15-04-07

BLOCK RPC PORTS on WINDOWS DNS SERVERS

Following the report of the Internet Storm Center, successful attacks are taking place against DNS servers running on Windows. The attackers appear to use port 1024, which you don't need for DNS anyway, so you can close it down.


Source of the attack: 61.63.227.125, which runs a TCP port scan against ports 1024-2048.

Then a TCP connection is made to the TCP port running the vulnerable RPC service. The shellcode binds to TCP port 1100. The attacker uploads a VBScript over this port and then runs it. The VBScript downloads an executable, DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e), from 203.66.151.92/images/. The executable is self-extracting and contains PWDUMP v5 and an associated DLL.

For bigger hosters or ISPs that want to automate this operation, more information is here.


This attack method is developing steadily. Automated exploit code is now available on the web.


Those who control the DNS servers control all the traffic that goes through them. Your DNS servers are the brains of your network. If they are in the hands of gangs, they will use them as they see fit. And because it is a DNS server (and port 53 traffic is always allowed), they would be able to do anything. With a little bit of DNS tunneling from a trusted source...... Do I really have to spell it out?


We'll keep you posted.

01:06 Posted by technology changes fast not a lot in General | Permalink | Comments (0)
