Author Topic: DCOM exploit messages  (Read 14669 times)

0 Members and 1 Guest are viewing this topic.

MediaMagician

  • Guest
DCOM exploit messages
« on: August 12, 2007, 01:46:41 PM »
I've been running avast! successfully for a number of months with no issues. Just recently I'm getting regular messages regarding a DCOM exploit attack with various IP addresses but all located in my country. I've run a virus check and none come up.

Should I be worried?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: DCOM exploit messages
« Reply #1 on: August 12, 2007, 03:04:54 PM »
Messages like:
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

Which firewall do you use?
And, most important, is your operational system updated?

You could get this free program from Steve Gibson's site.  This small program will test your PC to see if it's vulnerable.  The link below also explains what DCOM is all about.

Microsoft's DCOM security patch leaves DCOM running...
http://www.grc.com/freeware/dcom.htm

It will also shut down any further occurrence.
The best things in life are free.

sharon_brownlie

  • Guest
Re: DCOM exploit messages
« Reply #2 on: January 04, 2009, 04:42:20 PM »
I am completely computer illiterate...I .....i am getting DCOM messgae from avast. I used to have a secure landlind connection but now use the wireless connection. Is this why I am getting message and am I now vulnerable to attacks?

If so how do I resolve the issue?

I have tried to read the topics on this but I really do not understand all the jargon ???

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: DCOM exploit messages
« Reply #3 on: January 04, 2009, 08:31:04 PM »
Hi,

I don't know if wireless changes the situation, but generally there's been agreement here that if avast is successfully blocking the DCOM things, don't worry too much about them.

I get those warnings from time to time too.  Supposedly the firewall should block them before avast even "sees" them, but I haven't yet figured out how to get my Comodo to do that properly.  Maybe I need to change its security mode, not just try to block the IPs, but if avast is catching and blocking the exploits then that's probably good enough for me.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: DCOM exploit messages
« Reply #4 on: January 04, 2009, 08:40:54 PM »
Start be answering Tech's questions as they are relevant to how you would best resolve the problem.

The DCOM attacks are speculative in the hope that your OS is out of date and as such vulnerable to exploit.

If it is up to date it isn't vulnerable, that however, doesn't stop the speculative attacks. Your firewall should be your first line of defence and it should stop these DCOM attempts and you shouldn't see the Network Shield (a second line of defence) pop-up these alerts.

So I hope you can see why these questions need answered.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: DCOM exploit messages
« Reply #5 on: January 04, 2009, 08:48:15 PM »
I have tried to read the topics on this but I really do not understand all the jargon ???

Answer this please...
Which firewall do you use?
And, most important, is your operational system updated?

This could help also.
You could get this free program from Steve Gibson's site.  This small program will test your PC to see if it's vulnerable.  The link below also explains what DCOM is all about. http://www.grc.com/freeware/dcom.htm
The best things in life are free.

sharon_brownlie

  • Guest
Re: DCOM exploit messages
« Reply #6 on: January 04, 2009, 11:08:04 PM »
Thank you all for your replies.

As far as I know I have Windows firewall. I appear to be updated BUT for some reason the Windows xp SP3 will not fully update..........microsoft trying to help me with this.............unsuccessfuly so far.............they say it should not affect anything.

I also have windows vista, same wireless connection and am free from these DCOM message.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: DCOM exploit messages
« Reply #7 on: January 04, 2009, 11:10:22 PM »
Strange, if Windows XP firewall is on and your XP get updated with SP3... you shouldn't have been seen that messages...
Anyway, avast is protecting you.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: DCOM exploit messages
« Reply #8 on: January 04, 2009, 11:50:13 PM »
<snip>
As far as I know I have Windows firewall. I appear to be updated BUT for some reason the Windows xp SP3 will not fully update..........microsoft trying to help me with this.............unsuccessfuly so far.............they say it should not affect anything.

I also have windows vista, same wireless connection and am free from these DCOM message.

You're welcome.

Personally the windows XP firewall provides limited protection (but it should be able to cope this these DCOM ones) as it doesn't have outbound protection. Vista's firewall does, but it is disabled by default and when enabled isn't very friendly.

Whilst the windows XP (and Vista) firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as, Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes In the Program Control, configuration area, the slider will only goes as far as Medium protection, if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

####
- You could also enable the outbound protection of the Vista firewall, but it isn't very friendly, is rule based and you have to create the rules, check this out. - Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

GrizeBar

  • Guest
Re: DCOM exploit messages
« Reply #9 on: January 05, 2009, 01:38:33 AM »
I use use Sygate firewall and recommend it highly.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: DCOM exploit messages
« Reply #10 on: January 05, 2009, 02:07:24 AM »
Well it is old and no longer supported and doesn't handle localhost proxies at all well, which could drive a coach and horses through your security.

Fortunately the web shield proxy is limited to specific browsers.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: DCOM exploit messages
« Reply #11 on: January 05, 2009, 08:09:49 AM »
This thread has caught my interest. 

In the interests of research I have turned on the logs I know of and exposed this system to the Internet with the Windows XP firewall as the sole firewall defense.  I am running the current version of avast with the Network Shield active.

I am fully up to date (which alas sharon_brownlie does not appear to be) with Windows XP SP3.  So I want to see what happens if/when I am the subject of a port 135 intrusion.

I will report back in this thread.

sharon_brownlie

  • Guest
Re: DCOM exploit messages
« Reply #12 on: January 05, 2009, 01:58:32 PM »
This thread has caught my interest. 

In the interests of research I have turned on the logs I know of and exposed this system to the Internet with the Windows XP firewall as the sole firewall defense.  I am running the current version of avast with the Network Shield active.

I am fully up to date (which alas sharon_brownlie does not appear to be) with Windows XP SP3.  So I want to see what happens if/when I am the subject of a port 135 intrusion.

I will report back in this thread.

I am going to be very interested if and when you have problems with it. Then maybe I can resolve this. As I stated Windows xp will not load fully it won't install a number that begins with KB9.....

I am going to add another firewall. I am glad that you have all reassured me that avast is doing its job!!!!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: DCOM exploit messages
« Reply #13 on: January 05, 2009, 03:43:34 PM »
You are not so much going to add another firewall as there should only be one running, the usual procedure when a third party is installed is that is disables the Windows Firewall.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

GrizeBar

  • Guest
Re: DCOM exploit messages
« Reply #14 on: January 05, 2009, 11:23:41 PM »
Well it is old and no longer supported and doesn't handle localhost proxies at all well, which could drive a coach and horses through your security.

Fortunately the web shield proxy is limited to specific browsers.

True. Sygate was gobbled up by Norton and incorporated into it's Internet Security package. I hate Norton and refuse to yield to it's expensive yet shoddy corporate rape of a formerly fine firewall system. I still retain the free version which works for me without revision.