nanog mailing list archives
RE: RPC errors
From: Mike Damm <MikeD () irwinresearch com>
Date: Mon, 11 Aug 2003 15:18:35 -0700
According to Symantec it doesn't know if the system has already been infected until it is running on the target machine, at which point the RPC crash is imminent. It shouldn't re-infect, but further attempts from other infected hosts will cause random reboots.

On the plus side this one will be much easier to clean up than CodeRed, Nimda, etc. Random J. Clueless might actually look for patches if his box is rebooting on a regular basis.

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298
F: 509.577.0301
E: miked () irwinresearch com

-----Original Message-----
From: Drew Weaver [mailto:drew.weaver () thenap com]
Sent: Monday, August 11, 2003 2:53 PM
To: 'Mike Damm'
Cc: 'nanog () merit edu'
Subject: RE: RPC errors

It's bloody gorgeous too, my girlfriend's PC rebooted like 9 times, apparently the worm doesn't check to see if it's already infected.

-----Original Message-----
From: Mike Damm [mailto:MikeD () irwinresearch com]
Sent: Monday, August 11, 2003 5:27 PM
To: 'Jack Bates'; NANOG
Subject: RE: RPC errors

The DCOM exploit that is floating around crashes the Windows RPC service when the attacker closes the connection to your system after a successful attack. Best bet is to assume any occurrence of crashing RPC services to be signs of a compromised system until proven otherwise.

http://www.cert.org/advisories/CA-2003-19.html

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298
F: 509.577.0301
E: miked () irwinresearch com

-----Original Message-----
From: Jack Bates [mailto:jbates () brightok net]
Sent: Monday, August 11, 2003 1:12 PM
To: NANOG
Subject: RPC errors

I'm showing signs of an RPC sweep across one of my networks that's killing some XP machines (only XP confirmed). How widespread is this at this time? Also, does anyone know if this is just generating a DOS symptom or if I should be looking for backdoors in these client systems?

-Jack