The DCOM exploit that is floating around crashes the Windows RPC service when the attacker closes the connection to your system after a successful attack. Best bet is to assume any occurrence of crashing RPC services to be signs of a compromised system until proven otherwise. http://www.cert.org/advisories/CA-2003-19.html -Mike --- Michael Damm, MIS Department, Irwin Research & Development V: 509.457.5080 x298 F: 509.577.0301 E: miked@irwinresearch.com -----Original Message----- From: Jack Bates [mailto:jbates@brightok.net] Sent: Monday, August 11, 2003 1:12 PM To: NANOG Subject: RPC errors I'm showing signs of an RPC sweep across one of my networks that's killing some XP machines (only XP confirmed). How wide spread is this at this time. Also, does anyone know if this is just generating a DOS symptom or if I should be looking for backdoors in these client systems? -Jack
--On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm <MikeD@irwinresearch.com> wrote:
The DCOM exploit that is floating around crashes the Windows RPC service when the attacker closes the connection to your system after a successful attack. Best bet is to assume any occurrence of crashing RPC services to be signs of a compromised system until proven otherwise.
That's good advice. Many of the known exploits cause the RPC service to crash after the exploit is successful. I'll point out that not all exploits cause the service failure. So, the absence of an RPC service failure is likewise not an indicator that a vulnerable machine has escaped compromise. Kevin
participants (2)
-
Kevin Houle
-
Mike Damm