Author Topic: DCOM exploit attack  (Read 8198 times)

Labtec

  • Guest
DCOM exploit attack
« on: December 12, 2004, 02:07:06 AM »
I know that this subject has already been discussed several times, I read through them but couldn't find the answer to my problem..

I get this DCOM-exploit attack message from my avast network shield all the time. When I check with my sygate firewall traffic log I see that some of the same IP addresses that are blocked by the network shield are let through by the firewall. Those ones that get through the firewall are not blocked by the network shield (comparing the time of attacks/traffic in the logs).

I have back traced some of the IP addresses and I ended up at 2 places; ripe.net and iana.com (internet assigned number authority), at those places I could again search for the IPs and the result was the name of my internet provider.
I know how to remove the warning messages but it still bothers me that I don't know what's going on.

Can anyone clear this up for me?


Eddy

Re:DCOM exploit attack
« Reply #1 on: December 12, 2004, 02:13:48 AM »
Only thing that is going on is that infected systems are trying to spread the infection to your system. If your firewall lets these things through it is not set up correctly.

For definitions about DCOM and EXPLOIT you can look HERE
« Last Edit: December 12, 2004, 02:18:53 AM by Eddy »

inthewildteam

  • Guest
Re:DCOM exploit attack
« Reply #2 on: December 12, 2004, 03:15:14 AM »
Why not contact your isp with all the relevant details of the ip addresses and times from your logs?

They should be able to monitor and contact the users if they detect an infected machine.  My isp will put any suspected machine within a "walled garden" of web sites to address the problem with regards to malware removal.  This might or might not be the case with your isp, but a report to abuse@ ............. might solicit a response.

Also make sure your machine is fully patched, and if you have any doubts about an infection try working through some of the excellent links provided here.  A search for malware removal on the forum will yeild lots of results to many programmes to secure your system.

Quick edit! that would be yield!  Sometimes my fingers don't move at the same time as my thoughts  ;)
« Last Edit: December 12, 2004, 03:31:09 AM by inthewildteam »

Labtec

  • Guest
Re:DCOM exploit attack
« Reply #3 on: December 12, 2004, 04:45:39 AM »
Only thing that is going on is that infected systems are trying to spread the infection to your system. If your firewall lets these things through it is not set up correctly.

I have scanned my system multiple times with ad-aware, spybot, avast and even norton online scan. I also have spywareblaster. Never detected anything. If these "attacks" were really "infective" and went through my firewall shouldn't I have found something during my scans?

Also, these attacks started the moment I updated my Avast.
The IP addresses change, but they almost always start with the same numbers (81.182...). And what about my IP-searches pointing to my own internet-provider?

A friend of mine suggested that it might just be the network-shield that is "hypersensitive" to normal communication between my PC and the server of my internet-provider.
I'm kind of a PC-newbie so I'm sorry if I'm asking stupid questions..

whocares

  • Guest
Re:DCOM exploit attack
« Reply #4 on: December 12, 2004, 03:02:40 PM »
1)
 Never detected anything. If these "attacks" were really "infective" and went through my firewall shouldn't I have found something during my scans?

2)
Also, these attacks started the moment I updated my Avast.

Hi,
please read up on BLASTER, SASSER, DCOM & LSASS-Exploits here on the board, at microsoft or basically any security-related website, to know how Network-worms work and use avast help or board-search to see how avast new NETWORK-SHIELD works (if it alerts you, it caught & blocked something: it's not over-sensitive)

you didn't get infected because
- either you have all Windows updates/patches against these exploits in place (in which case they can't do you no harm - so far) or
- because your firewall DID block them

2) Nope... they have been happening since 2003 or thereabouts but you didn't see them because either your firewall blocked them, or you were protected by WindowsUpdates (see 1)

And only since avast has incorporated its new NETWORK-Shield in v4.5 you get alerted to those attacks.
(you can switch off the WARNINGS in the networkshield options, without losing the protection)
And where/if they appear (avast/or FW) depends on whether avast's Network-Shield or Firewall gets loaded first on Windows startup
(and of course it depends on whether your FW is configured correctly and if you can interpret its logs  ;))
 :)
« Last Edit: December 12, 2004, 03:09:06 PM by whocares »
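
An added example, not part of any post in this thread and not Avast's or Sygate's code: one way to line up the two logs by time and source IP, as discussed above, and produce the per-IP summary an ISP abuse desk would want. Both log line formats, the documentation-range IP addresses and the 5-second matching window are assumptions made for the example; TCP 135 is the RPC endpoint mapper port that DCOM worms such as Blaster probe.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs; both line formats are assumptions, not real product output.
SHIELD_LOG = """\
2004-12-12 01:58:03 blocked DCOM-exploit from 192.0.2.15
2004-12-12 02:01:47 blocked DCOM-exploit from 198.51.100.7
2004-12-12 02:03:10 blocked DCOM-exploit from 192.0.2.15
"""
FIREWALL_LOG = """\
2004-12-12 01:58:03 ALLOW TCP 192.0.2.15 -> local:135
2004-12-12 02:01:47 BLOCK TCP 198.51.100.7 -> local:135
2004-12-12 02:05:30 ALLOW TCP 192.0.2.15 -> local:135
2004-12-12 02:06:00 ALLOW TCP 203.0.113.9 -> local:80
"""

TS = "%Y-%m-%d %H:%M:%S"
SHIELD_RE = re.compile(r"^(\S+ \S+) blocked DCOM-exploit from (\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) (ALLOW|BLOCK) TCP (\S+) -> local:(\d+)$")

def parse(log, pattern):
    """Return one tuple per matching line, with the timestamp parsed to datetime."""
    hits = [pattern.match(line.strip()) for line in log.splitlines()]
    return [(datetime.strptime(m.group(1), TS),) + m.groups()[1:] for m in hits if m]

def correlate(shield_log, firewall_log, window=timedelta(seconds=5)):
    """Per source IP: timestamps, block counts, and port-135 allows with no shield block nearby."""
    shield = parse(shield_log, SHIELD_RE)
    report = defaultdict(lambda: {"times": [], "shield": 0, "fw_block": 0, "no_block_logged": []})
    for ts, ip in shield:
        report[ip]["times"].append(ts)
        report[ip]["shield"] += 1
    for ts, action, ip, port in parse(firewall_log, FW_RE):
        if port != "135":  # only inbound traffic to the RPC endpoint mapper is of interest
            continue
        entry = report[ip]
        entry["times"].append(ts)
        if action == "BLOCK":
            entry["fw_block"] += 1
        elif not any(s_ip == ip and abs(s_ts - ts) <= window for s_ts, s_ip in shield):
            entry["no_block_logged"].append(ts)  # firewall allowed it, shield logged nothing
    return dict(report)

def abuse_report(report):
    """One summary line per source IP for a report to the ISP's abuse desk."""
    return [f"{ip} first={min(e['times'])} last={max(e['times'])} shield_blocks={e['shield']} "
            f"firewall_blocks={e['fw_block']} no_block_logged={len(e['no_block_logged'])}"
            for ip, e in sorted(report.items())]
```

A non-empty `no_block_logged` list only shows that neither log recorded a block at that time; it marks the entries worth checking against the firewall rule for port 135.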