XP+SHUTDOWN ..RPC Error


healtheworld
08-12-2003, 12:56 AM
RPC SHUTDOWN xp flaw..
Well experts,
Thanks cnn for providing early alerts about the xp rpc flaw. I have read the whole thread. Really impressed by the response. I'm working for Dell Tech Support. Dell support lines are jammed because of this issue. Nearly 85% of Dell systems (Home and Small Business) are infected by this. Now we have received a lot of mails from Dell experts. I just want to know from you guys which one of them is the best solution.

I KNOW DOWNLOADING THE LATEST PATCH, BUT WHICH ONE OF THEM IS BEST TO PREVENT ABNORMAL SHUTDOWN.


I have gone through these threads also

http://www.security-forums.com/foru...opic.php?t=7266

http://www.security-forums.com/foru...opic.php?t=7105


Some Fixes
========
1. <http://vil.mcafee.com/dispVirus.asp?virus_k=100499>
****
2.
****
Run Dcomcnfg.exe.

If you are running Windows XP or Windows Server 2003, perform these additional steps:

Under Console Root, click Component Services.
Open the Computers subfolder.
For a local computer, right-click My Computer, and then click Properties.
For a remote computer, right-click the Computers folder, point to New, and then click Computer. Type the computer name. Right-click the computer name, and then click Properties.
Click the Default Properties tab.
Click to select (or click to clear) the Enable Distributed COM on this Computer check box.
If you will be setting more properties for this computer, click the Apply button to enable (or to disable) DCOM. Otherwise, click OK to apply the changes.

3.
****
Try this: go to safe mode, disable all under startup and then also under services. Recheck the Plug and Play, RPC and RPC Locator, and System Restore services.

Then reboot to normal mode.
This is not a Virus it is a hacking attempt.
removing the cable for the cable modem and the phone line will help.

5.
*****
Disconnect the system from the internet.
Reboot the system
Enable the Internet Connection Firewall (XP's inbuilt firewall -- Advanced settings in the properties of the LAN or the Dial-up connection)

Reconnect to the internet
Then download the patch from http://microsoft.com/technet/treevi...in/MS03-026.asp

Apply the patch.

6
*****

http://securityresponse.symantec.co...aster.worm.html


7
*******

Boot in Safe Mode-->Go to Start>Control Panel.
Click on the Switch to Classic view.
Go to Administrative Tools.
Go to Services.
Select the Remote Procedure Call and double click on the service.
Go to Recovery.
Go to First Failure: Change it to take no action.
Click on Apply and OK.
Click on the network connections.
Right click on the LAN or the dial-up Connection.
Click on the Properties.
Click on the check box which enables the XP Firewall.
Click on Apply and OK.
Reboot the system in the normal mode.

Then guide the customer to download the patch from the Microsoft site.
http://microsoft.com/downloads/deta...&displaylang=en

==============================================
Sometimes it gives an error regarding TFTP

*******************************************************
Any answer for the TFTP error?
Some important info from a newsgroup
=====================

FYI, the presence of the files Dcomx.exe or the other files mentioned below along with a "Remote Procedure Call" or TFTP popup message on your system and/or system lockups or reboots are signs you may have been hacked by a tool such as Autorooter. [TFTP.EXE is a normal file that comes with many versions of Windows, but it should usually not be running on most systems.]

To fix this:
4. Click on "Start, Find/Search, Files or Folders" to search your hard drive for any of the following file names. If any of the files below are found, you may need additional help getting rid of them and determining what else, if anything, was changed on your computer.
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe

I do believe there may be new variants of Autorooter that possibly have not yet been fully discovered. Unlike an automated event like a worm, this event may indicate that someone personally ran a tool against you and may have done things to your computer.

There are a number of posts mentioning a quick "registry fix" to close "port 135." This does very little to secure your computer, as it only closes one of the 130,000 ports on your computer. Get a firewall first, even a free one.

Also, note that the presence of new files such as TFTPxxxx or DCOMX.EXE etc. means that just installing the latest Microsoft patches, editing the registry, etc. may no longer be sufficient. Installing the Microsoft patch, editing the registry, closing ports, disabling services, etc. do absolutely nothing to block the back door that has probably now been installed, so that your computer can still be compromised using other ports.

Once your computer has been hacked, these are some things I might recommend doing:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

The Autorooter Trojan has been given several different names by various anti-virus companies [although I believe some people are being attacked by something that is similar but not exactly the same as Autorooter]:

RPC Worm (F-Secure)
Downloader-DM (McAfee)
Autorooter (Panda)
Worm.Win32.Autorooter (AVP)
Backdoor.IRC.Cirebot (Symantec)

References:

http://www.europe.f-secure.com/v-descs/rpc.shtml
http://vil.nai.com/vil/content/v_100524.htm
http://securityresponse.symantec.co...oor.irc.cirebot..html
http://news.com.com/2100%2D1009%2D5059263.html
http://www.microsoft.com/technet/se...in/MS03-026.asp
http://www.microsoft.com/security/s...ns/MS03-026.asp
http://support.microsoft.com/?kbid=823980


Here are some signs of infection, though these do not necessarily match all the variants that might be out there:

"Signs of infection:
- the existence of one or more of the following files:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe

Signs that a network is being attacked:
- traffic on port 445 to sequential IP addresses.

Signs that an attack has succeeded (allowing a remote shell and downloading of the backdoor):
- port 57005 open;
- an ftp [tftp] connection on port 69."
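
The indicators quoted above (suspect file names, port-445 traffic to sequential addresses, an accepted connection on port 57005, and a TFTP transfer on port 69) can be checked mechanically. The script below is an added example written for this thread, not code from the original post or from any of the vendors it links; the log line format and the sample log and directory listing are constructed for the example, and the threshold of three consecutive addresses for a "sweep" is an assumption.

```python
"""Added example: look for the compromise signs quoted in the thread.

Checks (1) a connection log for port-445 sweeps across sequential IPs,
accepted inbound connections on port 57005, and UDP traffic to port 69
(TFTP), and (2) a directory listing for the file names the post lists.
"""
import ipaddress
import re
from collections import defaultdict

# File names the thread lists as signs of an Autorooter-style compromise.
# tftp.exe (the normal Windows client) is deliberately NOT in this set.
SUSPECT_FILES = {"rpc.exe", "rpctest.exe", "tftpd.exe", "dcomx.exe", "lolx.exe", "worm.exe"}

# Constructed log format (an assumption, not any real product's format):
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample traffic: one source sweeps port 445 across consecutive
# addresses, one victim then accepts a connection on 57005 and pulls a file
# back over TFTP (udp/69). The last line is ordinary web traffic.
SAMPLE_LOG = """\
2003-08-12T00:10:01 tcp 10.0.0.5:1034 -> 192.168.1.10:445 syn
2003-08-12T00:10:01 tcp 10.0.0.5:1035 -> 192.168.1.11:445 syn
2003-08-12T00:10:02 tcp 10.0.0.5:1036 -> 192.168.1.12:445 syn
2003-08-12T00:10:02 tcp 10.0.0.5:1037 -> 192.168.1.13:445 syn
2003-08-12T00:10:09 tcp 10.0.0.5:1040 -> 192.168.1.12:135 accept
2003-08-12T00:10:11 tcp 10.0.0.5:1041 -> 192.168.1.12:57005 accept
2003-08-12T00:10:12 udp 192.168.1.12:1042 -> 10.0.0.5:69 accept
2003-08-12T00:15:00 tcp 172.16.4.2:3322 -> 192.168.1.20:80 accept
"""


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def longest_consecutive_run(addresses):
    """Length of the longest run of numerically adjacent IPv4 addresses."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_port445_sweeps(events, min_run=3):
    """(source, run length) for sources hitting >= min_run sequential IPs on tcp/445."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 445:
            targets[e["src"]].add(e["dst"])
    hits = []
    for src, dsts in sorted(targets.items()):
        run = longest_consecutive_run(dsts)
        if run >= min_run:
            hits.append((src, run))
    return hits


def find_port57005_hosts(events):
    """Hosts that accepted an inbound TCP connection on 57005 (the remote shell port quoted above)."""
    return sorted({e["dst"] for e in events
                   if e["proto"] == "tcp" and e["dport"] == 57005 and e["action"] == "accept"})


def find_tftp_transfers(events):
    """(client, server) pairs for UDP traffic to port 69, i.e. a TFTP download."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if e["proto"] == "udp" and e["dport"] == 69})


def find_suspect_files(file_names):
    """Case-insensitive match of a directory listing against the thread's file list."""
    return sorted({n.lower() for n in file_names if n.lower() in SUSPECT_FILES})


def analyze(log_text):
    """Run all three network checks over one log and return the findings."""
    events = parse_log(log_text)
    return {
        "port445_sweeps": find_port445_sweeps(events),
        "port57005_hosts": find_port57005_hosts(events),
        "tftp_transfers": find_tftp_transfers(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    # Constructed listing: DCOMX.EXE is flagged, tftp.exe (normal Windows file) is not.
    print("suspect files:", find_suspect_files(["notepad.exe", "DCOMX.EXE", "tftp.exe"]))
```

On the sample log the sweep check attributes a run of four consecutive targets to 10.0.0.5, 192.168.1.12 is reported for both the 57005 connection and the TFTP pull, and the file check flags only dcomx.exe, leaving the legitimate tftp.exe alone as the post's bracketed note advises.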

TiMeCuBE
08-13-2003, 12:57 PM
I had the worm on August 5th and I thought my friend had transferred it to me, but then he sent me this patch and I didn't get the abnormal shutdown again.

http://microsoft.com/downloads/details.aspx?FamilyId=94213569-3258-4439-9AE7-5D86813B4D9E&displaylang=en

I hope that this helps you, I'm no expert on the subject.

mairving
08-13-2003, 01:52 PM
There are no known instances of the Blaster virus before 8/11/2003. Prior to that there were port scans run for open 135 ports. Adding a patch will keep you from getting it but it won't help if you already had it. So you probably didn't have it, you were probably just being scanned.

If you did have it on August 5th, you need to tell some of the virus people about it, since that would mean that someone close to you had written it.

TiMeCuBE
08-13-2003, 06:06 PM
OK, well my friend did tell me that the shutdown meant that the virus was unable to install. RenegadeKing is in fact this friend. But for some reason me and another friend (same ISP and same area of town) both got constant shutdowns on August 5th. No one else was getting it and no one had a clue... Even on PCMech no one knew exactly what it was for a couple of days. We got the Windows patch and it stopped. So I don't think I ever had the virus, but if RenegadeKing was correct it was attempting to install on my computer. At the time I was DMZ hosting (stupid me).