Event ID - 69

Port No69
Service NameBlaster Worm TFTP Backdoor
RFC Doc0
ProtocolUDP
DescriptionThis event indicates an attempt to TFTP the RPC DCOM worm msblast.exe from an infected computer.
Reference LinkPort Number:69 Service Name:Blaster Worm TFTP Backdoor Port:UDP
AttackAccording to Symantec

Resolution:
The following workaround has been suggested by the vendor.
The following ports should be blocked:
TCP/UDP Port 135
TCP/UDP Port 139
TCP/UDP Port 445
A reliable source has indicated that TCP port 593 is also a potential channel for attacks. Microsoft has not mentioned this port in their revised bulletin. Administrators are advised to filter access to it and any other ports that are not necessary.
The Internet Connection Firewall in Windows XP or Windows Server 2003 will, by default, block inbound RPC traffic.
Disable DCOM on all affected computers.
When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers.
If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer.
To manually enable (or disable) DCOM for a computer:
1. Run Dcomcnfg.exe.
If you are running Windows XP or Windows Server 2003, perform these additional steps:
* Click on the Component Services node under Console Root.
* Open the Computers sub-folder.
* For the local computer, right-click on My Computer and choose Properties.
* For a remote computer, right-click on the Computers folder and choose New > Computer. Enter the computer name. Right-click on that computer name, and then choose Properties.
2. Choose the Default Properties tab.
3. Select (or clear) the Enable Distributed COM on this Computer check box.
4. If you will be setting more properties for the computer, click Apply to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
To test if ncacn_http is running on port 80 (which may be an additional attack vector), telnet to port 80 and enter:
RPC_CONNECT (ip address):593 HTTP/1.0

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.