XML RPC Exploit Attack

Posted by Joseph Bittman MVP MCSD on December 20, 2005, 3:41 pm
December 20, 2005

I just got alerted by Trend Micro that the software detected an XML RPC
attack against the network. I haven't been able to find out what exactly
this type of attack consists of... could anyone please explain what
encompasses this attack (including software, ports, specific virus
'requirements' for succeeding, etc)? I just want to make sure the rest of my
network is secure from this type of attack as I use XML a lot. Thanks!

--

Joseph Bittman
Microsoft Certified Solution Developer
Microsoft Most Valuable Professional -- DPM

Blog/Web Site: http://71.39.42.23/





Posted by David H. Lipman on December 20, 2005, 3:52 pm

| December 20, 2005
|
| I just got alerted by Trend Micro that the software detected an XML RPC
| attack against the network. I haven't been able to find out what exactly
| this type of attack consists of... could anyone please explain what
| encompasses this attack (including software, ports, specific virus
| 'requirements' for succeeding, etc)? I just want to make sure the rest of my
| network is secure from this type of attack as I use XML a lot. Thanks!
|

Please post the exact contents of the report, excerpt of the log or other
message indicating
this event.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Joseph Bittman MVP MCSD on December 20, 2005, 4:05 pm
December 20, 2005

What is strange is it only said that it detected the attempt (under an
Emergency Alert), but when you click the link for more information about the
attack from Trend, it didn't pull up any known information. Therefore, I
really don't actually have more data about the attack... Any ideas?

--

Joseph Bittman
Microsoft Certified Solution Developer
Microsoft Most Valuable Professional -- DPM

Blog/Web Site: http://71.39.42.23/



>
> | December 20, 2005
> |
> | I just got alerted by Trend Micro that the software detected an XML RPC
> | attack against the network. I haven't been able to find out what exactly
> | this type of attack consists of... could anyone please explain what
> | encompasses this attack (including software, ports, specific virus
> | 'requirements' for succeeding, etc)? I just want to make sure the rest of my
> | network is secure from this type of attack as I use XML a lot. Thanks!
> |
>
> Please post the exact contents of the report, excerpt of the log or other
> message indicating
> this event.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>



Posted by David H. Lipman on December 20, 2005, 4:13 pm

| December 20, 2005
|
| What is strange is it only said that it detected the attempt (under an
| Emergency Alert), but when you click the link for more information about the
| attack from Trend, it didn't pull up any known information. Therefore, I
| really don't actually have more data about the attack... Any ideas?
|

The XML part makes it confusing. It could be some form of FireWall Heuristic
notification.

If you had pertinent information, I could contact my liaison at Trend Micro and
ask him. Without the exact text, it's just guesswork.

RPC is usually associated with TCP port 135 unless it is RPC over HTML when it
is TCP port 593.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Joseph Bittman MVP MCSD on December 20, 2005, 4:43 pm
December 20, 2005

Wow! The software is new to me and I didn't know it had other logs... I
have found the event logs where it shows more information. I'm getting hit
by the XML_RPC_Exploit description a LOT. It is coming in on port 80
(http -- this computer hosts a small personal web site which relies heavily
on XML stores)

Basically, there are blocks of 10-20 exploit attempts in 1 minute timespans,
and then it switches source IPs and tries again about 5 hours later... (it
also switches SourcePort every attempt -- so each block from an IP will have
about 10-20 different sourceports)

IPs:
82.159.46.137
217.129.49.18 -- Also attempted some AWSTATS_CONFIGDIR_EXPLOIT attempts
203.172.162.242
61.145.142.189
209.152.181.152 - Also attempted some AWSTATS_CONFIGDIR_EXPLOIT attempts
221.228.241.222

What do you think about this? It is blocking them every time, although I
hate for my web server to get hit with this type of useless waste of CPU
power (Yes, I'm worried too about DoS.).... Any ideas? -- Also, are these
IPs something which Trend Micro or someone else might be interested in for a
'Banned/Suspect IP address list'? Thanks for your help!

--

Joseph Bittman
Microsoft Certified Solution Developer
Microsoft Most Valuable Professional -- DPM

Blog/Web Site: http://71.39.42.23/



>
> | December 20, 2005
> |
> | What is strange is it only said that it detected the attempt (under an
> | Emergency Alert), but when you click the link for more information about the
> | attack from Trend, it didn't pull up any known information. Therefore, I
> | really don't actually have more data about the attack... Any ideas?
> |
>
> The XML part makes it confusing. It could be some form of FireWall
> Heuristic notification.
>
> If you had pertinent information, I could contact my liaison at Trend
> Micro and ask him.
> Without the exact text, it's just guesswork.
>
> RPC is usually associated with TCP port 135 unless it is RPC over HTML
> when it is TCP port 593.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>


