The Worm is attacking!


Guest zerodamage

My firewall has recorded 5 pages of blocks in less than one minute. Port 135 is being hammered by this new worm. Anyone else seeing this on their router? I will post logs shortly, maybe you other geeks out there can do the same and we can see which major websites did NOT patch their system. Be fun.

 

(BTW, this is the same port used to get Windows Messenger service spam, so if you are getting this.. you may already be infected)

 

http://www.foxnews.com/story/0,2933,94439,00.html

 

http://news.com.com/2100-1002-5062364.html?tag=nl

 

http://news.com.com/2100-1002-5062477.html?tag=nl


This is the KB article regarding the vulnerability this worm uses to infect a system. I advise installing it immediately. Yale University stated that 1000-1500 systems were detected to have been compromised on Monday by another virus/worm that uses the same vulnerability.

 

Microsoft Security Bulletin MS03-026

Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

http://www.microsoft.com/technet/treeview/...in/MS03-026.asp


Guest zerodamage
(edited)

Here are the logs I have so far. Notice how most of them are 24.48.x.y to 24.50.x.y

 

This is the subnet for Adelphia cable.

Time------------------------Message-----------------Source----------------------Destination-----------Note
Aug/12/2003 01:29:13 Drop TCP packet from WAN 24.49.105.4:4926 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:29:10 Drop TCP packet from WAN 24.49.105.4:4926 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:28:38 Drop TCP packet from WAN 24.48.202.184:2124 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:28:14 Drop TCP packet from WAN 24.49.206.245:3748 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:28:11 Drop TCP packet from WAN 24.49.206.245:3748 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:27:45 Drop TCP packet from WAN 24.50.43.133:2539 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:26:47 Drop TCP packet from WAN 24.49.159.128:1685 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:26:44 Drop TCP packet from WAN 24.49.159.128:1685 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:54 Drop TCP packet from WAN 24.50.39.6:4172 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:51 Drop TCP packet from WAN 24.50.39.6:4172 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:50 Drop TCP packet from WAN 24.48.157.144:3791 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:47 Drop TCP packet from WAN 24.48.157.144:3791 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:39 Drop TCP packet from WAN 24.49.225.134:1630 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:39 Drop TCP packet from WAN 24.50.35.160:1454 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:37 Drop TCP packet from WAN 24.49.225.134:1630 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:33 Drop TCP packet from WAN 24.50.35.160:1454 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:23:30 Drop TCP packet from WAN 24.50.35.160:1454 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:22:21 Drop TCP packet from WAN 24.48.248.170:3048 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:10:55 Drop TCP packet from WAN 66.14.161.74:4407 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:10:49 Drop TCP packet from WAN 66.14.161.74:4407 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:10:46 Drop TCP packet from WAN 66.14.161.74:4407 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:07:55 Drop TCP packet from WAN 24.50.43.133:2821 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:07:50 Drop TCP packet from WAN 24.50.43.133:2821 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:07:47 Drop TCP packet from WAN 24.50.43.133:2821 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:04:58 Drop TCP packet from WAN 24.49.97.157:4985 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:04:56 Drop TCP packet from WAN 24.49.97.157:4985 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:01:22 Drop TCP packet from WAN 24.49.186.210:4722 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:01:20 Drop TCP packet from WAN 24.49.66.166:4044 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:01:19 Drop TCP packet from WAN 24.49.186.210:4722 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:01:17 Drop TCP packet from WAN 24.49.66.166:4044 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:01:12 Drop TCP packet from WAN 24.48.252.65:4011 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:01:08 Drop TCP packet from WAN 24.49.96.113:2614 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:01:00 Drop TCP packet from WAN 24.48.218.75:4279 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:58:36 Drop TCP packet from WAN 24.50.39.6:3596 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:58:33 Drop TCP packet from WAN 24.50.39.6:3596 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:55:31 Drop TCP packet from WAN 24.49.158.131:4318 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:55:28 Drop TCP packet from WAN 24.49.158.131:4318 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:55:08 Drop TCP packet from WAN 24.50.35.160:4623 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:55:06 Drop TCP packet from WAN 24.50.35.160:4623 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:54:05 Drop TCP packet from WAN 81.50.193.222:2476 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:51:20 Drop UDP packet from WAN 218.15.192.64:30099 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:48:55 Drop TCP packet from WAN 24.50.49.62:3685 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:42:46 Drop TCP packet from WAN 24.50.40.239:3075 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:42:44 Drop TCP packet from WAN 24.50.40.239:3075 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:35:06 Drop TCP packet from WAN 65.219.150.61:3972 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:35:06 Drop TCP packet from WAN 65.219.150.61:3972 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:31:44 Drop TCP packet from WAN 24.48.224.166:1477 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:31:41 Drop TCP packet from WAN 24.48.224.166:1477 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:28:24 Drop TCP packet from WAN 24.50.40.163:3054 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:28:21 Drop TCP packet from WAN 24.50.40.163:3054 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:24:11 Drop TCP packet from WAN 24.49.174.27:1386 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:24:08 Drop TCP packet from WAN 24.49.174.27:1386 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:24:01 Drop TCP packet from WAN 24.49.28.9:4488 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:24:01 Drop TCP packet from WAN 24.49.28.9:4488 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:58 Drop TCP packet from WAN 24.49.28.9:4488 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:56 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:56 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:55 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:55 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:55 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:54 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:54 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:53 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:53 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:23:52 Drop TCP packet from WAN 204.1.226.228:60181 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:14:53 Drop TCP packet from WAN 24.50.43.133:3639 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:14:50 Drop TCP packet from WAN 24.50.43.133:3639 192.168.1.103:135 Rule: Default deny

Edited by zerodamage

redeyez
(edited)

I just installed a new a few days ago and was too lazy to install a firewall (I'm on 56k, like I needed it)

 

Connected to the net after work and in 3 MINS! my system crashed...

 

It would run fine, but when I went on the net it would crash again. After 2 hours of this crap, and after a failed attempt to restore WinXP, I decided to snoop around.

 

Found 1 program created at 12:40am (same time as the event log stats error) called msblast.exe... deleted it... rebooted... it came back. So I ended the process via C-A-D, and my inet seemed fine... then it crashed again in about 10 mins. So I installed ZoneAlarm Pro 4... deleted all programs created from 12:30am - 12:45 (amazing how much crap there was). Edited my startup to stop loading this mysterious msblast.exe. Rebooted, connected... perfect... then I get about 20 attacks to TCP 135... guess I was lucky and caught it in time.

 

My advice: this exploit sucks bad... get the MS update posted above, and get a good firewall.

 

EDIT: maybe you should stick this thread.

Edited by redeyez

Guest zerodamage

Notice what Red said.... HE IS ON DIALUP. No one is safe from this. Get a freakin firewall.


Guest zerodamage

BTW, 200 more port 135 hits in the past 1-1/2 hours.


Guest zerodamage

Over 3000 probes to 135 in 8 hours. I just woke up.


Guest zerodamage

Now rev.... go get a firewall. I am using D-Link's 40 dollar deal at Best Buy. Works great.


I use D-Link's $40 janx, but I'm not at my comp now, I'm on dial up at home... So Zdamage, the IP addresses that are trying to come in on port 135 are from who? Adelphia cable's machines? Or is this worm on all the users from Adelphia and their machines are the ones attacking yours? I'm confused here, I'm a comp sci major (networking concentration). How could so many different IPs be attacking your machine? (Unless the whole network you get your internet from is infected, then I could see.) I'm curious about this worm and how it really works. That would be cool if the program spammed you from the same machine, but the program just changed the source IP in the packet header to an arbitrary one every time.

 

This is kind of interesting, because I'm on dial up here at my dad's, and just a few days ago, his machine that connects to the net kept getting remote commands that would stop a critical program and make his machine shut down. I turned on the firewall in XP and problem solved..


That would be cool if the program spammed you from the same machine, but the program just changed the source IP in the packet header to an arbitrary one every time.

Actually, it is better if there were many machines spamming one computer. Then the work would be more distributed, the impact would be more severe and less noticeable on the zombie machines (the attackers), and it would be more difficult to trace back to the hacker.


Guest zerodamage
(edited)

nofx, typically worms and whatnot like this usually probe those in the immediate subnet first. You know... my IP starts with 24.50 so those in that area will be the first probed.

 

As for you having that problem the other day.... if you did not clean your system of the virus... it is still there. I would run that cleaning tool.

 

Oh, and yes, many on my cable network have the virus. That is why the IPs are all similar. They are all Adelphia users.

Edited by zerodamage

Speaking of D-Link routers... I'm trying to make sure the firewall is working on mine, but I'm a noob when it comes to actually tinkering with this stuff. As you can see in the pic here I've clicked enable but it won't let me do it. Not really sure what I'm supposed to enter in those IP thingys.

[image: firewall2342.jpg]


Guest zerodamage

Just use that link I provided in one of the threads (test your firewall) and you can see if it is blocking those ports. I think many ISPs are now blocking port 135 on their end. This dial up here is.

 

 

Slap, I think port 135 on yours is blocked by default; your setup is exactly the same as mine, so do this:

 

On the first option, put on Enable.
Put in the name, like "Block 135".
Put on Deny on the next one.
Under Source, put WAN and put a * in the first block on that line.
Then on Destination put on LAN and then your IP address. I noticed putting in the IP address assigned to you by the firewall works best. Then put in 135 on the first Port block. Do not put it on TCP only, put on BOTH. Then last put on ALWAYS and hit Apply. Then watch the denies on your log. You are probably already getting denies anyway. It is under the Status tab on top.


oops

Incoming Log Table

Source IP          Destination Port Number

64.156.39.12 1026
68.170.200.205 135
68.170.219.68 135
68.168.249.94 135
68.169.87.130 135
68.169.114.31 135
68.169.95.164 135
68.169.86.65 135
68.170.221.164 135
68.169.86.65 135
68.170.221.164 135
68.169.91.17 135
68.169.76.164 135
68.170.221.128 135
68.170.221.128 135
68.169.89.167 135
68.170.219.111 135
68.169.87.73 135
68.170.217.115 135
68.170.204.138 135
68.169.95.166 135
68.169.86.44 135
68.169.92.127 135
68.168.253.99 135
200.76.135.118 1434
68.170.219.153 135
68.170.219.107 135
68.170.204.104 135
218.156.158.8 3410
203.239.171.182 3410
68.170.199.134 135
68.169.97.49 135
68.170.220.4 135
68.170.219.173 135
68.170.202.52 135
68.170.220.87 135
218.145.222.217 3410
68.169.107.181 135
68.170.222.136 135
219.240.20.82 3410
220.83.198.27 3410
211.104.85.17 3410
68.170.219.153 135
66.28.236.117 1434
68.170.219.136 135
68.169.94.76 135
68.170.193.156 135
68.169.94.76 135
68.170.193.229 135
68.170.201.10 135
68.170.193.229 135
68.170.193.156 135
68.170.201.10 135
68.169.100.99 135
68.169.80.173 135
68.170.210.157 135
68.170.219.173 135
12.222.68.97 27374
202.108.249.21 1434
68.170.199.175 135
68.169.97.33 135
68.170.210.20 135
64.27.19.26 1080
64.156.39.12 1026
68.169.80.11 135
68.169.86.65 135
68.169.110.109 135
68.169.86.65 135
68.169.85.156 135
68.170.192.182 135

How come ZoneAlarm is not stopping these requests?

My machine is not having any problems; it's been on and off all day long.

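The two logs posted in this thread (zerodamage's D-Link "Drop ... packet" lines and the "Incoming Log Table" just above) show the same thing from two routers: many different source addresses, most of them inside the poster's own provider block, all hitting port 135, with each source retrying two or three times a few seconds apart. The following script is an added example, not code from anyone in this thread: it parses both log formats, collapses the TCP retransmits so repeated lines are counted as one connection attempt, and checks the two facts zerodamage points out, that the hits cluster on one port and that the sources cluster in the neighbouring subnet. The sample lines are copied from the logs above; the block 24.48.0.0/14 is an assumption standing in for the 24.48 to 24.50 ranges zerodamage attributes to Adelphia, and the 10-second retransmit window and the three-source threshold are arbitrary choices for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Sample input, copied from the two logs posted in this thread (a handful of
# lines from each is enough to exercise both formats).
DLINK_LOG = """\
Aug/12/2003 01:29:13 Drop TCP packet from WAN 24.49.105.4:4926 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:29:10 Drop TCP packet from WAN 24.49.105.4:4926 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:28:38 Drop TCP packet from WAN 24.48.202.184:2124 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:10:55 Drop TCP packet from WAN 66.14.161.74:4407 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:10:49 Drop TCP packet from WAN 66.14.161.74:4407 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:51:20 Drop UDP packet from WAN 218.15.192.64:30099 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:28:24 Drop TCP packet from WAN 24.50.40.163:3054 192.168.1.103:135 Rule: Default deny
"""

TABLE_LOG = """\
64.156.39.12 1026
68.170.200.205 135
68.170.219.68 135
200.76.135.118 1434
68.170.200.205 135
"""

# D-Link "Drop <proto> packet" lines from the first log.
DLINK_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Drop (?P<proto>TCP|UDP) packet from WAN "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) Rule: (?P<rule>.+)$"
)
# "source-ip destination-port" rows from the Incoming Log Table.
TABLE_RE = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)$")


def parse_events(text):
    """Parse either log format into a list of dicts; lines that match neither
    (headers, blanks) are skipped. Table rows carry no timestamp or source port."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = DLINK_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%b/%d/%Y %H:%M:%S"),
                "proto": m["proto"],
                "src": m["src"],
                "sport": int(m["sport"]),
                "dport": int(m["dport"]),
                "rule": m["rule"],
            })
            continue
        m = TABLE_RE.match(line)
        if m:
            events.append({"ts": None, "proto": None, "src": m["src"],
                           "sport": None, "dport": int(m["dport"]), "rule": None})
    return events


def summarise(events, home_net):
    """Hits per destination port, number of distinct sources, and how many of
    those sources sit inside home_net (the block the poster's own ISP uses)."""
    home = ip_network(home_net)
    sources = {e["src"] for e in events}
    return {
        "per_port": Counter(e["dport"] for e in events),
        "distinct_sources": len(sources),
        "sources_in_home_net": sum(1 for s in sources if ip_address(s) in home),
    }


def connection_attempts(events, window_s=10):
    """Collapse TCP retransmits: the same src:sport -> dport seen again within
    window_s seconds is the client retrying one SYN, not a fresh probe. Only
    timestamped events can be judged, so table rows are ignored here."""
    attempts = 0
    last_seen = {}
    for e in sorted((e for e in events if e["ts"]), key=lambda e: e["ts"]):
        key = (e["src"], e["sport"], e["dport"])
        prev = last_seen.get(key)
        if prev is None or (e["ts"] - prev).total_seconds() > window_s:
            attempts += 1
        last_seen[key] = e["ts"]
    return attempts


def looks_like_worm_scan(events, port=135, min_sources=3):
    """Many unrelated sources all probing the same port is what a self-propagating
    worm looks like from the outside; one source probing many ports is not."""
    return len({e["src"] for e in events if e["dport"] == port}) >= min_sources


if __name__ == "__main__":
    evts = parse_events(DLINK_LOG + TABLE_LOG)
    # 24.48.0.0/14 is assumed here as a stand-in for the 24.48-24.50 ranges the
    # poster attributes to Adelphia; substitute your own provider's block.
    report = summarise(evts, "24.48.0.0/14")
    print("hits per port:", dict(report["per_port"]))
    print("distinct sources:", report["distinct_sources"],
          "of which in home net:", report["sources_in_home_net"])
    print("connection attempts (retransmits collapsed):", connection_attempts(evts))
    print("port 135 worm-scan pattern:", looks_like_worm_scan(evts))
```

Run it as-is to see the counts for the sample, or replace the two sample strings with a full copy of your own router log. On the seven D-Link lines the retransmit collapse turns seven dropped packets into five connection attempts, which is the number that actually tells you how many infected hosts found you; the raw packet count the first post quotes ("5 pages of blocks") overstates it by roughly the TCP retry factor.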

Guest zerodamage

I am figuring those requests were blocked, but to make sure, go into your config and set ZoneAlarm to block all requests for port 135 (this also stops Windows Messenger spam).


Your router should block EVERY port attempting to access your network by default. You should not have to do anything. With my router the only thing I can do is open ports and block requests from inside out.


Guest zerodamage

Your router should block EVERY port attempting to access your network by default. You should not have to do anything. With my router the only thing I can do is open ports and block requests from inside out.

Typically that is the case, yes. Doesn't hurt to make the rule anyway.

 

what kind of router you got Gond?
