/Rpc virtual directory in IIS - How did it get there?

Recently I was surprised to notice a new virtual directory on an Internet-facing IIS box of ours. It was called Rpc, and pointed to c:\winnt\system32 with Read and Execute permissions. Ding-ding-ding, alarm bells started going off in my head. As I investigated further, though, I was surprised to find that there could actually be pseudo-justifiable reasons for this. The box also had a new ISAPI filter installed called RPCProxy, which referenced c:\winnt\system32\rpcproxy.dll. Googling on rpcproxy.dll brought up, among other things, the WinNT SP4 Readme.txt, which describes how to set up COM Internet Services (CIS), aka DCOM tunneled over HTTP. The setup instructions are not too dissimilar to what I found on our IIS box, although MS recommends that you copy rpcproxy.dll to its own folder and point the virtual directory there rather than exposing all those other goodies in system32.
So, either way I'm left wondering - how the heck did the virtual directory and ISAPI filter end up on this box? The box was reasonably well patched, though it didn't have the latest round of hotfixes (like the MDAC one). Plus, we only allow SSL/TCP 443 traffic to it from the Internet, which generally wards off the most common IIS attacks. Regardless, does this match any known attack signatures that anyone can think of?
Alternately, does anyone know of 3rd-party software that might install COM Internet Services silently as part of its own installation routine?
Any other thoughts?
Received on Fri Dec 6 13:21:08 2002
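As an added example (not part of the original post), one way to check a server for the condition described in the message is to walk the IIS metabase and list every virtual directory and ISAPI filter with its target path, marking virtual directories that resolve into the Windows system directory. It assumes the "IIS://" ADSI provider is available on the host (on IIS 7 and later that requires the IIS 6 Metabase Compatibility feature) and an elevated prompt; the function names are hypothetical.

```powershell
# Added example: inventory IIS virtual directories and ISAPI filters via ADSI.
# Assumes the "IIS://" ADSI provider is present and the prompt is elevated.
$sysDir = [Environment]::GetFolderPath('System').TrimEnd('\')

function Test-InSystemDir([string]$path) {
    if ([string]::IsNullOrEmpty($path)) { return $false }
    try {
        # Expand %SystemRoot%-style values and collapse "..\" before comparing.
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        $full = [IO.Path]::GetFullPath($expanded).TrimEnd('\')
    } catch { return $false }   # not a usable local path
    return ($full -ieq $sysDir) -or
        $full.StartsWith($sysDir + '\', [StringComparison]::OrdinalIgnoreCase)
}

function Get-MetaValue($entry, [string]$name) {
    # Metabase properties are read through psbase so they cannot be confused
    # with members of the DirectoryEntry wrapper itself.
    $prop = $entry.psbase.Properties[$name]
    if ($prop -ne $null -and $prop.Count -gt 0) { return $prop.Value }
    return $null
}

function Get-IisMapping($entry) {
    $class = $entry.psbase.SchemaClassName
    if ($class -eq 'IIsWebVirtualDir') {
        $target = [string](Get-MetaValue $entry 'Path')
        [pscustomobject]@{
            Kind = 'VirtualDir'; Node = $entry.psbase.Path; Target = $target
            Execute = [bool](Get-MetaValue $entry 'AccessExecute')
            InSystemDir = Test-InSystemDir $target
        }
    } elseif ($class -eq 'IIsFilter') {
        $target = [string](Get-MetaValue $entry 'FilterPath')
        [pscustomobject]@{
            Kind = 'IsapiFilter'; Node = $entry.psbase.Path; Target = $target
            Execute = $null
            InSystemDir = Test-InSystemDir $target
        }
    }
    # Recurse so per-site filters and nested virtual directories are covered.
    foreach ($child in $entry.psbase.Children) { Get-IisMapping $child }
}

$all = Get-IisMapping ([ADSI]'IIS://localhost/W3SVC')
$all | Sort-Object Kind, Node | Format-Table -AutoSize
# Virtual directories that expose the system directory with Execute access:
$all | Where-Object { $_.Kind -eq 'VirtualDir' -and $_.InSystemDir -and $_.Execute }
```

Saving the full table as a baseline and diffing it on later runs shows when a new virtual directory or filter has appeared, whatever installed it.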