RE: attempt to launch a DCOM server?
From: Mike O'Toole (hoople_ny_at_yahoo.com)
Date: 08/14/03
To: "'Vincent Aikema'" <vaikema@hotmail.com>
Date: Wed, 13 Aug 2003 18:56:24 -0400
I've seen this error (at boot up) when some application is trying to
launch the 'IISAdmin Service' to enable its web management interface.
This was on a server that once had IIS in use, but when it was
decommissioned the IIS services were set to 'disabled' startup state.
Mike
> -----Original Message-----
> From: Vincent Aikema [mailto:vaikema@hotmail.com]
> Sent: Wednesday, August 13, 2003 7:02 AM
> To: geoffreyshorter@hotmail.com
> Cc: focus-ms@securityfocus.com
> Subject: RE: attempt to launch a DCOM server?
>
>
> I've seen the same error that Geof reported. It appears on
> just one of my servers here...about 3 times per day. The
> error first appeared AFTER I patched the server over a week
> ago. In my case the "originating user" is in a separate
> (country) network linked via a vpn with no firewall in between.
>
> My initial obvious conclusion was that the user installed
> some exploit utility either intentionally or unintentionally
> and it is being run automatically. However the local admin
> there hasn't discovered any problem on that user's PC, but
> is still pursuing it. My main concern now is what
> did it do on the server BEFORE it was patched last week.
> I don't see anything abnormal, but...
>
> If anyone has any info on this, I'd also like to know :-)
>
> Ciao,
> Vincent
>
>
> -----Original Message-----
> From: Geoffrey Shorter [mailto:geoffreyshorter@hotmail.com]
> Sent: Tuesday, August 12, 2003 9:36 PM
> To: focus-ms@securityfocus.com
> Subject: attempt to launch a DCOM server?
>
> One of our machines, which we know is patched against the RPC DCOM
> vulnerability, reported this at 12:16:33 this afternoon:
>
> System Error 10002
> Access denied attempting to launch a DCOM Server.The server
> is:{<bunch of
> numbers here>}The user is <servicename>/<servername>,
> SID=S-1-5-21-00000000000-000000000-0000000000-0000.
>
> Names and numbers changed/removed to protect the innocent, of
> course... :)
>
> Is the above an indication of someone attempting to exploit
> the RPC DCOM
> vulnerability?
>
> Anyone know?
>
> Thanks.
> geof
>