From: Jay Sparks (sparks_at_newton.berkeley.edu)
Date: Tue Aug 05 2003 - 10:37:03 PDT
I like this one reco'd by Eric.
jay
---------- Forwarded message ----------
Date: Wed, 30 Jul 2003 14:01:12 -0700
From: "Eric Chamberlain, CISSP" <eric_at_uclink.berkeley.edu>
To: calnetad-admin_at_uclink.berkeley.edu
Cc: 'ucb-security' <ucb-security_at_uclink4.berkeley.edu>
Subject: [Security] Blocking RPC traffic to the DCs from off-campus
Due to attacks against the domain controllers from off-campus, TCP/135 RPC
traffic to the DCs has been blocked. This could impact some off-campus
users.
We've seen a large number of denial of service attacks, using the exploit in
Microsoft Security Bulletin MS03-26. If you have unpatched machines with
RPC ports open to the Internet, patch them as soon as possible.
Symptoms included users reporting error messages of RPC server unavailable.
Further examination revealed Event ID 7031, The RPC service has stopped
unexpectedly in the System Event Log. Checking our traffic logs revealed
numerous connections on TCP/135 from outside locations that match timestamps
with the service failure. There were numerous IP addresses, but the same
addresses would repeatedly try to connect to multiple machines from 7/25
to present.
A free tool is available to scan machines for the vulnerability.
http://www.eeye.com/html/Press/PR20030725.html
--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu

-------------------------------------
Sent via the ucb-security mailing list.
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.
This archive was generated by hypermail 2.1.5 : Tue Aug 05 2003 - 10:46:12 PDT
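The correlation described in the forwarded message (Event ID 7031 timestamps matched against inbound TCP/135 connections, then sources that recur across machines) can be sketched as follows. This is an added example, not part of the original message; the log layouts, the addresses, and the 30-second window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (documentation address ranges, invented host IPs).
# Assumed firewall log layout: time, source IP, destination IP, destination port
CONNS = """\
2003-07-25T09:14:02 198.51.100.7 10.0.0.11 135
2003-07-25T09:14:40 198.51.100.7 10.0.0.12 135
2003-07-25T09:20:11 203.0.113.9 10.0.0.11 80
2003-07-26T22:03:55 192.0.2.44 10.0.0.12 135
2003-07-27T03:30:00 198.51.100.7 10.0.0.11 135
"""
# Assumed System Event Log export layout: time, host IP, event ID
EVENTS = """\
2003-07-25T09:14:05 10.0.0.11 7031
2003-07-25T09:14:44 10.0.0.12 7031
2003-07-26T12:00:00 10.0.0.11 6005
2003-07-26T22:04:01 10.0.0.12 7031
"""

def parse(text):
    for line in text.splitlines():
        ts, *rest = line.split()
        yield (datetime.fromisoformat(ts), *rest)

def correlate(conns, events, window=timedelta(seconds=30)):
    """Map each Event ID 7031 (time, host) to the sources that reached
    that host on TCP/135 within `window` (assumed value) before the failure."""
    rpc = [(t, src, dst) for t, src, dst, port in parse(conns) if port == "135"]
    hits = {}
    for t_ev, host, event_id in parse(events):
        if event_id != "7031":
            continue
        hits[(t_ev.isoformat(), host)] = sorted(
            {src for t, src, dst in rpc
             if dst == host and timedelta(0) <= t_ev - t <= window})
    return hits

def repeat_sources(hits, min_hosts=2):
    """Sources tied to failures on at least `min_hosts` different machines."""
    seen = defaultdict(set)
    for (_, host), sources in hits.items():
        for src in sources:
            seen[src].add(host)
    return sorted(s for s, hosts in seen.items() if len(hosts) >= min_hosts)

if __name__ == "__main__":
    hits = correlate(CONNS, EVENTS)
    print(hits, repeat_sources(hits))
```

Both logs must share a time base (same zone, synchronized clocks) for the window comparison to mean anything.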