Re: RPC DCOM MS03-026 HACK
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 08/08/03
- Next message: Karl Levinson [x y] mvp: "Re: Disturbing Internet Explorer Exploit/Security Flaw (Scary)"
- Previous message: Lanwench [MVP - Exchange]: "Re: Discovering hidden shares"
- In reply to: JJ: "RPC DCOM MS03-026 HACK"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 8 Aug 2003 14:43:35 -0400
If you think the patch failed to protect you against further DCOM RPC
exploits, you could call Microsoft support for free at
www.microsoft.com/support
I'm pretty sure Microsoft has full time employees that do nothing but track
down warez sites, especially one so common that you found it through a quick
search. Removing such sites is hard with sites being in various countries
with various laws, and sites come up as quickly as others are brought down.
You really can't halt this sort of information, even if you wanted to.
Um, it sounds like you're not running a firewall. This is exactly why you
need to be running a firewall. There are even free firewalls out there.
http://securityadmin.info/faq.htm#firewall
Also, you don't just need one patch, you need them all, especially if you're
running a web server without a firewall. This is not the only exploit that
affects DCOM or RPC or that uses the NetBIOS ports.
Just disabling DCOM without running a firewall allows all sorts of things to
happen on other ports, such as your server leaking password hashes outbound
[this is reportedly a way that web servers are frequently hacked], people
installing remote access trojans or IRC back doors or keystroke loggers or
sniffers that send data outbound, etc.
Once a server is compromised, just installing a patch is not necessarily
enough. Installing a patch does nothing to stop the FTP server or remote
control back door that could have been on your server. Are you sure the
"second hack" happened through DCOM? Or through this particular
vulnerability?
Here are some other things you may want to do to secure the server:
http://securityadmin.info/faq.htm#harden
also:
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#ftpfolder
Hope this is useful?
"JJ" <nospam> wrote in message
news:3f3272cd$0$18494$cc9e4d1f@news.dial.pipex.com...
> Hi,
>
> I have a win2k server which until recently had no problems.
> 2 Weeks ago I installed all available updates including SP4.
>
> I then went on holiday for a week.
> In that time, my machine was hacked using the DCOM exploit.
> It shows up in the event log as dcom calls, then the rpc stops working and
> gradually all the web sites fail as visitors access them.
>
> I had no idea what had happened, and didn't realise that my machine had
> been hacked.
> However I installed the 2 critical updates on the server which became
> available through windows update last week.
>
> The RPC/DCOM still happened after that though, so I installed the MS03-026
> patch on its own.
> After that the RPC/DCOM exploit happened again, so I can only presume that
> the Microsoft patch did not fix my server.
> In hindsight, perhaps this was as the result of something the hackers did.
>
> Anyway, as the websites kept failing (The server was ok apart from iis) I
> kept investigating.
> I searched for files which had been created in the last week, and guess
> what I found...!!!!!!
> A whole stack of German DVD's!!!, an FTP server, A back door service, and
> other dodgy files.
>
> I have since removed the files, and resecured the server as much as
> possible. Clearly the only real option is to reformat the drive, but I am
> hoping that perhaps the hackers will leave me alone as I discovered the
> ftp stuff quickly.
>
> On my travels though I thought I'd see exactly how the hackers are doing
> this stuff, seeing as this information would clearly be useful to protect
> a system. The most interesting site I found was a site (I was going to
> mention it, but I'd better not) which literally had code to perform the
> dcom exploit and also a port scanner 'x-scan' to locate vulnerable
> computers.
>
> Microsoft really needs to be looking at this site in particular, as most
> other sites seem to get their info from it.
> Additionally the site also mentions that the MS03-026 fix does not fix all
> systems.
>
> To summarise, this is an extremely dodgy business to be in, and all I can
> suggest is a ghost type backup every night to save massive reconfiguring!
>
> Any Comments are welcome!
>
> JJ
>
>
>
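JJ found the FTP server and back door by listing files created in the last week; Karl's point is that after a compromise you have to hunt for exactly that kind of leftover rather than rely on the patch. The triage helper below is an added example written for this thread, not code from either poster: it walks a tree, keeps files whose timestamp falls inside a window, and tags the ones a responder would look at first (executables and media/archives). The extension lists and the sample directory layout are constructed assumptions.

```python
"""Triage helper: list files created or modified inside a time window,
the check JJ used to find the FTP server and back door on his Win2k box.
Added example, not code from the thread; the sample tree is constructed."""
import os
import tempfile
import time
from pathlib import Path

# Extensions worth a second look on a compromised IIS/FTP host (assumption:
# an illustrative list, not an exhaustive one).
EXECUTABLE = {".exe", ".dll", ".bat", ".cmd", ".vbs", ".scr"}
MEDIA_OR_ARCHIVE = {".avi", ".mpg", ".iso", ".rar", ".zip", ".bin"}


def classify(path):
    ext = Path(path).suffix.lower()
    if ext in EXECUTABLE:
        return "executable"
    if ext in MEDIA_OR_ARCHIVE:
        return "media/archive"
    return "other"


def recent_files(root, days=7, now=None, time_of=lambda st: st.st_mtime):
    """Return [(path, age_days, category)] for files whose timestamp falls
    inside the window, newest first.  time_of defaults to st_mtime; on
    Windows pass lambda st: st.st_ctime to use the real creation time."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or unreadable; skip it, don't abort the sweep
            ts = time_of(st)
            if ts >= cutoff:
                hits.append((full, (now - ts) / 86400, classify(full)))
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_tree(base=None):
    """Constructed sample: an old legitimate site plus fresh files of the
    kinds JJ found (an FTP daemon, a batch script, a DVD rip)."""
    base = tempfile.mkdtemp() if base is None else base
    now = time.time()
    layout = {"wwwroot/index.htm": 30, "wwwroot/img/logo.gif": 40,
              "inetpub/ftproot/ftpd.exe": 1, "winnt/temp/start.bat": 2,
              "inetpub/ftproot/movie/german.avi": 3}  # name: age in days
    for rel, age in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        os.utime(p, (now - age * 86400, now - age * 86400))
    return base, now
```

Run `build_sample_tree()` and pass its path to `recent_files()` to see the three fresh files surface ahead of the month-old site content; against a real server point it at the web and FTP roots.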