COMMAND

    CPU attacks [DNS (port 1029), TPSVCS (1038), INETINFO (1031)]

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Story with CPU utilization rising  goes on.  For now  on localhots
    only.  David Litchfield posted few more CPU attacks (some of  them
    known before).

    TPSVCS.EXE
    ==========
        Telnet to port 1038  and simply disconnect when  there...sends
        the processor running at 100%. (Some other ports are also open
        eg:  1032 but it varies. 1038 is always open to this attack it
        seems.)

    WINS.EXE
    ========
        Varies : try telnetting to port 1043 or 1091 (These two  ports
        have succeded on occasion.) Just connect and disconnect.

    DNS.EXE
    =======
        Telnet to  port 1029  and disconnect.  This port  seems always
        open to this attack.

    INETINFO.EXE
    ============
        Inetinfo.exe  (IIS)  can  be  attacked  on  port  1031.  David
        recently sent  out a  possible solution  to resolve  this (see
        'CPU utilization #5), but he  found it again on port  1035 and
        the  same  problem  occured.   After  a "successful" attack on
        this port...trying to reconnect after stopping and  restarting
        the  IIS  services  failed....but  then  he  found  it on port
        1033...later back on  port 1031...inetinfo hangs  around these
        ports like a bad smell......

    To find ports open and  of interest, run the "netstat  -a" command
    to  see  ports  that  are  listening.   It  seems  that this stuff
    works with telnet to localhost (127.0.0.1), except inetinfo.exe.

SOLUTION

    Nothing yet.   These attacks are  possible against localhost  only
    so  with  good  auditing  measures  at  least you will know who is
    playing with your system.