Aug 11 19:57:01.874102 rule 0/0(match): block in on fxp0: 68.52.37.142.3426 > 68.53.92.xxx.135: S 1299919011:1299919011(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:57:02.674615 rule 0/0(match): block in on fxp0: 68.53.98.174.4155 > 68.53.92.xxx.135: S 3139873557:3139873557(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:03.722571 rule 0/0(match): block in on fxp0: 68.53.7.188.1116 > 68.53.92.xxx.135: S 3262035504:3262035504(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:57:05.062650 rule 0/0(match): block in on fxp0: 68.53.5.226.1175 > 68.53.92.xxx.135: S 1696369393:1696369393(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:08.418757 rule 0/0(match): block in on fxp0: 68.53.66.113.1712 > 68.53.92.xxx.135: S 2091441069:2091441069(0) win 60352 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:13.742312 rule 0/0(match): block in on fxp0: 68.52.163.224.4442 > 68.53.92.xxx.135: S 267627870:267627870(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:57:14.909797 rule 0/0(match): block in on fxp0: 68.52.223.69.2912 > 68.53.92.xxx.135: S 1144200691:1144200691(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Aug 11 19:58:02.864508 rule 0/0(match): block in on fxp0: 68.52.54.187.2017 > 68.53.92.xxx.135: S 2185633352:2185633352(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:58:18.231718 rule 0/0(match): block in on fxp0: 68.53.99.191.2512 > 68.53.92.xxx.135: S 3558415532:3558415532(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:58:27.627044 rule 0/0(match): block in on fxp0: 68.53.104.94.1434 > 68.53.92.xxx.135: S 1407060099:1407060099(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 19:59:55.046381 rule 0/0(match): block in on fxp0: 218.15.192.64.30099 > 68.53.92.xxx.135: udp 371 (DF) [tos 0x80]
Aug 11 20:03:12.678476 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 20:03:15.684075 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]
Aug 11 20:03:21.700400 rule 0/0(match): block in on fxp0: 68.53.77.59.2739 > 68.53.92.xxx.135: S 3906073230:3906073230(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) [tos 0x80]



:roll:

Heh, funny stuff, I'll have to keep an eye out for the number of scans...

it begain around last thursday for me...

it's amazing how many people are sill vulnrable..

i was sitting on a channel and some people asked me to portscan them so i did... and what did you know all of the 4 people i scanned were vulnrable and had sub7 arlready on there... :)

After the "Billy" worm was released today, i started getting all this crap... :wink:

Just started today on me. Gotta love that RPC vul though.

Same here. It started on Sunday night for me. I almost set my router to deny everything. But I figured this would be a perfect stress test for it.

That worm really light up my firewall on Monday and Thursday of this week. I got a heads up about it last week, so I just said screw it and started blocking those parts right at the Firewall level....

Sure did make my logs grow...
BTW, just out of curiosity for the people who blocked this at the firewall level, what ports did you start blocking? I added about 6 different ports and was just curious to see if people added just one or several.

T.

You Should have had all the ports being blocked by default =)

anyways, 135-139, 445, 69, 4444, and whatever port runs http over dcom...

setup portsentry on that port and laugh you ass off..

Yep bsdjunkie. I had that stuff closed already. I figure if i need access to my net from outside I'll setup a vpn. It was weird tho. Seeing all those scan flying across my 'wall

It only tried to get in on 135 for me. Gotta love watching the router logs denying every single attempt. This is what really stumped me. People where talking about businesses going down because of it, but really, 135-139,445 should be blocked be default, or at least out of habit. Same goes for egress traffic from the network. Don't need any stray broadcasts going outside.

Yeah, I was reading some reports of win98 boxes with .NET vulnerable to the RPC DCOM vuln (not the worm since it wasn't built for it) anyone heard this?

What I find very weird is that several large compaines in my area (Va.) got knocked completely off line. Long and FOster realtors, Va. DMV, and a local college adminissions office. You would think that these organizations require heavy data intergrity - and hence would have adequate protection. I guess not.

Yep. The dcom.c exploit was somewhat of a past time of mine for a bit.

:shock:

Yep. The dcom.c exploit was somewhat of a past time of mine for a bit.

i played with it myself.. on my local box of course..

It's awfully nice of microsoft to release the vulnrability scanner that allows you to scan entire subnets for vulnrable systems...

Yep. The dcom.c exploit was somewhat of a past time of mine for a bit.

Well I guess we don;t call you kernel killer for nothing then do we :!: :twisted:

Well I guess we don;t call you kernel killer for nothing then do we

Guess not. :D

Seems that the meaning has changed over the past year. :twisted: