Port 10 Traffic
We do see a steep increase in the number of hosts probed on port 10. While only a few sources participate, the number of hosts probed is very large.
At this point, we do not know what these probes try to accomplish.
139 and 1433
ISS raised its AlertCON to '2' (from 1) due to reports of an increase in port 139 and 1433 scans. We do not see a significant global increase. In our opinion, a scan for weak MSSQL passwords combined with a file-sharing component (e.g. something like 'SQLSnake') could be a possible reason.
DCE RPC Vectors
Core Security Technologies published a paper outlining various ways to exploit DCE RPC DCOM via different vectors. This paper is another reminder that just blocking port 135 is not enough to protect your systems. Patching is the only real solution, and firewall rules should be applied to all unsolicited inbound traffic if possible.
Port 53 update
Earlier this week, LURHQ posted an analysis of a particular Trojan which uses malformed 'DNS' queries to communicate:
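As an added example (not from the LURHQ analysis or from this diary), the following validator checks UDP/53 payloads against the RFC 1035 query wire format and reports why a packet fails, which is the kind of check behind a "malformed DNS" alert; the sample packets are constructed, not captured traffic.

```python
import struct
# Letters, digits, hyphen, plus underscore for SRV-style names (_ldap._tcp).
HOSTCHARS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")

def parse_dns_query(payload: bytes) -> dict:
    """Parse an RFC 1035 query; raise ValueError on any structural defect."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: a response, not a query")
    if qdcount != 1:
        raise ValueError(f"unusual QDCOUNT {qdcount} for a query")
    labels, pos = [], 12
    while True:  # QNAME is a run of <length><label> ended by a zero byte
        if pos >= len(payload):
            raise ValueError("QNAME runs past end of message")
        length, pos = payload[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):  # also catches >63
            raise ValueError("bad label length or compression pointer in query")
        label = payload[pos:pos + length]
        if any(b not in HOSTCHARS for b in label):
            raise ValueError(f"non-hostname bytes in label {label!r}")
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:
        raise ValueError(f"QCLASS {qclass} is not IN")
    if len(payload) > pos + 4:  # extra bytes: a classic place to hide data
        raise ValueError(f"{len(payload) - pos - 4} trailing bytes after question")
    return {"id": txid, "qname": ".".join(labels), "qtype": qtype}

def classify(payloads):
    """Label each UDP/53 payload as ('ok', qname) or ('malformed', reason)."""
    out = []
    for p in payloads:
        try:
            out.append(("ok", parse_dns_query(p)["qname"]))
        except ValueError as e:
            out.append(("malformed", str(e)))
    return out

# Constructed samples: clean A query for example.com, same query with bytes
# appended, a query carrying a binary label, and non-DNS junk on port 53.
GOOD = bytes.fromhex("1a2b 0100 0001 0000 0000 0000 07 6578616d706c65 03 636f6d 00 0001 0001")
SAMPLES = [GOOD, GOOD + b"\x00\x01\x02\x03\xff",
           GOOD[:12] + b"\x04\xde\xad\xbe\xef\x03com\x00\x00\x01\x00\x01", b"\x01\x02\x03"]
```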
Dec 14th 2003