Author Topic: DCOM exploit attack  (Read 19628 times)


samnetx

  • Guest
DCOM exploit attack
« on: May 24, 2009, 05:07:19 PM »
I have had the following DCOM exploit attacks in the last few days.
avast Network Shield blocked the following attacks:

23.05.2009  16:42:07  DCOM Exploit attack
    from 59.94.210.157:135
23.05.2009  16:48:20  DCOM Exploit attack
    from 59.94.41.159:135
24.05.2009  20:18:08  DCOM Exploit attack
    from 59.94.181.50:135
24.05.2009  20:19:06  DCOM Exploit attack
    from 59.94.209.166:135
24.05.2009  20:23:30  DCOM Exploit attack
    from 59.94.8.153:135
24.05.2009  20:25:09  DCOM Exploit attack
    from 59.94.74.150:135
24.05.2009  20:26:02  DCOM Exploit attack
    from 59.94.102.171:135
24.05.2009  20:27:27  DCOM Exploit attack
    from 59.94.180.240:135
24.05.2009  20:28:17  DCOM Exploit attack
    from 59.94.43.124:135

I feel my computer is not safe.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: DCOM exploit attack
« Reply #1 on: May 24, 2009, 05:14:34 PM »
On the contrary I think it is safe as avast has blocked these attacks.

However, your firewall really should have been the one to block these attacks. What is your firewall?

These DCOM attacks are speculative and not targeted directly on your system, they use randomly generated IP addresses to try and find if you are vulnerable to a DCOM exploit. Even if the DCOM exploit attempt got past your firewall and avast, if your OS is up to date it isn't vulnerable to the DCOM exploit.

- What operating system are you using? Is it up to date?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: DCOM exploit attack
« Reply #2 on: May 24, 2009, 05:27:13 PM »
Hi DavidR,

He can check that here: http://www2.montana.edu/desktop/rpc.htm

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

samnetx

  • Guest
Re: DCOM exploit attack
« Reply #3 on: May 24, 2009, 06:15:53 PM »
Hi DavidR,

I recently uninstalled my Outpost firewall because I am having downloading problems. After all this my computer is regularly attacked by DCOM exploit attacks, and the attacks are still going on whenever I connect to the internet.

I am using Windows XP SP3, updated regularly.




Offline DavidR

Re: DCOM exploit attack
« Reply #4 on: May 24, 2009, 06:35:45 PM »
Then you aren't vulnerable to the exploit. That, however, doesn't stop these speculative attacks, and believe me they are always going on; it is just that your firewall normally blocks them, so you are normally unaware of them.

Having uninstalled Outpost, now you are seeing the avast network shield take up some of the slack, but it isn't a full firewall (not even close), so you need an active firewall and preferably one like Outpost that provides outbound protection. I have never had problems with downloads with Outpost Firewall Pro and I have been using Outpost in one version or another for over 6 years.

Having uninstalled Outpost, did you not enable the Windows firewall, as that too should protect against this?

samnetx

  • Guest
Re: DCOM exploit attack
« Reply #5 on: May 24, 2009, 07:06:55 PM »
Now I have enabled my Windows firewall and the attacks are gone.

Mr.Agent

  • Guest
Re: DCOM exploit attack
« Reply #6 on: May 24, 2009, 07:14:14 PM »
Good. Never leave your PC without a firewall. If you feel unsafe you can do a boot-time scan to see if there is any malicious virus.

Mr.Agent

Offline DavidR

Re: DCOM exploit attack
« Reply #7 on: May 24, 2009, 08:16:11 PM »
"Now I have enabled my Windows firewall and the attacks are gone."

Not gone but taken care of at firewall level, rather than by avast ;D

Though you really need to consider a third party firewall.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

samnetx

  • Guest
Re: DCOM exploit attack
« Reply #8 on: May 25, 2009, 10:59:57 AM »
Now, after the DCOM attacks, whenever I connect my computer to the internet my IP address always starts with 59.94.---.---
How do I fix this?
« Last Edit: May 25, 2009, 11:10:46 AM by samnetx »

Offline DavidR

Re: DCOM exploit attack
« Reply #9 on: May 25, 2009, 03:37:38 PM »
That has nothing to do with DCOM attacks, for a start they didn't get into your system and your system being up to date isn't vulnerable.

Your IP is dynamically assigned by your ISP and would generally always begin with the same two groups of numbers, see image. Your first two groups fall within this range and this is likely to be your ISP or whoever provides the ISP with its connection.

So what this shows is that the DCOM attacks came from within the ISP customer base, and that was most likely an infected user's system trying to infect other systems.
« Last Edit: May 25, 2009, 03:39:10 PM by DavidR »
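The check described in the last reply, as an added example that is not part of the original thread and not avast's own code: it parses Network Shield entries in the format shown in the first post and measures how many blocked sources sit in the same range as your own address. The /16 prefix length (the "first two groups" of the address) and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Subset of the entries posted in the first message of this thread.
SAMPLE_LOG = """\
23.05.2009  16:42:07  DCOM Exploit attack
    from 59.94.210.157:135
24.05.2009  20:18:08  DCOM Exploit attack
    from 59.94.181.50:135
24.05.2009  20:19:06  DCOM Exploit attack
    from 59.94.209.166:135
"""

# One entry spans two lines: "date  time  name" then "    from ip:port".
ENTRY = re.compile(
    r"(\d{2}\.\d{2}\.\d{4})\s+(\d{2}:\d{2}:\d{2})\s+(.+?)\s*\n"
    r"\s+from\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)

def parse_log(text):
    """Return (timestamp, detection name, source address, port) tuples."""
    events = []
    for date, time, name, ip, port in ENTRY.findall(text):
        try:
            src = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip entries whose address is not valid IPv4
        when = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
        events.append((when, name, src, int(port)))
    return events

def sources_by_prefix(events, prefix_len=16):
    """Count blocked sources per network of the given prefix length."""
    counts = Counter()
    for _, _, src, _ in events:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts

def share_in_own_range(events, own_network):
    """Fraction of sources inside the range your own address comes from."""
    own = ipaddress.ip_network(own_network)
    if not events:
        return 0.0
    return sum(1 for e in events if e[2] in own) / len(events)
```

A share close to 1.0 for the range your ISP assigns you matches the explanation above: the probes come from other customers on the same provider, not from a compromise of your own machine.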