[60402] in North American Network Operators' Group


RE: RPC errors

daemon@ATHENA.MIT.EDU (Kevin Houle)
Mon Aug 11 17:34:27 2003

Date: Mon, 11 Aug 2003 17:33:33 -0400
From: Kevin Houle <kjh@cert.org>
To: Mike Damm <MikeD@irwinresearch.com>,
	"'Jack Bates'" <jbates@brightok.net>, NANOG <nanog@merit.edu>
In-Reply-To: <4DE113389BCEB84C9434FA4EEBF40F71036E@mailserv.irwinresearch.com>
Errors-To: owner-nanog-outgoing@merit.edu


--On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm 
<MikeD@irwinresearch.com> wrote:

> The DCOM exploit that is floating around crashes the Windows RPC service
> when the attacker closes the connection to your system after a successful
> attack. Best bet is to assume any occurrence of crashing RPC services to
> be signs of a compromised system until proven otherwise.
>
> http://www.cert.org/advisories/CA-2003-19.html

That's good advice. Many of the known exploits cause the RPC service
to crash after the exploit is successful. I'll point out that not all
exploits cause the service failure. So, the absence of an RPC service
failure is likewise not an indicator that a vulnerable machine has
escaped compromise.

Kevin
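
The triage rule from the two messages above, as an added example that is not part of the original thread: an RPC service crash means presume compromise, and a vulnerable host with no crash is still not cleared. The log line layout, host names and patch inventory are constructed for illustration; event IDs 7031/7034 are assumed to be the Service Control Manager "terminated unexpectedly" events.

```python
import re
from collections import defaultdict

# Constructed sample export (host|source|event_id|message); not real logs.
SAMPLE_EVENTS = """\
ws-01|Service Control Manager|7031|The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s).
ws-01|Service Control Manager|7036|The Print Spooler service entered the running state.
ws-02|Service Control Manager|7034|The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
ws-03|Service Control Manager|7036|The Remote Procedure Call (RPC) service entered the running state.
"""

# Assumption: these IDs mark an unexpected service termination.
CRASH_IDS = {7031, 7034}
RPC_CRASH = re.compile(
    r"^The Remote Procedure Call \(RPC\) service terminated unexpectedly")

def rpc_crash_counts(text):
    """Count unexpected RPC service terminations per host."""
    counts = defaultdict(int)
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip malformed lines rather than guess
        host, source, event_id, message = parts
        if (source == "Service Control Manager"
                and int(event_id) in CRASH_IDS
                and RPC_CRASH.match(message)):
            counts[host] += 1
    return dict(counts)

def triage(text, patched):
    """patched: host -> True if reported patched (hypothetical inventory).
    Hosts missing from the inventory are treated as vulnerable."""
    crashes = rpc_crash_counts(text)
    verdicts = {}
    for host in sorted(set(patched) | set(crashes)):
        if crashes.get(host):
            verdicts[host] = "presume-compromised"  # until proven otherwise
        elif not patched.get(host, False):
            verdicts[host] = "not-cleared"  # no crash is not evidence of safety
        else:
            verdicts[host] = "no-indicator"
    return verdicts

if __name__ == "__main__":
    inventory = {"ws-01": False, "ws-02": False, "ws-03": True}
    for host, verdict in triage(SAMPLE_EVENTS, inventory).items():
        print(host, verdict)
```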

