RE: attempt to launch a DCOM server?

From: Majwabu, Richard (RMAJWABU_at_GAPAC.com)
Date: 08/14/03

    To: 'Mike O'Toole' <hoople_ny@yahoo.com>, 'Vincent Aikema' <vaikema@hotmail.com>
    Date: Thu, 14 Aug 2003 13:30:18 -0400
    
    

    One interesting thing on one of my servers: in the event viewer, the user attempting to use DCOM is the IUSR account. All my applications that use DCOM are assigned specific accounts to use. I am very curious about this.

    -----Original Message-----
    From: Mike O'Toole [mailto:hoople_ny@yahoo.com]
    Sent: Wednesday, August 13, 2003 6:56 PM
    To: 'Vincent Aikema'
    Cc: focus-ms@securityfocus.com
    Subject: RE: attempt to launch a DCOM server?

    I've seen this error (at boot up) when some application is trying to
    launch the 'IISAdmin Service' to enable its web management interface.
    This was on a server that once had IIS in use, but when it was
    decommissioned the IIS services were set to the 'disabled' startup state.

    Mike

    > -----Original Message-----
    > From: Vincent Aikema [mailto:vaikema@hotmail.com]
    > Sent: Wednesday, August 13, 2003 7:02 AM
    > To: geoffreyshorter@hotmail.com
    > Cc: focus-ms@securityfocus.com
    > Subject: RE: attempt to launch a DCOM server?
    >
    >
    > I've seen the same error that Geof reported. It appears on
    > just one of my servers here...about 3 times per day. The
    > error first appeared AFTER I patched the server over a week
    > ago. In my case the "originating user" is in a separate
    > (country) network linked via a VPN with no firewall in between.
    >
    > My initial obvious conclusion was that the user installed
    > some exploit utility either intentionally or unintentionally
    > and it is being run automatically. However the local admin
    > there hasn't discovered any problem on that user's PC, but
    > is still pursuing it. My main concern now is what
    > did it do on the server BEFORE it was patched last week.
    > I don't see anything abnormal, but...
    >
    > If anyone has any info on this, I'd also like to know :-)
    >
    > Ciao,
    > Vincent
    >
    >
    > -----Original Message-----
    > From: Geoffrey Shorter [mailto:geoffreyshorter@hotmail.com]
    > Sent: Tuesday, August 12, 2003 9:36 PM
    > To: focus-ms@securityfocus.com
    > Subject: attempt to launch a DCOM server?
    >
    > One of our machines, which we know is patched against the RPC DCOM
    > vulnerability, reported this at 12:16:33 this afternoon:
    >
    > System Error 10002
    > Access denied attempting to launch a DCOM Server. The server
    > is: {<bunch of numbers here>} The user is <servicename>/<servername>,
    > SID=S-1-5-21-00000000000-000000000-0000000000-0000.
    >
    > Names and numbers changed/removed to protect the innocent, of
    > course... :)
    >
    > Is the above an indication of someone attempting to exploit
    > the RPC DCOM
    > vulnerability?
    >
    > Anyone know?
    >
    > Thanks.
    > geof
    >

    ---------------------------------------------------------------------------
    Your network firewall and IDS products do not prevent Web application
    attacks - the most common form of online exploitation- resulting in Web
    defacement, data theft, sabotage and fraud.
    KaVaDo is the only company that provides a complete suite of Web
    application security products.
    Download a FREE whitepaper on "Security Policy Automation for Web
    Applications":http://www.securityfocus.com/Kavado-focus-ms
    ---------------------------------------------------------------------------
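    Added example (not part of the thread, and not Microsoft's tooling): a PowerShell triage script for the event the thread is arguing about. It pulls recent DCOM launch-denied events from the System log, extracts the server CLSID and the caller's SID from the message text, resolves the CLSID to its registered AppID and friendly name, and decodes that AppID's LaunchPermission descriptor to SDDL so you can see who is allowed to launch it. That lets you answer the question the posters are circling (is the caller the service account the application was configured with, or something else like IUSR?) without guessing. Assumptions, all labelled in the code: a current Windows with PowerShell 5 or later run elevated, the provider name `Microsoft-Windows-DistributedCOM` and event IDs 10002/10016 (the 2003-era source was simply "DCOM"), and the standard `HKCR\CLSID\{clsid}\AppID` to `HKCR\AppID\{appid}` registry layout. The sample message at the bottom is constructed so the parser can be exercised offline; its SID is made up.

```powershell
# Added example, not from the original thread. Assumes Windows with PowerShell 5+,
# run elevated; provider name and event IDs below are those of current Windows
# (the 2003-era event source was "DCOM"). Registry layout assumed standard:
#   HKCR\CLSID\{clsid}  -> value "AppID"
#   HKCR\AppID\{appid}  -> default value = friendly name, "LaunchPermission" = binary SD

function ConvertFrom-DcomLaunchMessage {
    # Parse the text of a 10002/10016-style event into CLSID, AppID (10016 only) and caller SID.
    param([Parameter(Mandatory)][string]$Message)
    $guidRe = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $guids  = @([regex]::Matches($Message, $guidRe) | ForEach-Object { $_.Value.ToUpper() })
    $sid    = [regex]::Match($Message, 'S-1-5(?:-\d+)+').Value
    [pscustomobject]@{
        Clsid = if ($guids.Count -ge 1) { $guids[0] } else { $null }
        AppId = if ($guids.Count -ge 2) { $guids[1] } else { $null }   # 10016 names both GUIDs
        Sid   = if ($sid) { $sid } else { $null }
    }
}

function Resolve-DcomServer {
    # Map CLSID -> AppID -> friendly name and decode the per-AppID launch ACL to SDDL.
    param([string]$Clsid, [string]$AppId)
    if (-not $AppId -and $Clsid) {
        $AppId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" `
                  -ErrorAction SilentlyContinue).AppID
    }
    $name = $null; $sddl = $null
    if ($AppId) {
        $key = Get-Item "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction SilentlyContinue
        if ($key) {
            $name  = $key.GetValue('')                    # default value holds the display name
            $bytes = $key.GetValue('LaunchPermission')    # self-relative security descriptor
            if ($bytes) {
                $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor `
                        -ArgumentList @(,$bytes), 0
                $sddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
            } else {
                # No per-AppID ACL: the machine-wide HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission applies.
                $sddl = '(no per-AppID LaunchPermission; machine default applies)'
            }
        }
    }
    [pscustomobject]@{ Clsid = $Clsid; AppId = $AppId; Name = $name; LaunchPermissionSddl = $sddl }
}

function Resolve-CallerSid {
    # Turn the SID from the event into DOMAIN\name; keep the raw SID if it no longer resolves.
    param([string]$Sid)
    if (-not $Sid) { return $null }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { "$Sid (unresolved)" }
}

function Get-DcomLaunchDenials {
    # Live query: last $Last DCOM launch/activation denials, joined with registry facts.
    param([int]$Last = 20)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10002, 10016 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Last -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = ConvertFrom-DcomLaunchMessage -Message $_.Message
        $r = Resolve-DcomServer -Clsid $p.Clsid -AppId $p.AppId
        [pscustomobject]@{
            Time             = $_.TimeCreated
            EventId          = $_.Id
            Server           = $r.Name
            Clsid            = $r.Clsid
            AppId            = $r.AppId
            Caller           = Resolve-CallerSid -Sid $p.Sid
            LaunchPermission = $r.LaunchPermissionSddl
        }
    }
}

# Constructed sample (not a real log line) so the parser can be checked offline.
# The CLSID is the well-known ShellWindows class; the SID is invented.
$sample = 'Access denied attempting to launch a DCOM Server. The server is: ' +
          '{9BA05972-F6A8-11CF-A442-00A0C90A8F39} The user is IUSR_WEB01/WEB01, ' +
          'SID=S-1-5-21-1004336348-1177238915-682003330-1004.'
ConvertFrom-DcomLaunchMessage -Message $sample | Format-List

# On a real host, run the live query and compare Caller with the account each
# DCOM application was configured to run as (dcomcnfg, Identity tab):
Get-DcomLaunchDenials -Last 20 | Format-Table -AutoSize
```

Reading the output: a caller that matches the identity the application was configured with points at a permission or misconfiguration problem, not an attack; a caller that is an unexpected account (the IUSR account in Richard's case, or a remote user over a VPN in Vincent's) tells you which process to go and look at on the originating machine. The SDDL from LaunchPermission is what you tighten if the ACL turns out to be wider than intended, and if the value is absent the machine-wide DefaultLaunchPermission is the ACL to review.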
