bsdjunkie
August 11th, 2003, 21:13
Aug 11 19:57:01.874102 rule 0/0(match): block in on fxp0: 68.52.37.142.3426 > 68.53.92.xxx.135: S 1299919011:1299919011(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:57:02.674615 rule 0/0(match): block in on fxp0: 68.53.98.174.4155 > 68.53.92.xxx.135: S 3139873557:3139873557(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:03.722571 rule 0/0(match): block in on fxp0: 68.53.7.188.1116 > 68.53.92.xxx.135: S 3262035504:3262035504(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:57:05.062650 rule 0/0(match): block in on fxp0: 68.53.5.226.1175 > 68.53.92.xxx.135: S 1696369393:1696369393(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:08.418757 rule 0/0(match): block in on fxp0: 68.53.66.113.1712 > 68.53.92.xxx.135: S 2091441069:2091441069(0) win 60352 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:13.742312 rule 0/0(match): block in on fxp0: 68.52.163.224.4442 > 68.53.92.xxx.135: S 267627870:267627870(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:14.909797 rule 0/0(match): block in on fxp0: 68.52.223.69.2912 > 68.53.92.xxx.135: S 1144200691:1144200691(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:58:02.864508 rule 0/0(match): block in on fxp0: 68.52.54.187.2017 > 68.53.92.xxx.135: S 2185633352:2185633352(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:58:18.231718 rule 0/0(match): block in on fxp0: 68.53.99.191.2512 > 68.53.92.xxx.135: S 3558415532:3558415532(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:58:27.627044 rule 0/0(match): block in on fxp0: 68.53.104.94.1434 > 68.53.92.xxx.135: S 1407060099:1407060099(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:59:55.046381 rule 0/0(match): block in on fxp0: 218.15.192.64.30099 > 68.53.92.xxx.135: udp 371 (DF) [tos 0x80]
Aug 11 20:03:12.678476 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 20:03:15.684075 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 20:03:21.700400 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]

:roll:
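
The lines above carry more than an eye-roll's worth of signal. As an added example (not code from the thread, from pf or from any poster), the Python below parses pflog output in exactly that tcpdump-style format and turns it into the three numbers worth logging when a worm lands: how many distinct sources hit a port in any 60-second window, how many of them sit in the target's own /16 (the masked `68.53.92.xxx` still yields that), and which sources retransmit the same SYN with the same ISN, which a real infected host does and a spoofed one-shot probe does not. The sample input is constructed from the fourteen lines quoted in the post; the alert threshold of five sources per minute is an assumption for illustration.

```python
"""Worm-scan triage over OpenBSD pflog lines.

Added example, not the thread's own code.  SAMPLE_LOG is constructed from the
lines quoted in the post; the threshold and window in triage() are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed from the pflog lines quoted in the thread (target's last octet masked).
SAMPLE_LOG = """\
Aug 11 19:57:01.874102 rule 0/0(match): block in on fxp0: 68.52.37.142.3426 > 68.53.92.xxx.135: S 1299919011:1299919011(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:57:02.674615 rule 0/0(match): block in on fxp0: 68.53.98.174.4155 > 68.53.92.xxx.135: S 3139873557:3139873557(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:03.722571 rule 0/0(match): block in on fxp0: 68.53.7.188.1116 > 68.53.92.xxx.135: S 3262035504:3262035504(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:57:05.062650 rule 0/0(match): block in on fxp0: 68.53.5.226.1175 > 68.53.92.xxx.135: S 1696369393:1696369393(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:08.418757 rule 0/0(match): block in on fxp0: 68.53.66.113.1712 > 68.53.92.xxx.135: S 2091441069:2091441069(0) win 60352 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:13.742312 rule 0/0(match): block in on fxp0: 68.52.163.224.4442 > 68.53.92.xxx.135: S 267627870:267627870(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:14.909797 rule 0/0(match): block in on fxp0: 68.52.223.69.2912 > 68.53.92.xxx.135: S 1144200691:1144200691(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:58:02.864508 rule 0/0(match): block in on fxp0: 68.52.54.187.2017 > 68.53.92.xxx.135: S 2185633352:2185633352(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:58:18.231718 rule 0/0(match): block in on fxp0: 68.53.99.191.2512 > 68.53.92.xxx.135: S 3558415532:3558415532(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:58:27.627044 rule 0/0(match): block in on fxp0: 68.53.104.94.1434 > 68.53.92.xxx.135: S 1407060099:1407060099(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:59:55.046381 rule 0/0(match): block in on fxp0: 218.15.192.64.30099 > 68.53.92.xxx.135: udp 371 (DF) [tos 0x80]
Aug 11 20:03:12.678476 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 20:03:15.684075 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 20:03:21.700400 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
"""

# "Mon DD HH:MM:SS.usec rule N/M(match): block in on IF: SRC.SPORT > DST.DPORT: rest"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)
TCP_RE = re.compile(r"^(?P<flags>[A-Z.]+) (?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+)")  # flags seq:ack(len) win
UDP_RE = re.compile(r"^udp (?P<length>\d+)")


def parse_pflog(text):
    """Turn pflog/tcpdump lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S.%f")  # year-less syslog stamp
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        rest = ev.pop("rest")
        t, u = TCP_RE.match(rest), UDP_RE.match(rest)
        if t:
            ev.update(proto="tcp", flags=t["flags"], seq=int(t["seq"]), win=int(t["win"]))
        elif u:
            ev.update(proto="udp", length=int(u["length"]))
        else:
            ev["proto"] = "other"
        events.append(ev)
    return events


def sources_per_port(events, proto="tcp"):
    """Distinct source addresses seen per destination port for one protocol."""
    hits = defaultdict(set)
    for ev in events:
        if ev["proto"] == proto:
            hits[ev["dport"]].add(ev["src"])
    return {port: sorted(srcs) for port, srcs in hits.items()}


def find_retransmits(events):
    """SYNs repeated with the same source port and ISN are a real host retrying a
    blocked connect (in the sample: three tries about 3 s and 6 s apart), not a
    spoofed probe.  Returns {(src, sport, dst, dport, seq): [timestamps]}."""
    seen = defaultdict(list)
    for ev in events:
        if ev["proto"] == "tcp" and ev["flags"] == "S":
            seen[(ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["seq"])].append(ev["ts"])
    return {key: stamps for key, stamps in seen.items() if len(stamps) > 1}


def max_sources_in_window(events, dport, window_s=60):
    """Largest number of distinct sources that hit dport within any window_s span."""
    hits = sorted((ev["ts"], ev["src"]) for ev in events
                  if ev["proto"] == "tcp" and ev["dport"] == dport)
    best = 0
    for i, (start, _) in enumerate(hits):
        end = start + timedelta(seconds=window_s)
        best = max(best, len({src for ts, src in hits[i:] if ts <= end}))
    return best


def same_slash16(events, dport=135):
    """(sources sharing the target's first two octets, all sources) for dport."""
    srcs = sources_per_port(events).get(dport, [])
    prefixes = {".".join(ev["dst"].split(".")[:2]) for ev in events if ev["dport"] == dport}
    same = sum(1 for s in srcs if ".".join(s.split(".")[:2]) in prefixes)
    return same, len(srcs)


def triage(text, dport=135, threshold=5):
    """Verdict plus the numbers behind it; threshold (sources per minute) is an assumption."""
    events = parse_pflog(text)
    burst = max_sources_in_window(events, dport)
    same, total = same_slash16(events, dport)
    verdict = "worm-style scan" if burst >= threshold else "background noise"
    return {"verdict": verdict, "sources": total, "burst_60s": burst,
            "same_slash16": same, "retransmitting_hosts": len(find_retransmits(events))}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted lines it reports 11 distinct sources against tcp/135 in about six minutes, seven of them inside the first minute and seven of the eleven in the target's own /16, plus one host (68.53.77.59) retrying the identical SYN three times. The 371-byte UDP datagram to port 135 from 218.15.192.64 is parsed as UDP and kept out of the SYN counts; it is not part of the same pattern and deserves its own rule.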

v902
August 11th, 2003, 21:31
Heh, funny stuff, I'll have to keep an eye out for the number of scans...

soup4you2
August 11th, 2003, 22:03
It began around last Thursday for me...

It's amazing how many people are still vulnerable...

I was sitting on a channel and some people asked me to portscan them, so I did... and what do you know, all 4 of the people I scanned were vulnerable and already had Sub7 on there... :)

bsdjunkie
August 11th, 2003, 23:10
After the "Billy" worm was released today, I started getting all this crap... :wink:

Kernel_Killer
August 12th, 2003, 00:51
Just started today on me. Gotta love that RPC vuln though.

cod3fr3ak
August 15th, 2003, 11:11
Same here. It started on Sunday night for me. I almost set my router to deny everything. But I figured this would be a perfect stress test for it.

tarballed
August 15th, 2003, 12:36
That worm really lit up my firewall on Monday and Thursday of this week. I got a heads-up about it last week, so I just said screw it and started blocking those ports right at the firewall level....

Sure did make my logs grow...
BTW, just out of curiosity, for the people who blocked this at the firewall level: what ports did you start blocking? I added about 6 different ports and was just curious to see if people added just one or several.

T.

bsdjunkie
August 15th, 2003, 18:01
You should have had all the ports blocked by default =)

Anyways, 135-139, 445, 69, 4444, and whatever port runs HTTP over DCOM...

soup4you2
August 15th, 2003, 19:03
Set up portsentry on that port and laugh your ass off...

cod3fr3ak
August 15th, 2003, 19:36
Yep, bsdjunkie. I had that stuff closed already. I figure if I need access to my net from outside I'll set up a VPN. It was weird, though, seeing all those scans flying across my 'wall.

Kernel_Killer
August 18th, 2003, 01:20
It only tried to get in on 135 for me. Gotta love watching the router logs denying every single attempt. This is what really stumped me: people were talking about businesses going down because of it, but really, 135-139 and 445 should be blocked by default, or at least out of habit. Same goes for egress traffic from the network. Don't need any stray broadcasts going outside.
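
A pf.conf that does what bsdjunkie's port list and this post describe, as an added example (it is not from any poster in the thread): default deny in both directions, the listed ports blocked on the way out as well as in, and one explicit hole for admin access. fxp0 is the external interface that appears in the logged lines; the internal interface xl0, the LAN range 192.168.1.0/24 and the admin host 203.0.113.10 are assumptions. TCP 593 is the RPC-over-HTTP endpoint mapper, the "HTTP over DCOM" port the earlier post left unnamed. The syntax is the OpenBSD 3.3-era pf the thread would have been running; nat rules for the LAN are left out.

```pf
# pf.conf, added example (not from the thread). fxp0 is the external interface
# seen in the logged lines; xl0, the LAN range and the admin host are assumptions.
ext_if = "fxp0"
int_if = "xl0"
lan    = "192.168.1.0/24"
admin  = "203.0.113.10"

# The ports named in the thread: RPC endpoint mapper and NetBIOS (135-139),
# SMB (445), RPC over HTTP (593, the "HTTP over DCOM" port), TFTP (69) and
# the worm's shell port (4444).
ms_ports   = "{ 135:139, 445, 593 }"
worm_ports = "{ 69, 4444 }"

scrub in all

# Default deny in both directions, logged. As the first rule this is the
# "rule 0" that pflog reports for every dropped SYN in the lines posted above.
block log all

pass quick on lo0 all

# Egress: an infected LAN host must not be able to scan out on 135-139/445/593
# or reach a victim's tftp/4444, and NetBIOS chatter stays inside. quick makes
# these win over the later pass out rules.
block out log quick on $ext_if inet proto { tcp, udp } from $lan to any port $ms_ports
block out log quick on $ext_if inet proto { tcp, udp } from $lan to any port $worm_ports

# LAN to firewall and onward, stateful so replies return without pass in rules.
# (nat for $lan omitted)
pass in  on $int_if inet from $lan to any keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } all keep state

# The only inbound hole: ssh from one admin host. Everything else, 135 included,
# falls through to "block log all" and shows up in pflog exactly as above.
pass in on $ext_if inet proto tcp from $admin to $ext_if port 22 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` shows the blocked SYNs as they arrive.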

v902
August 18th, 2003, 01:22
Yeah, I was reading some reports of Win98 boxes with .NET being vulnerable to the RPC DCOM vuln (not the worm, since it wasn't built for it). Anyone heard this?

cod3fr3ak
August 18th, 2003, 19:40
What I find very weird is that several large companies in my area (Va.) got knocked completely offline: Long and Foster realtors, the Va. DMV, and a local college admissions office. You would think that these organizations require heavy data integrity, and hence would have adequate protection. I guess not.

Kernel_Killer
August 19th, 2003, 19:44
Yep. The dcom.c exploit was somewhat of a pastime of mine for a bit.

v902
August 19th, 2003, 20:21
:shock:

soup4you2
August 20th, 2003, 09:01
Yep. The dcom.c exploit was somewhat of a pastime of mine for a bit.

I played with it myself... on my local box, of course...

It's awfully nice of Microsoft to release the vulnerability scanner that allows you to scan entire subnets for vulnerable systems...

elmore
August 20th, 2003, 10:43
Yep. The dcom.c exploit was somewhat of a pastime of mine for a bit.

Well, I guess we don't call you Kernel Killer for nothing then, do we :!: :twisted:

Kernel_Killer
August 21st, 2003, 00:09
Well, I guess we don't call you Kernel Killer for nothing then, do we

Guess not. :D

Seems that the meaning has changed over the past year. :twisted: