安天 - 安全响应

    网络信息安全是一个博大精深的技术体系，安天将自己的注意力专注于主要矛盾，即计算机网络病毒问题。
    根据有关机构统计，全球超过80%的安全事件均与病毒有关，网络病毒是信息社会面临的主要安全挑战之一，因此，安天人将“天下无毒”作为自己追求的安全境界。
    安天将网络安全工作者的宏观视野与反病毒工程师的成熟细腻有机结合。将反病毒技术与网络监控技术、计算机犯罪取证技术、安全评估技术等进行了有机的结合，形成了自身的产品内涵。


	当前位置：首页 - 安全响应中心 -> 病毒预警

MS08-067漏洞网管处置简易指南

出处：安天实验室时间：2008年10月24日

1、威胁概述 　

Windows操作系统下的Server服务在处理RPC请求的过程中存在一个漏洞，远程攻击者可以通过发送恶意的RPC请求触发这个溢出，导致完全入侵用户系统，以SYSTEM权限执行任意指令并获取数据。该漏洞可导致蠕虫攻击，类似冲击波蠕虫。

2、端口策略

管理员可以通过防火墙和路由设备阻断TCP 139和445端口,制止蠕虫进入内网。

3、终端配置策略终端配置策略

请参考《安天Windows系统紧急安全配置指南》（PDF手册下载）。

4、扩展检测

使用安天AVL SDK反病毒引擎的防火墙和UTM厂商请联系获取RPCscan.so模块。

SNORT用户可添加规则：
(出处：http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067?rev=1.1)

#by Secureworks alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008690; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\..\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008691; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008692; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008693; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008694; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008695; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\..\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008696; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008697; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008698; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008699; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008700; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008701; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"\..\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008702; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008703; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008704; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008705; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008706; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\..\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008707; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008708; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008709; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008710; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008711; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"\..\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008712; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008713; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008714; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008715; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008716; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..\..\"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008717; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008718; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008719; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008720; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)"; flow:established,to_server; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; sid:2008721; rev:1;)