RE: attempt to launch a DCOM server?
From: runifoc (runifoc_at_bellsouth.net)
Date: 08/14/03
- Previous message: Thomas F. Szabo: "RE: New variant. Blast.b"
- In reply to: Vincent Aikema: "RE: attempt to launch a DCOM server?"
- Next in thread: Mike O'Toole: "RE: attempt to launch a DCOM server?"
To: <focus-ms@securityfocus.com>
Date: Thu, 14 Aug 2003 06:32:05 -0500
http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fbin%2Fkbsearch.asp%3FArticle%3D303685
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q298/0/95.ASP&NoWebContent=1
The first article claims this problem was fixed with Windows 2000 SP3. The
second states that the error messages are benign and can be safely ignored.
Apparently, it is caused by certain DCOM services starting in the wrong
order.
James
-----Original Message-----
From: Vincent Aikema [mailto:vaikema@hotmail.com]
Sent: Wednesday, August 13, 2003 6:02 AM
To: geoffreyshorter@hotmail.com
Cc: focus-ms@securityfocus.com
Subject: RE: attempt to launch a DCOM server?
I've seen the same error that Geof reported. It appears on just one of my
servers here...about 3 times per day. The error first appeared AFTER I
patched the server over a week ago. In my case the "originating user" is in
a separate (country) network linked via a VPN with no firewall in between.
My initial obvious conclusion was that the user installed some exploit
utility either intentionally or unintentionally and it is being run
automatically. However the local admin there hasn't discovered any problem
on that user's PC, but is still pursuing it. My main concern now is what
did it do on the server BEFORE it was patched last week. I don't see
anything abnormal, but...
If anyone has any info on this, I'd also like to know :-)
Ciao,
Vincent
-----Original Message-----
From: Geoffrey Shorter [mailto:geoffreyshorter@hotmail.com]
Sent: Tuesday, August 12, 2003 9:36 PM
To: focus-ms@securityfocus.com
Subject: attempt to launch a DCOM server?
One of our machines, which we know is patched against the RPC DCOM
vulnerability, reported this at 12:16:33 this afternoon:
System Error 10002
Access denied attempting to launch a DCOM Server.The server is:{<bunch of
numbers here>}The user is <servicename>/<servername>,
SID=S-1-5-21-00000000000-000000000-0000000000-0000.
Names and numbers changed/removed to protect the innocent, of course... :)
Is the above an indication of someone attempting to exploit the RPC DCOM
vulnerability?
Anyone know?
Thanks.
geof