Data
08-11-2003, 04:18 PM
Yes, we know about it.
Yes, it has happened to other people (a lot of them).
It's called the Windows DCOM RPC exploit.
Details can be found at the following links:
http://securityresponse.symantec.com/avcenter/security/Content/8205.html
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
http://xforce.iss.net/xforce/alerts/id/147
(I will edit this post and update the list as needed.)
For now, if you're using Windows XP, you can abort the shutdowns with the command 'shutdown -a' (no quotes) at a command prompt, or in the Run dialog box. This will give you time to apply the patches and fixes listed below.
1.) Run Windows Update HERE (http://windowsupdate.microsoft.com) and download ALL the Critical Updates. This site is getting HAMMERED right now. Here's a direct link to the XP (all versions) patch at Microsoft: PATCH YOUR SHIT, DUMBASS (http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe)
2.) Install a software firewall (at the very minimum) and block the following ports:
INBOUND TCP ON PORT 135
INBOUND TCP ON PORT 4444
INBOUND UDP ON PORT 69
Software firewalls can be found at Zone Alarm (http://www.zonealarm.com) and BlackICE (http://blackice.iss.net).
3.) Run a virus scan with the latest virus definitions using the scanner of your choice. FREE online virus scans can be found at both McAfee (http://www.mcafee.com) and Trend Micro (http://www.trendmicro.com).
4.) It's also very likely that a virus/trojan has been installed on your computer. The common variant going around is a worm called W32.Blaster.Worm that creates the file msblast.exe and sometimes(?) infects explorer.exe. Symantec has put up a tool for removing the worm HERE (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html).
5.) When you've done all this, you can test your vulnerability to the exploit HERE (http://secur1ty.net/) (bottom link). You should see this:
Wait.. (could take up to 2 minutes).
[+] Connecting to [IP]
-- [IP] does not accept DCERPC protocol
Finished.
Another web-based test here: http://secur1ty.net/dcom.cgi
Results should be something like this:
Please wait, scanning your system...
[IP] does not appear to be vulnerable (unable to connect -- filtered?).
Gibson Research has his version of the test here: https://grc.com/x/portprobe=135
You can also download a small utility to check vulnerability HERE (http://www.iss.net/support/product_utilities/ms03-026rpc.php).
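The web tests in step 5 all ask one question: does TCP port 135 on your box answer a DCE/RPC bind at all? Below is an added Python example (not from the original post, Symantec, ISS or GRC) that performs the same probe from your own machine. It builds a DCE/RPC v5 bind PDU, sends it to port 135 and classifies the reply. The bind targets the ISystemActivator interface UUID, which is my choice for the abstract syntax; any DCOM interface would do for a reachability check. Note the caveat the web tests gloss over: a bind_ack only proves the RPC endpoint is reachable, it does not tell you whether KB823980 is installed, so the result to aim for after the firewall step is "does not accept DCERPC protocol".

```python
"""Minimal DCE/RPC bind probe for TCP/135 (added example, not the post's own tool)."""
import socket
import struct
import sys
import uuid

# Abstract syntax to bind to; ISystemActivator is an assumption, any DCOM
# interface UUID works for a reachability probe. Transfer syntax is NDR 2.0.
ISYSTEM_ACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_BIND = 0x0B
PTYPE_BIND_ACK = 0x0C
PTYPE_BIND_NAK = 0x0D


def build_bind(abstract_uuid: uuid.UUID, version: int = 0, call_id: int = 1) -> bytes:
    """Build a connection-oriented DCE/RPC v5 bind PDU with one presentation context."""
    body = struct.pack("<HHI", 5840, 5840, 0)          # max xmit/recv frag, assoc group id
    body += struct.pack("<BBH", 1, 0, 0)                 # one context element + padding
    body += struct.pack("<HBB", 0, 1, 0)                 # context id 0, one transfer syntax
    body += abstract_uuid.bytes_le + struct.pack("<HH", version, 0)   # interface, v<major>.<minor>
    body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)  # NDR 2.0
    header = struct.pack(
        "<BBBB4sHHI",
        5, 0, PTYPE_BIND, 0x03,        # rpc_vers 5.0, ptype bind, first|last fragment
        b"\x10\x00\x00\x00",           # packed_drep: little-endian, ASCII, IEEE float
        16 + len(body), 0, call_id,    # frag_length, auth_length, call_id
    )
    return header + body


def classify_response(data: bytes) -> str:
    """Classify the first PDU a peer sends back after our bind."""
    if len(data) < 16 or data[0] != 5:
        return "not DCERPC"
    ptype = data[2]
    if ptype == PTYPE_BIND_ACK:
        return "bind_ack"
    if ptype == PTYPE_BIND_NAK:
        return "bind_nak"
    return "unexpected ptype 0x%02x" % ptype


def probe(host: str, port: int = 135, timeout: float = 5.0) -> str:
    """Connect to host:port, send a bind and report whether the peer speaks DCE/RPC."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_bind(ISYSTEM_ACTIVATOR))
            data = sock.recv(1024)
    except OSError as exc:
        # Refused or timed out: this is the result the post's web tests call good.
        return "does not accept DCERPC protocol (unable to connect -- filtered? %s)" % type(exc).__name__
    verdict = classify_response(data)
    if verdict in ("bind_ack", "bind_nak"):
        # Reachable is not the same as unpatched; this only says port 135 is exposed.
        return "accepts DCERPC protocol (%s); port 135 reachable, patch state unknown" % verdict
    return "port open but %s" % verdict


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("[+] Connecting to %s" % target)
    print("-- %s %s" % (target, probe(target)))
```

Run it against your own public IP from outside your firewall (or from the box itself for a quick local check). If you get a bind_ack, port 135 is still reachable and step 2 is not done; a refused or timed-out connection matches the "does not accept DCERPC protocol" line the web tests print.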