tcp/135 and ICMP Continue to Decline; Solaris 8 Hacks

Published: 2004-01-04
Last Updated: 2004-01-05 03:54:58 UTC
by Marcus Sachs (Version: 1)
tcp/135 and ICMP Traffic Continues to Decline. The decline in reported activity on tcp/135 (http://isc.sans.org/port_details.html?port=135) and ICMP (http://isc.sans.org/port_details.html?port=0) continues. This is due to the Nachi and Blaster worms expiring on January 1st. Many of our submitters are reporting that with the decrease in this activity they are able to see other attacks with a bit more clarity.

Solaris 8 Hacks. We've received a few reports of significant intrusions into networks of patched Solaris 8 machines. Initial analysis indicates what appears to be a multi-vector attack, using finger, rpcbind, and ftp. In one network, the systems that were broken into had neither TCP Wrappers installed nor the rpcbind from Wietse Venema and Casper Dik that has TCP Wrappers support. However, Solaris 8 systems in the same machine room that are behind on patches but have TCP Wrappers installed were not broken into. If there have been other cases of similar intrusions in the past few days, the Storm Center would like to hear about them.
Marcus H. Sachs

The SANS Institute

Handler on Duty

http://isc.sans.org/contact.html
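
As an added example (not part of the original diary), the script below audits an inetd.conf for services that are not launched through the TCP Wrappers daemon tcpd, which is the difference the Solaris 8 report above draws between the hosts that were broken into and those that were not. The sample entries and the /usr/local/bin/tcpd path are constructed assumptions; rpcbind runs as a standalone daemon rather than from inetd, so it is outside this check.

```shell
#!/bin/sh
# Added example: list inetd.conf services that bypass TCP Wrappers.
# inetd.conf fields:
#   service  socket-type  protocol  wait-status  user  server-program  args...

# unwrapped_services [FILE]
# Reads FILE (or stdin) and prints the service name of every active entry
# whose server program is not tcpd. Built-in "internal" services are
# skipped because inetd serves them itself and tcpd cannot front them.
unwrapped_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }      # comments, blank or short lines
        $6 == "internal"     { next }      # handled inside inetd
        {
            n = split($6, parts, "/")      # basename of the server program
            if (parts[n] != "tcpd") print $1
        }
    ' "$@"
}

# Constructed sample input; the tcpd install path is an assumption.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
finger  stream  tcp6    nowait  nobody  /usr/local/bin/tcpd     in.fingerd
telnet  stream  tcp6    nowait  root    /usr/local/bin/tcpd     in.telnetd
time    stream  tcp6    nowait  root    internal
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
EOF
}

# Stand-alone run against the sample: reports ftp as unwrapped.
sample_inetd_conf | unwrapped_services
```

On a real host, pass the path of the configuration file as the argument, for example `unwrapped_services /etc/inetd.conf`.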