|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: attempt to launch a DCOM server?
From: Vincent Aikema (vaikema
hotmail.com)
Date: Wed Aug 13 2003 - 06:01:32 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I've seen the same error that Geof reported. It appears on just one of my
servers here...about 3 times per day. The error first appeared AFTER I
patched the server over a week ago. In my case the "originating user" is in
a seperate (country) network linked via a vpn with no firewall in between.
My initial obvious conclusion was that the user installed some exploit
utility either intentionally or unintentionally and it is being run
automatically. However the local admin there hasn't discovered any problem
on that user's PC, but is still pursuing it. My main concern now is what
did it do on the server BEFORE it was patched last week. I don't see
anything abnormal, but...
If anyone has any info on this, I'd also like to know :-)
Ciao,
Vincent
-----Original Message-----
From: Geoffrey Shorter [mailto:geoffreyshorterhotmail.com]
Sent: Tuesday, August 12, 2003 9:36 PM
To: focus-mssecurityfocus.com
Subject: attempt to launch a DCOM server?
One of our machines, which we know is patched against the RPC DCOM
vulnerability, reported this at 12:16:33 this afternoon:
System Error 10002
Access denied attempting to launch a DCOM Server.The server is:{<bunch of
numbers here>}The user is <servicename>/<servername>,
SID=S-1-5-21-00000000000-000000000-0000000000-0000.
Names and numbers changed/removed to protect the innocent, of course... :)
Is the above an indication of someone attempting to exploit the RPC DCOM
vulnerability?
Anyone know?
Thanks.
geof
_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
http://join.msn.com/?page=features/virus
---------------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
---------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]