Author Topic: DCOM Exploit  (Read 25936 times)


Offline Charmed

  • Newbie
  • *
  • Posts: 3
DCOM Exploit
« on: September 03, 2005, 05:27:18 PM »
I've been using Avast 4.6 (on dial up) for some time now but on Friday I got connected to broadband (plusnet) and now I keep getting the scanner message 'DCOM Exploit - attack from 84.93.143.166.135/tcp'.

I never had this message before I connected to broadband.

Does anyone have any ideas what this is?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: DCOM Exploit
« Reply #1 on: September 03, 2005, 05:36:03 PM »
Messages like:

Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp

are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

In other words, do you use a firewall or not?
The best things in life are free.

Offline Charmed

  • Newbie
  • *
  • Posts: 3
Re: DCOM Exploit
« Reply #2 on: September 03, 2005, 05:37:42 PM »
The only firewall I have is the one in windows.

Offline Charmed

  • Newbie
  • *
  • Posts: 3
Re: DCOM Exploit
« Reply #3 on: September 03, 2005, 05:50:45 PM »
What firewall would you recommend?  :-\

Offline AsRock+SD

  • Newbie
  • *
  • Posts: 3
Re: DCOM Exploit
« Reply #4 on: September 03, 2005, 06:00:56 PM »
Outpost is a damn good one.  Just takes some setting up.  BUT they do have a lot of help in their forums :).

Offline Jarmo P

  • Sr. Member
  • ****
  • Posts: 365
    • My Sygate firewall webpage guide
Re: DCOM Exploit
« Reply #5 on: September 03, 2005, 06:57:18 PM »
Strange that you get that warning if really running XP SP2 firewall?
In earlier XP versions, SP1 or even earlier the windows ICF firewall was not enabled by default !!!
« Last Edit: September 03, 2005, 06:59:57 PM by Jarmo P »
XP Home, Antivir PE Classic,  kerio 2.1.5 or Sygate 5.5.2710, SSM 2.0.8.583 free, SpywareBlaster, CCleaner, Firefox through webshield and running NoScript extension or in Sandboxie
http://www.kotiposti.net/string/SPF_eng/SPFGuide.html

Offline Nicolas

  • Full Member
  • ***
  • Posts: 115
  • I'm not a llama!
Re: DCOM Exploit
« Reply #6 on: September 03, 2005, 07:20:13 PM »
The appearance of the DCOM-exploit warning just after connection to the internet is not unusual, because a lot of legit traffic is taking place then (like update processes) so that the firewall has opened several ports.
If your windows is updated (security patches !), you have nothing to fear - if not, Avast takes care.
Win2k Pro, 1.5 GHz, 500 MB RAM, Intelbased; Avast AV, Clamwin AV; Sygate Firewall; Spybot S&D, WinPatrol, Ad-Aware, Spyware Doctor; Microsoft AntiSpyware, Spyware Blaster, ActivePorts, Rootkit Revealer, Disk Investigator, Scrip Trap, HijackThis ; Ewido Sec. Suite, IceSword.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: DCOM Exploit
« Reply #7 on: September 03, 2005, 07:29:11 PM »
Quote
What firewall would you recommend?  :-\

ZA (free), Outpost (free), Kerio (trial then free)  8)
The best things in life are free.

Offline Jarmo P

  • Sr. Member
  • ****
  • Posts: 365
    • My Sygate firewall webpage guide
Re: DCOM Exploit
« Reply #8 on: September 03, 2005, 07:42:03 PM »
With Kerio the situation is the same as with Sygate.
Well maybe there is still development with Sygate.

Kerio is stopped:

http://www.wilderssecurity.com/showthread.php?t=95880

XP Home, Antivir PE Classic,  kerio 2.1.5 or Sygate 5.5.2710, SSM 2.0.8.583 free, SpywareBlaster, CCleaner, Firefox through webshield and running NoScript extension or in Sandboxie
http://www.kotiposti.net/string/SPF_eng/SPFGuide.html

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: DCOM Exploit
« Reply #9 on: September 03, 2005, 07:44:49 PM »
Quote
Well maybe there is still development with Sygate.

Sygate was bought by Symantec. In fact, we're talking from now on about a Symantec product.
You can follow your own forum what the users thought about this.
I can't recommend Sygate anymore  :'(
The best things in life are free.

Offline Jarmo P

  • Sr. Member
  • ****
  • Posts: 365
    • My Sygate firewall webpage guide
Re: DCOM Exploit
« Reply #10 on: September 03, 2005, 07:54:57 PM »
Quote
Sygate was bought by Symantec. In fact, we're talking from now on about a Symantec product.
You can follow your own forum what the users thought about this.
I can't recommend Sygate anymore  Cry

You have told your opinions so many times Tech. Sure the message is heard.

I never even recommended Sygate 5.6, but 5.5 is good, what ever versions. That is if you are not using local proxies, WebShield excluded. At least when staying away from IE.

http://smb.sygate.com/products/spf_standard.htm

So I am not recommending to download free version or to buy Pro  from above, but sure instead links in Sygate forum that is not mine, LOL.

It is weird that you started that bashing on me Tech?
And giving your prejudiced opinions instead of facts.
Sure I called you ignorant in one of your messages when you had used SPF so long with proxy software, never bothered to learn the firewall enough to have noticed that loopback issue before.
XP Home, Antivir PE Classic,  kerio 2.1.5 or Sygate 5.5.2710, SSM 2.0.8.583 free, SpywareBlaster, CCleaner, Firefox through webshield and running NoScript extension or in Sandboxie
http://www.kotiposti.net/string/SPF_eng/SPFGuide.html

Offline Jarmo P

  • Sr. Member
  • ****
  • Posts: 365
    • My Sygate firewall webpage guide
Re: DCOM Exploit
« Reply #11 on: September 03, 2005, 08:05:06 PM »
Actually I tell why I don't use SPF 5.6. It is just cause of that DCOM warning from Avast. I tried that version and once it was late starting.

This might apply to Nicolas, cause he told in his reply that it is normal to see that warning when starting the system. To me it is not normal.

About earlier Sygate 5.5 versions, before 5.5.2710 and a few others, it was so that when the firewall service was not loaded, no internet connection was not possible, they changed it in later versions so that it is not so in free version. But with 5.5.2710 I have never seen this DCOM warning.
XP Home, Antivir PE Classic,  kerio 2.1.5 or Sygate 5.5.2710, SSM 2.0.8.583 free, SpywareBlaster, CCleaner, Firefox through webshield and running NoScript extension or in Sandboxie
http://www.kotiposti.net/string/SPF_eng/SPFGuide.html

Offline Nicolas

  • Full Member
  • ***
  • Posts: 115
  • I'm not a llama!
Re: DCOM Exploit
« Reply #12 on: September 03, 2005, 08:56:19 PM »
Quote
This might apply to Nicolas, cause he told in his reply that it is normal to see that warning when starting the system. To me it is not normal.

Well, I said "not unusual". Especially in cable networks there are many infected computers causing this. When the computer is starting up there is already traffic with the main server to establish the connection. The firewall has to allow at least some legit traffic to make the internet connection possible at all. Unfortunately, malware then uses the same ports. You can see that on the traffic and security logs.

I can't recommend a specific firewall, because I did not compare them in detail. The Sygate free product offers a lot of very useful features, usually not available in other free versions.


   
Win2k Pro, 1.5 GHz, 500 MB RAM, Intelbased; Avast AV, Clamwin AV; Sygate Firewall; Spybot S&D, WinPatrol, Ad-Aware, Spyware Doctor; Microsoft AntiSpyware, Spyware Blaster, ActivePorts, Rootkit Revealer, Disk Investigator, Scrip Trap, HijackThis ; Ewido Sec. Suite, IceSword.
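
The post above points to the firewall's traffic log as the place to see these port 135 probes. As an added example (not part of the thread), this Python sketch tallies inbound TCP 135 attempts from a Windows Firewall log; the sample lines, the documentation-range addresses and the function name are constructed, and it assumes the `#Fields:` header layout that Windows Firewall writes to pfirewall.log.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout; 192.0.2.10 stands in for the
# local machine and every address is from a documentation range.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-09-03 17:20:01 DROP TCP 198.51.100.7 192.0.2.10 4123 135 48 S 1234567 0 64240 - - -
2005-09-03 17:20:04 DROP TCP 198.51.100.7 192.0.2.10 4123 135 48 S 1234567 0 64240 - - -
2005-09-03 17:21:30 OPEN TCP 192.0.2.10 203.0.113.80 1042 80 - - - - - - - -
2005-09-03 17:22:11 DROP UDP 198.51.100.9 192.0.2.10 1026 1434 404 - - - - - - -
2005-09-03 17:25:40 OPEN-INBOUND TCP 198.51.100.23 192.0.2.10 3301 135 - - - - - - - -
"""


def rpc_port_hits(log_text, local_ip, port="135"):
    """Return (blocked, accepted) Counters of remote IPs that targeted TCP `port`."""
    fields, blocked, accepted = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Map columns by name so a log with extra trailing fields still parses.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        target = (rec.get("protocol"), rec.get("dst-ip"), rec.get("dst-port"))
        if target != ("TCP", local_ip, port):
            continue  # outbound traffic, other protocols, other ports
        # DROP means the firewall stopped the probe; any other action means the
        # connection got through to the RPC endpoint mapper and needs a closer look.
        bucket = blocked if rec.get("action") == "DROP" else accepted
        bucket[rec["src-ip"]] += 1
    return blocked, accepted


if __name__ == "__main__":
    blocked, accepted = rpc_port_hits(SAMPLE_LOG, "192.0.2.10")
    for ip, n in blocked.most_common():
        print(f"blocked  {ip:15} x{n}")
    for ip, n in accepted.most_common():
        print(f"ACCEPTED {ip:15} x{n}  <- port 135 reachable from outside")
```

Any entry in the accepted tally means port 135 is exposed to the internet, which is the case where patch level matters most.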

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67269
Re: DCOM Exploit
« Reply #13 on: September 03, 2005, 09:10:22 PM »
Quote
It is weird that you started that bashing on me Tech?

No Jarmo. I'm not bashing nobody. See this is a thread from Charmed. The user asked my suggestions about firewalls.
You jump here to defend the company you work for. I'm just an avast! user.

Quote
And giving your prejudiced opinions instead of facts.

For me, you work with opinions. I work with my facts, the ones happened in my computer and my own experience.

Quote
Sure I called you ignorant in one of your messages when you had used SPF so long with proxy software, never bothered to learn the firewall enough to have noticed that loopback issue before.

Do you really think you can call me ignorant?
The best things in life are free.

Offline Jarmo P

  • Sr. Member
  • ****
  • Posts: 365
    • My Sygate firewall webpage guide
Re: DCOM Exploit
« Reply #14 on: September 03, 2005, 10:07:55 PM »
Quote
You jump here to defend the company you work for. I'm just an avast! user.

No Tech, where did you get that idea?
I am just a Sygate free firewall user. Same as with Avast.
Though I wish sometimes they had given me a Pro version if they had thought my posts in that forum had helped anyone ;)

Even Mats in that forum, Super Moderator is just a product user.
Sometimes I suspect RedJack working for them, cause he has sometimes posts that hint knowing a little what goes behind software.

You are as welcome to post there as me, though they don't accept much criticism about the product. Even some threads were removed cause of that Symantec takeover complaints. Just a fellow hint ;) That forum is not as free in opinions as this one. Still there are good people who help if having problems, which is rare with many other firewalls. To my long gone Norman firewall, the support was non existent.

Quote
Do you really think you can call me ignorant?
You were that time you found out about loopback proxy issue.

Nicolas
I do recommend you that if you are using SPF 5.6 and even once experience the DCOM warning from Avast Network Shield that you go back to SPF 5.5. Just hope there is free version available, if you need one, to be found in posts with a keyword search.
XP Home, Antivir PE Classic,  kerio 2.1.5 or Sygate 5.5.2710, SSM 2.0.8.583 free, SpywareBlaster, CCleaner, Firefox through webshield and running NoScript extension or in Sandboxie
http://www.kotiposti.net/string/SPF_eng/SPFGuide.html