Sohu Digital (Sohu.com), Software channel: Virus & Security, Vulnerabilities & Patches

MS08-067 Vulnerability: A Quick Handling Guide for Network Administrators

  1. Threat overview

  The Server service in Windows operating systems contains a vulnerability in its handling of RPC requests. A remote attacker can trigger this overflow by sending a crafted RPC request, fully compromising the system, executing arbitrary instructions with SYSTEM privileges and obtaining data.

The vulnerability can be used by a worm, in the same way as the Blaster worm.

  2. Port policy

  Administrators can block TCP ports 139 and 445 on firewalls and routing devices to stop a worm from entering the internal network.

  3. Endpoint configuration policy

  For endpoint configuration, refer to the Antiy Emergency Security Configuration Guide for Windows Systems (PDF manual download).

  4. Extended detection

  Firewall and UTM vendors that use the Antiy AVL SDK anti-virus engine can request the RPCscan.so module.

  Snort users can add the following rules (source: https://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067?rev=1.1):

#by Secureworks
# Every generic rule requires the srvsvc RPC interface UUID (|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|),
# combined either with a DCERPC bind (packet type |0B| at offset 2) or with an opnum
# (|1F 00| NetPathCanonicalize, |20 00| NetPathCompare) plus a path-traversal sequence in ASCII or UTF-16.
# UDP/139
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008690; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008691; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008692; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008693; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008694; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008695; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008696; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008697; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008698; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008699; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008700; rev:1;)
# TCP/445 and TCP/139, NetPathCanonicalize (|1F 00|)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008701; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008702; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008703; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008704; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008705; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008706; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008707; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008708; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008709; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008710; rev:1;)
# TCP/445 and TCP/139, NetPathCompare (|20 00|)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008711; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008712; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008713; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008714; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008715; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008716; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\\..\\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008717; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008718; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008719; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008720; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)"; flow:established,to_server; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008721; rev:1;)
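The matching logic of the generic rules above (1 to 30), as an added example that is not part of the original guide or of the Emerging Threats ruleset: a small Python matcher that applies the same content: patterns (srvsvc interface UUID, DCERPC bind type, opnums 0x1F/0x20 and the four traversal encodings) to constructed sample buffers. The sample byte strings are synthetic, not captured traffic, and the header layout is only a DCERPC-like stand-in.

```python
from typing import Dict, List

# Byte patterns copied from the content: options of the rules above.
SRVSVC_UUID = bytes.fromhex("C84F324B7016D30112785A47BF6EE188")  # srvsvc interface UUID
DCERPC_BIND = 0x0B  # DCERPC packet type at offset 2 (rules using offset:2; depth:1)
OPNUMS: Dict[str, bytes] = {
    "NetPathCanonicalize (0x1F)": b"\x1f\x00",
    "NetPathCompare (0x20)": b"\x20\x00",
}
TRAVERSALS: Dict[str, bytes] = {
    "ascii ..\\..\\": b"..\\..\\",
    "ascii ../../": b"../../",
    "utf16 ../../": bytes.fromhex("002E002E002F002E002E002F"),
    "utf16 ..\\..\\": bytes.fromhex("002E002E005C002E002E005C"),
}


def match_ms08_067(payload: bytes) -> List[str]:
    """Apply the rules' logic to one inspected buffer.

    Snort ANDs content: options that carry no relative modifiers, so each
    pattern only has to occur somewhere in the buffer.  Returns the reasons
    the buffer would alert, or an empty list for traffic the rules ignore.
    """
    reasons: List[str] = []
    if SRVSVC_UUID not in payload:
        return reasons  # every generic rule requires the interface UUID
    if len(payload) > 2 and payload[2] == DCERPC_BIND:
        reasons.append("DCERPC bind to SRVSVC")  # rules 1, 6, 11, 16, 21, 26
    for op_name, op in OPNUMS.items():
        if op not in payload:
            continue
        for tr_name, tr in TRAVERSALS.items():
            if tr in payload:  # rules 2-5, 7-10, 12-15, 17-20, 22-25, 27-30
                reasons.append(f"{op_name} with traversal {tr_name}")
    return reasons


# Constructed sample buffers (synthetic, not captures): a DCERPC-like header
# (version 5.0, packet type, flags, data representation, 8 filler bytes) + body.
def _header(ptype: int) -> bytes:
    return bytes([5, 0, ptype, 3]) + b"\x10\x00\x00\x00" + b"\x00" * 8

BIND_SAMPLE = _header(DCERPC_BIND) + SRVSVC_UUID
BENIGN_SAMPLE = _header(0x00) + b"\\\\server\\share"
SUSPICIOUS_SAMPLE = (_header(0x00) + SRVSVC_UUID + OPNUMS["NetPathCanonicalize (0x1F)"]
                     + "\\..\\..\\".encode("utf-16-le"))  # UTF-16 path with traversal

if __name__ == "__main__":
    for name, buf in [("bind", BIND_SAMPLE), ("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)]:
        print(f"{name}: {match_ms08_067(buf) or 'no alert'}")
```

The bind-only rules (1, 6, 11, 16, 21, 26) alert on any bind to the srvsvc interface, which legitimate file-sharing clients also perform, so expect to threshold or tune them rather than treat every hit as an exploit attempt.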

(Editor in charge: Han Jianguang)
