[Full-Disclosure] RPC DCOM footprints
- To: full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] RPC DCOM footprints
- From: "Michael De La Cruz" <delacruzma@msn.com>
- Date: Fri, 08 Aug 2003 13:31:29 -0500
Hello all,
Just in case some other security professionals are looking at
identifying if their boxes have been exploited, I've typed up some
occurrences after a successful DCOM exploit.
- Windows XP SP 0 (haven't tried it on SP 1 yet)
Generates a System Shutdown message after a disconnect. The message
indicates that Windows must now restart because the RPC service terminated
unexpectedly.
- Windows 2000 Professional all SPs
A Service Control Manager error is reported on the Application Logs
with a message ID of 7031 indicating that RPC terminated unexpectedly. The
W2K boxes I've tested this on didn't allow me to view the event logs after
exploitation. A few mmc.exe error messages also appeared. A quick reboot
appeared to alleviate the event log viewing issue.
*Note* This is using the final universal DCOM exploit that was found on
http://cyruxnet.com.ar/rpcxploit2.htm. I've heard there is an exploit that
does not crash the port though, so an error may not be generated with that
exploit.
I'll try to include any new effect I manage to gather from my tests.
Did anyone else experience these types of behaviors? Thanks.
Michael De La Cruz
Information Security Officer
delacruzma@msn.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
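Added example (not part of the original post): one way to sweep exported event log records for the footprint described above, Service Control Manager event 7031 naming the RPC service. The CSV layout, host names and message wording are constructed for illustration. As the post notes, an exploit that does not crash the service may leave no such record, so an empty result does not clear a host.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: event log records exported to CSV (assumed column layout).
SAMPLE_EXPORT = """host,time,source,event_id,message
WS-014,2003-08-08 09:12:41,Service Control Manager,7031,"The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s)."
WS-014,2003-08-08 09:13:02,Service Control Manager,7036,"The Messenger service entered the stopped state."
WS-022,2003-08-08 10:01:17,Service Control Manager,7031,"The Print Spooler service terminated unexpectedly. It has done this 1 time(s)."
WS-031,2003-08-08 11:47:55,Service Control Manager,7031,"The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 2 time(s)."
WS-031,2003-08-08 11:52:10,Service Control Manager,7031,"The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 3 time(s)."
WS-040,2003-08-08 12:00:00,EventLog,6005,"The Event log service was started."
"""

RPC_MARKER = "remote procedure call (rpc)"


def find_rpc_crashes(export_text):
    """Return {host: [timestamps]} for SCM event 7031 records naming the RPC service."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["source"].strip() != "Service Control Manager":
            continue
        if row["event_id"].strip() != "7031":
            continue
        # 7031 is logged for any crashed service; keep only the RPC service.
        if RPC_MARKER not in row["message"].lower():
            continue
        hits[row["host"].strip()].append(row["time"].strip())
    return dict(hits)


def triage(export_text):
    """Order hosts by number of RPC terminations, most first, for follow-up."""
    hits = find_rpc_crashes(export_text)
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for host, times in triage(SAMPLE_EXPORT):
        print(f"{host}: {len(times)} RPC termination(s) at {', '.join(times)}")
```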