Some more information for the community regarding the Windows DNS RPC vulnerability that we have been reporting on http://isc.sans.org/diary.html?storyid=2627. We have knowledge of a successful attack that occurred on April 4, 2007. This appears to be an opportunistic attack (instead of a targeted attack).
So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Wik2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack.
At this point, there seems to be a very small number of known compromises. We are interested if other sites have seen it? Has your IDS been alerting on shellcode for DCOM signatures and the port is above 1024? Have you seen portscans above 1024? Has your DNS.exe service died recently? (Apparently the service does not restart by itself.) If so, then let us know. And as always, if you have any packet captures of this activity please send them in.
Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://msinfluentials.com/blogs/jesper/archive/2007/04/13/turn-off-rpc-management-of-dns-on-all-dcs.aspx
Apr 13th 2007
1 decade ago