[THIN] Re: OT: Weird behavior? RPC attack???

  • From: "John Knightly" <jknightly@xxxxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 11 Aug 2003 15:59:38 -0700

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

-----Original Message-----
From: Ryan Lambert [mailto:rlambert@xxxxxxxxxxxxxxx] 
Sent: Monday, August 11, 2003 3:26 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Weird behavior? RPC attack???


I don't know whether or not there was anything posted by them stating
this, but to a significant degree this is still a Denial of Service.

The program can bring Active Directory to its knees.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] 
Sent: Monday, August 11, 2003 6:22 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Weird behavior? RPC attack???

Hey Brian,

The Microsoft patch for the DCOM exploit doesn't actually fix the entire
issue. I have some C code I've run against Windows 2000 machines with
all levels of Service Pack. The RPC service on each crashes with
svchost.exe failing, a Dr. Watson alert in the Eventlog, in addition to
what you just posted. All three of those are symptoms of an attack. 

I spoke with Microsoft regarding this last week and provided them with
source code to duplicate the issue - I have not heard an answer back.

-----Original Message-----
From: Claus, Brian [mailto:BClaus@xxxxxxxxxxxxx] 
Sent: Monday, August 11, 2003 4:58 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Weird behavior? RPC attack???

We're maxed out on antivirus...I'm thinking it may be related to
823980's RPC exploit.  I have one Win2k SP2 user who just got 3 Event ID
7031's in the last 45 mins...other users are reporting this as well.

Details as we have them:

Event ID 4097: The COM+ Event System detected a bad return code during
its internal processing.  HRESULT was 800706BA from line 42 of
.\eventsystemobj.cpp.  Please contact Microsoft Product Support Services
to report this error.

Event ID 7031:  The Remote Procedure Call (RPC) service terminated
unexpectedly.  It has done this 1 time(s).  The following corrective
action will be taken in 0 milliseconds: No action. 

Seems to have started around 3:30 EST. 
 

  _____  

 
Brian Claus, A+, Network+, MCP
Network Administrator
WESCO Distribution, Inc.
225 West Station Square Drive, Suite 700
Pittsburgh, PA 15219-1122
Phone:  412-454-2412
Fax:  412-454-2540
bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx> 
  _____  



-----Original Message-----
From: Ryan Lambert [mailto:rlambert@xxxxxxxxxxxxxxx]
Sent: Monday, August 11, 2003 4:47 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Weird behavior?


Sounds like the recent DCOM exploit. 

Are you firewalled and patched (svchost.exe still crashes even if
patched)? If so, I'd be checking the integrity of the workstations. May
have a worm inside.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] 
Sent: Monday, August 11, 2003 4:40 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] OT: Weird behavior?

All,

Seeing very weird activity on my network...

SVCHOST.exe errors, RPC errors and EXCEL and Access errors are
abounding...

Event Viewer is crashing, etc...etc....

Anyone else have anything weird going on?
********************************************************
This Week's Sponsor:  RES PowerFuse, The Management Framework for
Windows Eliminate Multiple Tools, Multiple Support Channels and Multiple
Costs Manage, Control, and Secure an Entire Windows environment with
Ease, including Real-time Reporting and Documenting Components Validate
a Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm