[Brew]

Yes, there's another RPC vulnerability. If you don't want to deal with all the headaches that came with the worms last time, get patched NOW.


Here's the MS security bullitin:
http://www.microsoft.com/technet/sec...n/MS03-039.asp


Here's direct links to the patches:

Direct Link to the Windows XP Patch:
http://download.microsoft.com/downlo...46-x86-ENU.exe


Direct Link to the Windows 2000 Patch:
http://download.microsoft.com/downlo...46-x86-ENU.exe


Direct Link to the Windows NT 4.0 Workstation Patch:
http://download.microsoft.com/downlo...46-x86-ENU.EXE


Direct Link to the Windows Server 2003 Patch:
http://download.microsoft.com/downlo...46-x86-ENU.exe

 

[chain777]

It's funny you post this now.


My WinXPpro machine just popped up with a "critcal update available for download"


*goes to install the 10,000th (or so) security patch to Windows...

 

[phishstics]

I'm really beginning to hate being an IT guy...

 

[toots]

Well, so much for 36 days of uptime on the office PeeCee.


I really hate having to reboot.


I have all these windows and stuff all warmed up and happy, and now I have to reset the whole mess.

 

[red_racer]

Quote:

Originally posted by phishstics I'm really beginning to hate being an IT guy...

I agree...the last one that went through was a nightmare...still finding workstations that have not been patched. Oh goodie...another round. Hopefully around here they wont wait til the last minute.

 

[bholio]

Thanks for the warning...

 

[Reden]

When MSBLAST first hit, I set up WallWatcher to monitor attacks against my SWBELL DSL attached Llinksys router.


Not much happened for a few days, than *BAM* it hit and hasn't stopped. MSBLAST (and variants) are the hits against port 135 (red) in the chart below.

http://www.ese-cad.com/xfer/chart.jpg


The Y axis is # of attacks/day. X is date.


I have no idea what the yellow was. I was getting thousands of hits an hour after getting a new IP. I got a fresh IP and those hits went away.


At work, we've had dialup folks get hit by MSBLAST... it's mean.


Robert

 

[leesweet]

We get tens of thousands of 135-139 hits a day, and have for years. People with messed up MS boxes on the Internet and/or attacks... the logs from the firewall and the overload got so large, we moved the blocks for them to the external router to drop them on the floor!


As for the 27649 (I think that what it says...) can't find any info on that. I'm waiting for the next Blaster or SoBig (what with the last one stopping today...). Sigh....



Edit: WallWatcher is great, thanks for the link. I bet 27649 is some sort of net game-server port, what with all the Quake server ports around it.

 

[mpsan]

Well, we use Solaris... no problems!

 

[Slack]

Thanks for the link to WallWatcher...

This board is a constant source of neato shtuff.

 

[Lee Thompson]

It's also a just good practice to block the RPC ports at the firewall TCP/UDP 135-139, 443, 593.


As for port scan info, you guys should check out www.incidents.org