[THIN] Re: OT: RPC symptoms

  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 12 Aug 2003 13:19:39 -0400

Amazing...

This is all it takes. And I'm patched to date.

Wonder when they'll fix that!


[root@orbital root]# ./dcom 4 xxx.xxx.xxx.xxx   (IP munged for security purposes)

---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Using return address of 0x77f92a9b
- Dropping to System Shell...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.


C:\WINNT\system32>


-----Original Message-----
From: Ryan Lambert 
Sent: Tuesday, August 12, 2003 8:36 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: RPC symptoms

That's possible.

I was detailing the remote attack without infection from the worm.
Installer wasn't involved in my testing.

-----Original Message-----
From: Adam.Baum@xxxxxxxxxxxxxx [mailto:Adam.Baum@xxxxxxxxxxxxxx] 
Sent: Tuesday, August 12, 2003 8:29 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: RPC symptoms


Yup, got this too.  Also found a bunch of failed MSI Installer events.
Maybe blaster tried to install, but was only partially successful.
adam



-----Original Message-----
From: thin-bounce@freelists.org
Sent: 08/12/2003 05:27 AM
To: <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Re: OT: RPC symptoms
Please respond to thin

Ron,

I have noticed three things in particular when running test attacks.

You will see on the console that svchost.exe has crashed. It has a
corresponding Event Log entry.

Event Type:       Information

Event Source:    DrWatson
Event Category: None
Event ID:           4097
Date:                DATE
Time:                TIME
User:                N/A
Computer:         COMPUTERNAME
Description:
The application, svchost.exe, generated an application error The error
occurred on DATE @ TIME. The exception generated was c000001d at address
77E8367A (<nosymbols>)


Also this:

Event Type:       Error
Event Source:    EventSystem
Event Category: Event System
Event ID:           4097
Date:                DATE
Time:                TIME
User:                N/A
Computer:         COMPUTERNAME
Description:
The COM+ Event System detected a bad return code during its internal
processing.  HRESULT was 800706BF from line 42 of .\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this error.
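The two Event Log entries above are the symptoms a defender can actually look for: a DrWatson 4097 for svchost.exe with exception c000001d (STATUS_ILLEGAL_INSTRUCTION, consistent with the RPCSS host process being crashed rather than cleanly shut down), followed by a COM+ Event System 4097 whose HRESULT 800706BF is the Win32 error 1727, RPC_S_CALL_FAILED_DNE, i.e. the call failed because the RPC endpoint was gone. The following script is an added example, not part of the list thread, that parses Event Viewer text exported in this key/value layout, classifies each entry against those two indicators, and pairs each svchost crash with an RPC failure that follows it on the same host within a short window. The sample events, computer name, dates and the benign notepad.exe crash are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: the two entries quoted in the thread with concrete
# dates filled in, plus one unrelated DrWatson crash the filter must ignore.
SAMPLE_EVENTS = """\
Event Type: Information
Event Source: DrWatson
Event Category: None
Event ID: 4097
Date: 8/12/2003
Time: 5:10:02 AM
User: N/A
Computer: TS01
Description:
The application, svchost.exe, generated an application error The error
occurred on 8/12/2003 @ 5:10:02 AM. The exception generated was c000001d at address
77E8367A (<nosymbols>)

Event Type: Error
Event Source: EventSystem
Event Category: Event System
Event ID: 4097
Date: 8/12/2003
Time: 5:10:03 AM
User: N/A
Computer: TS01
Description:
The COM+ Event System detected a bad return code during its internal
processing.  HRESULT was 800706BF from line 42 of .\\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this error.

Event Type: Information
Event Source: DrWatson
Event Category: None
Event ID: 4097
Date: 8/12/2003
Time: 9:41:00 AM
User: N/A
Computer: TS01
Description:
The application, notepad.exe, generated an application error The error
occurred on 8/12/2003 @ 9:41:00 AM. The exception generated was c0000005 at address
01001f8a (<nosymbols>)
"""

HEADER_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$"
)
# Matches the exception code and faulting address in a DrWatson description.
EXC_RE = re.compile(r"exception generated was ([0-9a-fA-F]{8}) at address ([0-9a-fA-F]{8})")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split exported Event Viewer text (blank-line separated) into one dict per event."""
    events: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event: Dict[str, str] = {}
        desc: List[str] = []
        in_desc = False
        for line in block.splitlines():
            if in_desc:
                desc.append(line.strip())      # description may wrap over several lines
                continue
            if line.strip() == "Description:":
                in_desc = True
                continue
            m = HEADER_RE.match(line.strip())
            if m:
                event[m.group(1)] = m.group(2).strip()
        event["Description"] = " ".join(desc)
        if event.get("Event Source"):
            events.append(event)
    return events


def event_time(event: Dict[str, str]) -> datetime:
    """Combine the Date and Time fields into a datetime (US-style Event Viewer format)."""
    return datetime.strptime(f"{event['Date']} {event['Time']}", "%m/%d/%Y %I:%M:%S %p")


def classify(event: Dict[str, str]) -> Optional[str]:
    """Tag an event if it matches one of the two indicators seen in the thread."""
    src, eid = event.get("Event Source"), event.get("Event ID")
    desc = event.get("Description", "")
    if src == "DrWatson" and eid == "4097":
        m = EXC_RE.search(desc)
        # c000001d = STATUS_ILLEGAL_INSTRUCTION; only svchost.exe is of interest here
        if m and "svchost.exe" in desc and m.group(1).lower() == "c000001d":
            return "svchost_illegal_instruction"
    # 800706BF = HRESULT_FROM_WIN32(1727) = RPC_S_CALL_FAILED_DNE
    if src == "EventSystem" and eid == "4097" and "800706BF" in desc.upper():
        return "complus_rpc_call_failed_dne"
    return None


def correlate(events: List[Dict[str, str]], window_seconds: int = 60) -> List[Dict[str, object]]:
    """For each svchost crash, note whether a COM+ RPC failure followed on the same host."""
    tagged = [(classify(e), e) for e in events]
    crashes = [e for tag, e in tagged if tag == "svchost_illegal_instruction"]
    rpc_fails = [e for tag, e in tagged if tag == "complus_rpc_call_failed_dne"]
    hits: List[Dict[str, object]] = []
    for crash in crashes:
        t0 = event_time(crash)
        followers = [
            r for r in rpc_fails
            if r.get("Computer") == crash.get("Computer")
            and timedelta(0) <= event_time(r) - t0 <= timedelta(seconds=window_seconds)
        ]
        hits.append({
            "computer": crash.get("Computer"),
            "time": t0.isoformat(),
            "address": EXC_RE.search(crash["Description"]).group(2),
            "rpc_failure_followed": bool(followers),
        })
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

The faulting address is kept in the result because it is a cheap cross-host signal: the same address showing up across several machines points at one stimulus rather than at unrelated crashes. Treat a hit as a trigger to confirm the host's patch level and to check what connected to TCP 135 around that time, not as proof of compromise on its own.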
********************************************************
This Week's Sponsor:  RES PowerFuse, The Management Framework for
Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease,
including Real-time Reporting and Documenting Components
Validate a Meaningful ROI on All of your IT Investments with RES
PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm