Last Updated: 2007-04-14 14:30:08 UTC
by Kyle Haugsness (Version: 2)
So it's likely that others have been compromised as well. If you have a vulnerable MS DNS server (Win2K SP4 or Win2003 SP1 or SP2) accessible to the Internet and don't have ports above 1024 blocked, then you may have already been targeted in an attack.
At this point, there seems to be a very small number of known compromises. We are interested in whether other sites have seen it. Has your IDS been alerting on shellcode for DCOM signatures where the port is above 1024? Have you seen portscans above 1024? Has your DNS.exe service died recently? (Apparently the service does not restart by itself.) If so, then let us know. And as always, if you have any packet captures of this activity, please send them in.
Update: If you have a large number of domain controllers and want to automate the disabling of RPC, check out this blog entry: http://msinfluentials.com/blogs/jesper/archive/2007/04/13/turn-off-rpc-management-of-dns-on-all-dcs.aspx
Update 2: We have two confirmed sources that were attacked on April 4th and 5th. Both were universities in the US. The initial report was from the Information Security Office at Carnegie Mellon University. Nice catch guys! The attacking source IP was the same in both cases: 126.96.36.199
Here are the attack details from the Carnegie Mellon folks. First, a TCP port scan to ports 1024-2048. Then a TCP connection to the right TCP port running the vulnerable RPC service. Shellcode binds to TCP port 1100. Attacker uploads a VBScript on this port and then runs it. The VBScript downloads an executable DUP.EXE (MD5: a5ae220fec052a1f2cd22b4eb89a442e) from 188.8.131.52/images/. The executable is self-extracting and contains PWDUMP v5 and an associated DLL.
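The sequence above (a sweep of TCP 1024-2048, an established connection to one of those ports, then a connection to the listener on TCP 1100 from the same source) can be matched against connection logs. The following Python is an added example, not code from the diary or from Carnegie Mellon; the log format, the threshold of 50 probed ports and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

SCAN_RANGE = range(1024, 2049)  # ports the diary says were swept
SHELL_PORT = 1100               # port the diary says the shellcode binds to
SCAN_THRESHOLD = 50             # assumed: distinct probed ports before we call it a sweep

# Assumed log format: "<epoch> <src> -> <dst>:<dport> <SYN|EST>" (SYN = unanswered probe, EST = established)
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (SYN|EST)$")


def parse(lines):
    """Yield (timestamp, src, dst, dport, state) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, state = m.groups()
            yield int(ts), src, dst, int(port), state


def detect_dns_rpc_chain(lines):
    """Return one alert per (src, dst) pair that completes sweep -> RPC connect -> port-1100 connect."""
    scanned = defaultdict(set)  # (src, dst) -> high ports probed
    rpc_hit = {}                # (src, dst) -> first high port with an established session after a sweep
    alerts = []
    for ts, src, dst, port, state in parse(lines):
        key = (src, dst)
        if state == "SYN" and port in SCAN_RANGE:
            scanned[key].add(port)
        elif state == "EST" and key in rpc_hit and port == SHELL_PORT:
            alerts.append({"src": src, "dst": dst, "rpc_port": rpc_hit[key], "bind_port": port, "time": ts})
        elif state == "EST" and port in SCAN_RANGE and len(scanned[key]) >= SCAN_THRESHOLD and key not in rpc_hit:
            rpc_hit[key] = port
    return alerts


def build_sample():
    """Constructed log: a full sweep, a hit on the RPC port, the 1100 connect, and one benign 1100 connect."""
    lines = [f"{1175700000 + i} 203.0.113.9 -> 192.0.2.10:{p} SYN" for i, p in enumerate(SCAN_RANGE)]
    lines.append("1175701100 203.0.113.9 -> 192.0.2.10:1032 EST")   # established session on the RPC port
    lines.append("1175701105 203.0.113.9 -> 192.0.2.10:1100 EST")   # connection to the shellcode listener
    lines.append("1175701200 198.51.100.7 -> 192.0.2.10:1100 EST")  # no preceding sweep: not alerted
    return lines


if __name__ == "__main__":
    for alert in detect_dns_rpc_chain(build_sample()):
        print(alert)
```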
Update 3: There is now a publicly available exploit for this vulnerability in Metasploit 3.