our networks. If the Department of Homeland Security wants to improve cyber security it should demand that its vendors deliver secure configurations and automatically deliver patches that work, or pay the costs of cleaning up the messes caused by their failure to do so.

In the mean time, please take these steps to protect your environment. Block TCP port 135 (Windows RPC service), TCP port 139 (Windows NetBIOS network communication) and port 445 (Windows Server Message Block) on your local firewall. And apply the Microsoft patch found in regards to Microsoft Security Bulletin MS03-026: https://www.microsoft.com/security/security_bulletins/ms03-026.asp

Publish your articles, comments, book reviews or opinions here!

© August 2003 Michael Desrosiers All rights reserved

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> Windows RPC flaw

Inexpensive and informative Apple related e-books:

Take Control of Numbers

Take Control of Apple Mail, Third Edition

Take Control of Parallels Desktop 12

Photos: A Take Control Crash Course

Take Control of Preview

More Articles by © Michael Desrosiers

Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

If you just want to use the system, instead of hacking on its internals, you don't need source code. (Andrew S. Tanenbaum)

Linux posts

Troubleshooting posts

This post tagged:



Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode