On Mon, 11 Aug 2003 17:33:33 -0400 Kevin Houle <kjh@cert.org> wrote:
--On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm <MikeD@irwinresearch.com> wrote:
The DCOM exploit that is floating around crashes the Windows RPC service when the attacker closes the connection to your system after a successful attack. Best bet is to assume any occurrence of crashing RPC services to be signs of a compromised system until proven otherwise.
That's good advice. Many of the known exploits cause the RPC service to crash after the exploit is successful. I'll point out that not all exploits cause the service failure. So, the absence of an RPC service failure is likewise not an indicator that a vulnerable machine has escaped compromise.
Kevin
Interestingly, we have clear examples of boxes which were not infected but on which RPC services did crash. This may suggest that the worm also takes advantage of the unrelated RPC DOS vulnerability (2000 and XP) which I believe MS has still not patched. John
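An added example, not written by anyone in this thread, that turns Kevin's rule of thumb into a triage pass over exported Service Control Manager entries: a host whose RPC service terminated unexpectedly is flagged for investigation, and a host without such an event is explicitly not marked clean. The export layout, hostnames, timestamps and counts are constructed for the example; the 7031/7036 event IDs are the standard SCM "terminated unexpectedly" and state-change events, but the exact line format depends on the export tool.

```python
import re
from collections import Counter

# Constructed sample in the shape of Windows Service Control Manager entries
# (Event ID 7031 = a service terminated unexpectedly, 7036 = state change).
# Hosts, times and the export layout are made up for this example.
SAMPLE_EVENTS = """\
2003-08-11 14:31:07 HOST-A 7031 Service Control Manager The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s).
2003-08-11 14:32:40 HOST-A 7031 Service Control Manager The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 2 time(s).
2003-08-11 15:02:11 HOST-B 7031 Service Control Manager The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
2003-08-11 15:10:55 HOST-C 7036 Service Control Manager The Remote Procedure Call (RPC) service entered the running state.
2003-08-11 16:45:03 HOST-D 7031 Service Control Manager The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<event_id>\d+) Service Control Manager "
    r"The (?P<service>.+?) service (?P<what>terminated unexpectedly|entered the \w+ state)"
)

def parse_events(text):
    """Parse exported SCM lines into dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events

def rpc_crash_counts(events):
    """Hosts whose RPC service terminated unexpectedly, with how many times each."""
    return dict(Counter(ev["host"] for ev in events
                        if ev["event_id"] == 7031
                        and ev["service"].startswith("Remote Procedure Call")))

def triage(events, hosts):
    """Apply the thread's rule of thumb: an RPC crash means 'treat as compromised
    until proven otherwise'; the absence of one does NOT clear the host."""
    crashes = rpc_crash_counts(events)
    return {h: ("investigate: %d RPC crash(es)" % crashes[h]) if h in crashes
            else "no RPC crash seen; not cleared"
            for h in hosts}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, verdict in sorted(triage(evs, ["HOST-A", "HOST-B", "HOST-C", "HOST-D"]).items()):
        print(host, verdict)
```

Hosts with a crash of some other service (HOST-B's spooler here) are not flagged by this rule, and a flagged host still needs the usual confirmation before it is declared compromised.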
I've seen similar behavior. I patch immediately and religiously, and on two of my patched boxes I've seen unusual svchost crashes yesterday and today. But no infection, knock on wood.

Bob German
Sr Systems Engineer
Irides, LLC

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of John Dvorak
Sent: Monday, August 11, 2003 5:57 PM
To: NANOG
Subject: Re: RPC errors
Forwarded from isp-tech:

Those of you having the issues of restarts, do the following: Go to Control Panel, then Administrative Tools, then Services. Under Services find the Remote Procedure Call option, and right click then go to Properties. Under Properties, go to the Recovery Tab, and you'll see the "At first failure..." "At Second Failure..." issue. Change those to "Take No Action" or "Restart The Service" instead of the default "Reboot the Computer" option, and you should be able to stay on for the patch.

--------------------------------------------------
Jon Catron
RNet Inc. - Technical Support Systems Administrator
http://www.rnetinc.net/
(765) 342-3554
(888) 349-3080
--------------------------------------------------
participants (3)
- Bob German
- John Dvorak
- Michael Painter