Author Topic: avast! On-access scanner message  (Read 29358 times)


Lise

  • Guest
avast! On-access scanner message
« on: November 13, 2004, 08:43:36 PM »
I keep getting this "avast! On Access Scanner Message     DCOM Exploit - TCP Packet from 69.159.140.119:135"   Is this someone trying to hack into my computer, or someone GETTING into my computer or just a bad setting somewhere???  PLEASE!!!  I am starting to panic! This has been going on all day and I can't find any info on this!
Lise

techie101

  • Guest
Re:avast! On-access scanner message
« Reply #1 on: November 13, 2004, 08:50:00 PM »
The RPC/DCOM exploit is a vulnerability that allows an attacker to gain access to the destination machine by
sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

Be back in a minute...

OK...Anyway, as VLK stated, the new NS in SP2 is blocking hacker attempts to gain access to your computer.  Right now, not to worry.
I checked the URL provided in the message, and it is not now active and comes up invalid.
Hackers do this sometimes to "test" the waters and then take down the source computer.

The main thing is to always have a good firewall and antivirus in place AT ALL TIMES.

If the attacks persist, contact your ISP Administrator for assistance.

Good Luck.
« Last Edit: November 13, 2004, 08:57:52 PM by Techie101 »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:avast! On-access scanner message
« Reply #2 on: November 13, 2004, 08:52:11 PM »
This is the new Network Shield actively protecting you - apparently you're being attacked quite often. Fortunately your system is probably patched so the attack doesn't work. :)
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:avast! On-access scanner message
« Reply #3 on: November 13, 2004, 08:58:48 PM »
Interesting. So if you have a patched machine, Network Shield won't do anything (I mean won't even detect anything). I'm still trying to understand how Network Shield works so I might ask dumb questions ;D
Visit my webpage Angry Sheep Blog

techie101

  • Guest
Re:avast! On-access scanner message
« Reply #4 on: November 13, 2004, 09:10:16 PM »
Rej,

No dumb questions at all.

Read this article and you will get a good idea of how it works.  It is basically a filter, but read the article for a good explanation.

http://www.networkitweek.co.uk/news/1155763

 :D

Offline Vlk

Re:avast! On-access scanner message
« Reply #5 on: November 13, 2004, 09:15:32 PM »
Techie, we're talking avast's Network Shield, not Microsoft's :P

But it's true that it works very similar to the thing described in the article (which IMHO doesn't exist yet - or at least doesn't ship yet).

Cheers
Vlk

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re:avast! On-access scanner message
« Reply #6 on: November 13, 2004, 09:55:34 PM »
Quote
Interesting. So if you have a patched machine, Network Shield won't do anything (I mean won't even detect anything). I'm still trying to understand how Network Shield works so I might ask dumb questions ;D

You're not right; even if your system was patched, NetworkShield will scan incoming packets and warn you. It also detects when the Blaster virus is copied over TFTP to your local machine (which is what happens when the exploit was successful and your computer downloads the virus).

Offline RejZoR

Re:avast! On-access scanner message
« Reply #7 on: November 13, 2004, 11:09:20 PM »
So will Network Shield prevent any new (unknown) worm from spreading (let's say similar to Sasser) if it maybe matches the rules, or does it just detect those that are known today (MSBlast, Sasser and other similar known stuff)?

Offline Vlk

Re:avast! On-access scanner message
« Reply #8 on: November 13, 2004, 11:10:38 PM »
Of course even the "new". Its signatures are in the VPS :)

(otherwise, it wouldn't be of much use :P)

Offline RejZoR

Re:avast! On-access scanner message
« Reply #9 on: November 13, 2004, 11:14:00 PM »
I meant like heuristic/generic matching. But fast VPS release should also do the job. Thx for explanation :)

Offline Vlk

Re:avast! On-access scanner message
« Reply #10 on: November 13, 2004, 11:16:08 PM »
Heuristic detection is even trickier for IDS than for an AV (I mean much trickier ;)). In fact, it's almost impossible (and frankly I'm not aware of any other such product).

There are some technical reasons for this.
« Last Edit: November 13, 2004, 11:16:37 PM by Vlk »

Offline pk

Re:avast! On-access scanner message
« Reply #11 on: November 13, 2004, 11:16:40 PM »
It's not possible to do a heuristic scan; the exploit code must be known (there's no executable code) and its scanning must be really fast (otherwise it would slow down network traffic)

Lise

  • Guest
Re:avast! On-access scanner message
« Reply #12 on: November 14, 2004, 01:08:57 AM »
I would like to thank this group for your quick replies to my question about the DCOM Exploit. I didn't understand a whole lot of it except that it was someone TRYING to get in as opposed to having GOTTEN in, am I right? I have only one problem with the warning message....it just slides up and down too fast to record the numbers properly. It should STAY up til you click it, but when I mean I was being bombarded, I'm talking the whole day every 10 to 30 seconds I would get a new warning....sometimes they would number up 3 or 4 URLs high. I have a program called Slap which allows me to view the name belonging to the URL. I managed to get 3 of them:
Sudbury HSE ppp.398039.sympatico.ca
Quebec HSE ppp.215991qc.sypatico.ca
Kingston HSE ppp.3995655.sympatico.ca
I don't know what all that means but I sent a message to my ISP (Sympatico) and reported this as well, including these names, hoping they can do something with them. And, yes, I had to turn on my firewall, which is really a pain and sad that we can't enjoy ourselves without someone always trying to screw things up!! :'(    But I gotta tell you, Avast is the BEST AV there is...I dumped useless Norton's and all its bloat for this one and am spreading the word in all the groups I belong to.
Thanks again
Lise

Offline pk

Re:avast! On-access scanner message
« Reply #13 on: November 14, 2004, 01:16:18 AM »
You can disable showing of those NetworkShield warnings (in the settings of the NetShield provider), because it disturbs you while you're working ;). The NetworkShield provider has a log viewer, so you can trace all attacks on your computer. Those IP addresses you see in the log are infected with a virus (mainly Blaster, ...) and they try to infect your computer. Yes, a firewall is a good choice ;).
« Last Edit: November 14, 2004, 01:18:02 AM by pk »
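
An added example, not part of the original thread and not avast! code: a small triage script for the alert stream described above, grouping alerts by source and measuring how often each source retries. It assumes a hypothetical exported log with one alert per line, a constructed timestamp followed by the alert text quoted in the first post; the real Network Shield log format is not shown in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: "<YYYY-MM-DD HH:MM:SS> <alert name> - TCP Packet from <ip>:<port>"
# Only the alert text appears in the thread; the timestamp prefix is an assumption.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<name>.+?) - TCP Packet from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)

# Constructed sample lines; the addresses come from documentation ranges.
SAMPLE_LOG = """\
2004-11-13 20:40:02 DCOM Exploit - TCP Packet from 192.0.2.10:135
2004-11-13 20:40:19 DCOM Exploit - TCP Packet from 198.51.100.7:135
2004-11-13 20:40:47 DCOM Exploit - TCP Packet from 192.0.2.10:135
garbled line that should be skipped
2004-11-13 20:41:15 DCOM Exploit - TCP Packet from 192.0.2.10:135
2004-11-13 20:41:30 DCOM Exploit - TCP Packet from 198.51.100.7:135
"""

def summarize(log_text):
    """Group alerts by source IP; return (per-source stats, unparsed line count)."""
    seen = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            skipped += bool(line.strip())  # count non-empty lines we could not parse
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        seen[m["ip"]].append((ts, m["name"], int(m["port"])))
    stats = {}
    for ip, events in seen.items():
        times = sorted(t for t, _, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[ip] = {
            "count": len(events),
            "alerts": sorted({n for _, n, _ in events}),
            "ports": sorted({p for _, _, p in events}),  # port as printed in the alert
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return stats, skipped

if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE_LOG)
    # Most persistent sources first: these are the ones worth reporting to an ISP.
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, s["count"], s["alerts"], s["ports"], s["mean_gap_s"])
```
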

techie101

  • Guest
Re:avast! On-access scanner message
« Reply #14 on: November 14, 2004, 01:18:05 AM »
VLK

Quote
Techie, we're talking avast's Network Shield, not Microsoft's :P

Forgive me.  At times I have a Microsoft mind.   ;D