Author Topic: on-access scanner - network shield  (Read 3858 times)

grim

  • Guest
on-access scanner - network shield
« on: December 10, 2006, 12:10:52 PM »
Hey, I keep getting attacked, just wondering if it's anything I should be worrying about.

10.12.2006  10:57:10  DCOM Exploit attack
    from 89.241.46.141:135
10.12.2006  10:58:06  DCOM Exploit attack
    from 89.241.186.52:135
10.12.2006  10:58:28  DCOM Exploit attack
    from 89.241.247.131:135
10.12.2006  11:00:58  DCOM Exploit attack
    from 89.241.36.150:135
10.12.2006  11:03:54  DCOM Exploit attack
    from 89.241.45.108:135
10.12.2006  11:04:50  DCOM Exploit attack
    from 89.241.38.230:135
10.12.2006  11:05:57  DCOM Exploit attack
    from 89.241.45.108:135
10.12.2006  11:06:02  DCOM Exploit attack
    from 89.241.67.54:135
10.12.2006  11:08:43  DCOM Exploit attack
    from 89.241.186.52:135
10.12.2006  11:09:03  DCOM Exploit attack
    from 89.241.45.108:135
« Last Edit: December 10, 2006, 12:13:51 PM by grim »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: on-access scanner - network shield
« Reply #1 on: December 10, 2006, 01:20:09 PM »
Which firewall do you use?
Are your Windows updated?

Messages with "DCOM Exploit" attack are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

avast Network Shield is a protection against known Internet worms/attacks. It analyses all network traffic and scans it for malicious content. It can also be taken as a lightweight firewall (or more precisely, an IDS (Intrusion Detection System)).

Network Shield protects you from internet worms that spread themselves via various security holes in your system. Typically these kinds of viruses don't infect files but instead they attack running processes on your PC (either Windows components or some server programs like SQL Server, IIS etc.). These kinds of attacks are not easily caught by ordinary antivirus during file or mail scanning. It does not duplicate the work of Standard Shield.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: on-access scanner - network shield
« Reply #2 on: December 10, 2006, 02:37:03 PM »
Your firewall should intercept this first, so it would appear it isn't doing its job; as Tech asks, what firewall do you have?

The DCOM exploit attack is a speculative attack as they don't know if your system OS is fully up to date and so not vulnerable to it, so they just keep plugging away in the hope of catching someone without firewall defences and an out of date OS.

As to whether you should be worrying about it, yes, ensure your firewall is able to trap this and ensure your system is up to date. You can feel a little more secure in the thought that the Network Shield has provided a back-up and has blocked the DCOM attack. If it frightens you, you can disable the notification in the Network Shield Customize settings.

A whois search for the last IP returns this:
Quote
% Information related to '89.241.0.0 - 89.243.255.255'

inetnum:        89.241.0.0 - 89.243.255.255
netname:        OPAL-DSL
descr:          Opal Telecom DSL Network
country:        GB
So it would appear that someone on that DSL Network is infected and trying to infect others.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
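Added example, not part of the original posts and not avast's code: a short Python sketch that parses the two-line Network Shield alert format shown in the first post, counts the source addresses, and checks them against the range in the whois output quoted above. The function names `parse_alerts` and `summarize` are hypothetical, and the log excerpt is the last six alerts from the first post.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Last six alerts from the log in the first post (two lines per alert).
LOG = """\
10.12.2006  11:03:54  DCOM Exploit attack
    from 89.241.45.108:135
10.12.2006  11:04:50  DCOM Exploit attack
    from 89.241.38.230:135
10.12.2006  11:05:57  DCOM Exploit attack
    from 89.241.45.108:135
10.12.2006  11:06:02  DCOM Exploit attack
    from 89.241.67.54:135
10.12.2006  11:08:43  DCOM Exploit attack
    from 89.241.186.52:135
10.12.2006  11:09:03  DCOM Exploit attack
    from 89.241.45.108:135
"""
# Address range from the whois output quoted in the reply above.
WHOIS_RANGE = ("89.241.0.0", "89.243.255.255")

def parse_alerts(text):
    """Pair each alert line with the indented 'from ip:port' line after it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    alerts = []
    for head, src in zip(lines[0::2], lines[1::2]):
        date, time, name = head.split(None, 2)
        if not src.startswith("from "):
            raise ValueError(f"expected a 'from' line, got {src!r}")
        ip, port = src[len("from "):].rsplit(":", 1)
        when = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
        alerts.append((when, name, ipaddress.ip_address(ip), int(port)))
    return alerts

def summarize(alerts, whois_range=WHOIS_RANGE):
    """Count sources and test them against the provider's address range."""
    low, high = (ipaddress.ip_address(a) for a in whois_range)
    hits = Counter(ip for _, _, ip, _ in alerts)
    times = [when for when, _, _, _ in alerts]
    return {
        "alerts": len(alerts),
        "distinct_sources": len(hits),
        "repeat_sources": sorted(str(ip) for ip, n in hits.items() if n > 1),
        "all_in_whois_range": all(low <= ip <= high for ip in hits),
        "span_seconds": int((max(times) - min(times)).total_seconds()),
    }

if __name__ == "__main__":
    print(summarize(parse_alerts(LOG)))
```

On this excerpt the summary shows several distinct sources inside one provider's range within a few minutes, with one address recurring.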

grim

  • Guest
Re: on-access scanner - network shield
« Reply #3 on: December 11, 2006, 01:08:17 AM »
I'm using Comodo Personal Firewall, which has been pretty good, other than this. I can block the IPs manually, but I guess it's a problem with the firewall so I should use their forums. lol

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: on-access scanner - network shield
« Reply #4 on: December 11, 2006, 01:55:11 AM »
Yes, I think you should check out their forums as I feel it should be the first to intercept these exploits. There have been a couple of other posts about firewalls not challenging outbound connections and they related to Comodo also, not sure. If so I believe that there are some poor default actions if you choose the 'Easy' user interface, so you may need to read the help file and see if there are any settings you can change to beef up the protection.

It is probably a waste of time blocking IP addresses as they are too much of a moving target, but you might consider blocking port 135 if you can. The other option is to visit grc.com DCOMbobulator http://www.grc.com/freeware/dcom.htm.

grim

  • Guest
Re: on-access scanner - network shield
« Reply #5 on: December 11, 2006, 10:51:00 AM »
OK, thanks guys, I'll block that port and check out their forums.

grim

  • Guest
Re: on-access scanner - network shield
« Reply #6 on: December 11, 2006, 10:59:12 AM »
Great URL, cheers.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: on-access scanner - network shield
« Reply #7 on: December 11, 2006, 01:34:19 PM »
No problem, welcome to the forums.