Home page logo

nanog logo nanog mailing list archives

Re: RPC errors
From: John Dvorak <john () dvorak net>
Date: Mon, 11 Aug 2003 17:56:43 -0400

On Mon, 11 Aug 2003 17:33:33 -0400
 Kevin Houle <kjh () cert org> wrote:

--On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm
<MikeD () irwinresearch com> wrote:

The DCOM exploit that is floating around crashes the Windows RPC service
when the attacker closes the connection to your system after a successful
attack. Best bet is to assume any occurrence of crashing RPC services to
be signs of a compromised system until proven otherwise.


That's good advice. Many of the known exploits cause the RPC service
to crash after the exploit is successful. I'll point out that not all
exploits cause the service failure. So, the absence of an RPC service
failure is likewise not an indicator that a vulnerable machine has
escaped compromise.


Interestingly, we have clear examples of boxes which were not infected but on
which RPC services did crash.  This may suggest that the worm also takes
advantage of the unrelated RPC DOS vulnerability (2000 and XP) which I believe
MS has still not patched.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]