Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: RPC errors

  • From: John Dvorak
  • Date: Mon Aug 11 17:58:42 2003

On Mon, 11 Aug 2003 17:33:33 -0400
 Kevin Houle <kjh@cert.org> wrote:
> 
> --On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm
> <MikeD@irwinresearch.com> wrote:
> 
> >The DCOM exploit that is floating around crashes the Windows RPC service
> >when the attacker closes the connection to your system after a successful
> >attack. Best bet is to assume any occurrence of crashing RPC services to
> >be signs of a compromised system until proven otherwise.
> >
> >http://www.cert.org/advisories/CA-2003-19.html
> 
> That's good advice. Many of the known exploits cause the RPC service
> to crash after the exploit is successful. I'll point out that not all
> exploits cause the service failure. So, the absence of an RPC service
> failure is likewise not an indicator that a vulnerable machine has
> escaped compromise.
> 
> Kevin

Interestingly, we have clear examples of boxes which were not infected but on
which RPC services did crash.  This may suggest that the worm also takes
advantage of the unrelated RPC DOS vulnerability (2000 and XP) which I believe
MS has still not patched.

John





