Author Topic: DCOM Exploits linked to ISP?  (Read 5858 times)

Turaiel

  • Guest
DCOM Exploits linked to ISP?
« on: November 25, 2010, 04:06:53 AM »
I've been getting a lot of DCOM Exploits, or so they seem to be. It only seems to occur on AT&T's dialup, and it comes from another (somewhat local) dialup address.

12.75.57.11:135/tcp

I've already run DCOMbobulator, and disabled it (the thing couldn't tell if DCOM was safe though, for some reason).

At any rate, I've been getting alerts from Avast every few minutes, even when I'm not on any websites. I'm kind of getting the feeling that Avast is just detecting corrupted packets incorrectly (after all, it IS dialup). Can anyone look into this?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: DCOM Exploits linked to ISP?
« Reply #1 on: November 25, 2010, 04:38:36 AM »
First, DCOMbobulator is a waste of time as that is at system level and it is an external exploit attempt which would still be blocked before decombob got to it.

It is indirectly linked to your ISP, in that it is more than likely one of its customers' systems which is infected and trying to spread the infection.

~~~~
- DCOM attacks are speculative, not targeted, and try to exploit a vulnerability in an out-of-date OS; if your OS is up to date then you aren't vulnerable to the exploit. That doesn't stop them (usually someone from the same ISP with an infected computer) trying to see if they can infect others.

Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield. Ideally the firewall should block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.

What is your firewall?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Turaiel

  • Guest
Re: DCOM Exploits linked to ISP?
« Reply #2 on: November 25, 2010, 04:47:46 AM »
Well that's a tiny bit obnoxious that I'm being affected just because of my ISP. Anyway, I'm using Windows Firewall, because I really don't see a need for anything more than that.

Altarir.

  • Guest
Re: DCOM Exploits linked to ISP?
« Reply #3 on: November 25, 2010, 05:03:39 AM »
Try closing port 135 using Windows Worms Doors Cleaner; it should help.

Offline DavidR

Re: DCOM Exploits linked to ISP?
« Reply #4 on: November 25, 2010, 01:43:43 PM »
> Well that's a tiny bit obnoxious that I'm being affected just because of my ISP. Anyway, I'm using Windows Firewall, because I really don't see a need for anything more than that.

Your ISP can hardly be responsible for every user's system being clean and they can't arbitrarily block all port 135 traffic as it also has a legitimate purpose.

You could report the attacks (which as I said are randomly generated and not targeted) to AT&T. You would have to have the exact times of the attacks as ISPs dynamically assign IP addresses (or they may not have enough) to their customers, so that same IP could be assigned to many different users over the course of a day/week/month, etc.

Though I don't know if AT&T would be able to do a great deal about it, as I said these attacks aren't targeted so there is the possibility that they go away as quickly as they arrived. If they don't do anything about it then you would obviously have to make a decision on their lack of customer service.

The Windows firewall should stealth your system, but when someone is using randomly selected IP addresses within a range of IPs, it doesn't matter if your system is stealthed or not, as it isn't specifically looking for something on that IP; it is speculative that there will be something there. So currently the Windows firewall isn't doing anything to block an inbound connection for your IP, or the network shield is getting in first.

I also don't know if even closing the ports as suggested will work, as I don't know which would get in there first, avast's network shield (which is what is blocking it) or the closing of the ports.
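Added example, not part of the original thread: one way to collect the exact times Reply #4 says an ISP abuse report needs, by pulling dropped inbound port 135 connections out of a Windows Firewall log. It assumes dropped-packet logging is enabled and the log uses the standard pfirewall.log field layout; the sample lines are constructed (only the source address 12.75.57.11 comes from the first post), and the function names and UTC offset are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-11-25 04:06:53 DROP TCP 12.75.57.11 192.0.2.10 3345 135 48 S 1105436471 0 64240 - - - RECEIVE
2010-11-25 04:09:12 DROP TCP 12.75.57.11 192.0.2.10 3391 135 48 S 1107732991 0 64240 - - - RECEIVE
2010-11-25 04:10:40 ALLOW TCP 192.0.2.10 198.51.100.7 1042 80 0 - 0 0 0 - - - SEND
2010-11-25 04:15:02 DROP UDP 203.0.113.5 192.0.2.10 1027 1434 404 - - - - - - - RECEIVE
2010-11-25 04:21:30 DROP TCP 203.0.113.5 192.0.2.10 4410 135 48 S 2207431180 0 64240 - - - RECEIVE
"""

def inbound_drops(log_text, port=135, utc_offset_hours=0):
    """Return {src_ip: [UTC datetimes]} for dropped inbound TCP to `port`."""
    fields, hits = [], defaultdict(list)
    local = timezone(timedelta(hours=utc_offset_hours))  # log times are local
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names from the header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if (row.get("action"), row.get("protocol")) != ("DROP", "TCP"):
            continue
        # Older logs have no "path" column; treat those rows as inbound.
        if row.get("dst-port") != str(port) or row.get("path", "RECEIVE") != "RECEIVE":
            continue
        stamp = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        hits[row["src-ip"]].append(stamp.replace(tzinfo=local).astimezone(timezone.utc))
    return dict(hits)

def abuse_report(hits):
    """One line per source: attempt count, first and last sighting in UTC."""
    lines = []
    for ip, times in sorted(hits.items()):
        lines.append(f"{ip} attempts={len(times)} "
                     f"first={min(times):%Y-%m-%d %H:%M:%S}Z last={max(times):%Y-%m-%d %H:%M:%S}Z")
    return lines

if __name__ == "__main__":
    # -6 is an assumed offset; use the zone the PC clock is actually set to.
    print("\n".join(abuse_report(inbound_drops(SAMPLE_LOG, utc_offset_hours=-6))))
```

Converting to UTC matters here because the ISP has to match each timestamp against its own address-assignment records for a dynamically assigned IP.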

Turaiel

  • Guest
Re: DCOM Exploits linked to ISP?
« Reply #5 on: November 26, 2010, 05:23:46 AM »
Alright, thanks. I guess I'll just live with it and ignore Avast's warnings. I was just wondering why it kept happening, and why there wasn't really anything useful as far as information goes.

Offline DavidR

Re: DCOM Exploits linked to ISP?
« Reply #6 on: November 26, 2010, 02:01:15 PM »
You're welcome.