[Dshield] DCOM morning after

Stephane Grobety security at admin.fulgan.com
Tue Aug 12 14:22:31 GMT 2003

Hello Jonathan,

Tuesday, August 12, 2003, 3:50:22 PM, you wrote:

JR> Received: from iceman.incidents.org ([])
JR>         by mail.fulgan.com (Merak 6.0.3) with SMTP id JHA74159
JR>         for <security at admin.fulgan.com>; Tue, 12 Aug 2003 16:08:15 +0200
JR> Received: (qmail 16700 invoked from network); 12 Aug 2003 14:06:40 -0000
JR> Received: from chipper2-int (HELO viper.incidents.org) (
JR>   by 0 with SMTP; 12 Aug 2003 14:06:40 -0000
JR> Received: from localhost.localdomain (chipper2 [])
JR> 	by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h7CE6bH23486;
JR> 	Tue, 12 Aug 2003 10:06:37 -0400
JR> Received: from dshield.org (charlie [])
JR> 	by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h7CDoXH22100
JR> 	for <list at viper.uunet>; Tue, 12 Aug 2003 09:50:34 -0400
JR> Received: (qmail 27268 invoked from network); 12 Aug 2003 13:50:28 -0000
JR> Received: from mta01.alltel.net (HELO mta01-srv.alltel.net) (
JR>   by 0 with SMTP; 12 Aug 2003 13:50:28 -0000
JR> Received: from abacus.xcorps.net ([]) by mta01-srv.alltel.net
JR>           with ESMTP
JR>           id <20030812135024.TNGL17462.mta01-srv.alltel.net at abacus.xcorps.net>
JR>           for <list at dshield.org>; Tue, 12 Aug 2003 08:50:24 -0500
JR> From: Jonathan Rickman <jonathan at xcorps.net>
JR> Organization: X Corps Security
JR> To: General DShield Discussion List <list at dshield.org>
JR> Subject: Re: [Dshield] DCOM morning after
JR> Date: Tue, 12 Aug 2003 09:50:22 -0400
JR> User-Agent: KMail/
JR> References: <9F3B43C638622B45B013654517B61D9B0773A9 at banana-jr-6k.nmefdn.org>
JR> In-Reply-To: <9F3B43C638622B45B013654517B61D9B0773A9 at banana-jr-6k.nmefdn.org>
JR> MIME-Version: 1.0
JR> Content-Disposition: inline
JR> Content-Type: text/plain;
JR>   charset="iso-8859-1"
JR> Content-Transfer-Encoding: 7bit
JR> Message-Id: <200308120950.22228.jonathan at xcorps.net>
JR> X-Envelope-To: list at dshield.org
JR> X-Mailman-Approved-At: Tue, 12 Aug 2003 10:03:26 -0400
JR> X-BeenThere: list at dshield.org
JR> X-Mailman-Version: 2.1
JR> Precedence: list
JR> Reply-To: General DShield Discussion List <list at dshield.org>
JR> List-Id: General DShield Discussion List <list.dshield.org>
JR> List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
JR> 	<mailto:list-request at dshield.org?subject=unsubscribe>
JR> List-Archive: <http://www.dshield.org/pipermail/list>
JR> List-Post: <mailto:list at dshield.org>
JR> List-Help: <mailto:list-request at dshield.org?subject=help>
JR> List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
JR> 	<mailto:list-request at dshield.org?subject=subscribe>
JR> Sender: list-bounces at dshield.org
JR> Errors-To: list-bounces at dshield.org

JR> On Tuesday 12 August 2003 09:07, Paul Marsh wrote:
>> Good Morning All:
JR> There have been several reports on the incidents list suggesting that
JR> patched machines are being infected in some cases.

The reason behind this is that windows update only uses the registry
to verify wether a patch has been applied or not. If a user has
used windows restore point or has installed patches out of order, then
it might be that the machine is vulnerable again, but windows update
won't detect this.

To correct the problem, you can either use one of the free DCOM
vulnerability scsanners available and manually re-patch all vulnerable
machines or you can use a tool like HFNetChk to do the job for you (it
will do a checksum and version check on the files, not trust the

That, at least, fixed all machines on my network that where still
vulnerable even after being patched. However, if anyone has actually
SEEN a machine that is still vulnerable after it was patched (and by
that, I mean the last thing you've done on it was manually applied the
patch or you've checked the version and checksum of the involved files
so you KNOW they are the good ones), then I'd very much like to hear
about it.

Good luck,
Best regards,
 Stephane                            mailto:security at admin.fulgan.com

More information about the list mailing list