nanog mailing list archives
RE: RPC errors
From: Kevin Houle <kjh () cert org>
Date: Mon, 11 Aug 2003 17:33:33 -0400
--On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm <MikeD () irwinresearch com> wrote:
The DCOM exploit that is floating around crashes the Windows RPC service when the attacker closes the connection to your system after a successful attack. Best bet is to assume any occurrence of crashing RPC services to be signs of a compromised system until proven otherwise. http://www.cert.org/advisories/CA-2003-19.html
That's good advice. Many of the known exploits cause the RPC service to crash after the exploit is successful. I'll point out that not all exploits cause the service failure. So, the absence of an RPC service failure is likewise not an indicator that a vulnerable machine has escaped compromise. Kevin
Current thread:
- Re: RPC errors, (continued)
- Re: RPC errors Jack Bates (Aug 11)
- Re: RPC errors Dominic J. Eidson (Aug 12)
- Re: RPC errors Crist Clark (Aug 12)
- Re: RPC errors Dominic J. Eidson (Aug 12)
- Re: RPC errors Jack Bates (Aug 11)
- Re: RPC errors Chris Reining (Aug 11)
- Re: RPC errors /m (Aug 11)
- Re: RPC errors william (Aug 11)
- RE: RPC errors Drew Weaver (Aug 11)
- RE: RPC errors McBurnett, Jim (Aug 11)
- RE: RPC errors Mike Damm (Aug 11)
- RE: RPC errors Kevin Houle (Aug 11)
- RE: RPC errors Drew Weaver (Aug 11)
- RE: RPC errors Brennan_Murphy (Aug 11)
- Re: RPC errors John Dvorak (Aug 11)
- RE: RPC errors Bob German (Aug 11)
- Re: RPC errors Michael Painter (Aug 11)
- RE: RPC errors Brennan_Murphy (Aug 11)
- RE: RPC errors Rob Thomas (Aug 11)
- RE: RPC errors Mike Damm (Aug 11)
- RE: RPC errors Mark Segal (Aug 11)
- Re: RPC errors Jack Bates (Aug 11)