Pantek Library

RE: attempt to launch a DCOM server?

From: Vincent Aikema <vaikema(at)hotmail.com>
Date: Wed Aug 13 2003 - 07:01:32 EDT


I've seen the same error that Geof reported. It appears on just one of my servers here...about 3 times per day. The error first appeared AFTER I patched the server over a week ago. In my case the "originating user" is in a separate (country) network linked via a VPN with no firewall in between.

My initial obvious conclusion was that the user installed some exploit utility either intentionally or unintentionally and it is being run automatically. However the local admin there hasn't discovered any problem on that user's PC, but is still pursuing it. My main concern now is what did it do on the server BEFORE it was patched last week. I don't see anything abnormal, but...

If anyone has any info on this, I'd also like to know :-)

Ciao,
Vincent

-----Original Message-----
From: Geoffrey Shorter [mailto:geoffreyshorter@hotmail.com]
Sent: Tuesday, August 12, 2003 9:36 PM
To: focus-ms@securityfocus.com
Subject: attempt to launch a DCOM server?

One of our machines, which we know is patched against the RPC DCOM vulnerability, reported this at 12:16:33 this afternoon:

System Error 10002
Access denied attempting to launch a DCOM Server.
The server is:{<bunch of numbers here>}
The user is <servicename>/<servername>, SID=S-1-5-21-00000000000-000000000-0000000000-0000.

Names and numbers changed/removed to protect the innocent, of course... :)

Is the above an indication of someone attempting to exploit the RPC DCOM vulnerability?


Anyone know?

Thanks.
geof



Received on Wed Aug 13 11:21:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:35 EDT

