-
March 17th, 2004, 08:57 PM
#1
RPC DCOM Vulnerability Issue
Hello Everyone!
I have a question regarding alerts I've been getting on my Sygate Professional Firewall.
I get alerts stating, "Inbound DCE BIND to potentially vulnerable RPC DCOM interface attempt detected."
I've run all of my virus detection programs and come up with nothing and I have the patches from Microsoft up to date and I'm just puzzled about this.
After I get the small pop up telling me about this, my Sygate icon down by the clock flashes to let me know there is an alert. Does anyone know what I can do about this vulnerability? I'm getting this alert sometimes three times an hour and when I get one, to get the icon to quit flashing, I double click on it and get the security log and it re-sets the icon. Is the firewall still protecting when it's flashing....before I get it re-set?
I've run a backtrace on a lot of them and I see all the hops it has taken and then run a whois and they are coming from all over. Syracuse University, certain cable companies, etc.
Anyway, I would really appreciate any info you can give to help me know I'm protected from these attacks. I did run the free Sygate but bought the Professional version a couple of months ago. I've only had these frequent attack attempts in the past week or so.
I run XP home edition and connect via dial up. All my specs are listed below.
Thanks so much!!!!
Leigh Ann (AttaGirl42)
-
March 17th, 2004, 09:35 PM
#2
This issue (RPC DCOM subsystem vulnerabilities) goes back to last August/September. The headlines revolved around the Blaster worm. Here's the famous Security Bulletin MS03-039.
http://www.microsoft.com/security/se...s/ms03-039.asp
If you have all of your Updates and Patches, you may want to check out this option called the DCOMbobulator by Steve Gibson, which "..... allows any Windows user to quickly check their system's DCOM vulnerability, then simply shut down the unnecessary DCOM security risk."
http://www.grc.com/dcom/
It's been recommended here.
http://discussions.virtualdr.com/sho...=DCOMbobulator
-
March 17th, 2004, 09:59 PM
#3
Duane is SMACK dab on the money
Duane ( as usual ) is SMACK dab on this one...
MCSE+I NT4-XP,MCSA,CNA(5),CCNA,CCIE,SCOUnixAdmin,A+,Net+
-
March 17th, 2004, 10:04 PM
#4
Thanks Guys!!!
I will go check all that out right now!
Yes, I have the automatic update set for all my patches and security issues, but I go in and scan my system regularly to check for new updates and I also keep my anti virus agents updated with new definitions. I will go this route and hopefully get a handle on this pain in butt!
Thanks for your help!!!! I appreciate it!!
Leigh Ann (AttaGirl42)
-
March 18th, 2004, 04:01 AM
#5
Hi Duane and others,
I downloaded the software you mentioned above and it closed my DCOM for me and when I ran a check on my Port 135, it said it was stealthed. It said that if the port was not closed, it may be in use by Task Scheduler. I do not use the Task Scheduler and even checked and have no tasks scheduled. How do I disable it or whatever I need to do to close the Port?
I still had a couple of Alerts on my Firewall after closing the DCOM and even though the Port 135 is stealthed, it apparently is still being found.
If you could advise what I should do now, I would really appreciate it. I did a check of my Security patches again and windows update tells me there are none for me right now.
I read on Steve's DCOMbobulator site that the port needs to be closed, but it did not give directions on how to do this. In my settings and Task Scheduler, I clicked on the Advanced Tab at the top and clicked Stop Using Task Scheduler, but as I said, I had no tasks listed.
Thanks again!!
Leigh Ann (AttaGirl42)
-
March 18th, 2004, 06:03 AM
#6
Decisions to make
Task Scheduler is also used by Windows XP and is part of XP's "Prefetch" system for startup performance enhancement.
You must leave the Task Scheduler running for this feature to work. Your system may also depend upon Task Scheduler for anti-virus and other 3rd party updates.
So it may not be practical for you to shut down and disable the Task Scheduler, which involves 135.
If you're stealthed... Sometimes it's better to lay in a supply of rivotrill and take one a day instead of fretting about any and all possibilities on a home system.. RELAX and enjoy the web.
MCSE+I NT4-XP,MCSA,CNA(5),CCNA,CCIE,SCOUnixAdmin,A+,Net+
-
March 18th, 2004, 09:34 PM
#7
Originally posted by AttaGirl42
I still had a couple of Alerts on my Firewall after closing the DCOM and even though the Port 135 is stealthed, it apparently is still being found.
Remember that the firewall is only reporting that people are attempting to connect to those ports, it doesn't mean your system is actually allowing them. Those ports are popular for exploits, and there are a ton of scripts out there that troll the internet looking for PCs responding to those connections. Since you've got port 135 stealth'd (meaning the firewall prevents your computer from responding) and DCOM closed, these warnings are nothing more than an FYI.
It's basically someone knocking on your door to see if anyone's home, and the firewall prevents your PC from answering.
Generally speaking, personal firewalls like Sygate will prevent all incoming connections from the internet, unless you've explicitly allowed an application to act as a server. The good thing is that even if your system was unpatched and you were vulnerable to the DCOM exploit (and similar ones), the firewall would still have prevented the connection from the internet and you would not have been exposed.
If it makes you feel better, the firewall I use on my home network blocks anywhere from 15-300 connection attempts from the internet to various ports, per *hour*. That can seem intimidating, but it just means the firewall is doing its job.
Hope this helps...?
KV
-
March 18th, 2004, 11:36 PM
#8
Kv and everyone else,
Thanks for the advice and replies!! 
Yes, it does make me feel a lot better. I notice that the alerts are no longer critical after I closed the DCOM down and it is port scan alerts now. It says someone is scanning my computer. My firewall is blocking each IP address however.
Thanks for your help!!!!
Leigh Ann (AttaGirl42)