[unisog] Windows XP Pro Reboots

Seidl, David . dseidl at purdue.edu
Tue Jul 29 15:08:49 GMT 2003


We've seen this. It is a result of the DCOM RPC exploit posted by Microsoft.

These links provide more information on the vulnerability.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS03-026.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS03-026.asp

Exploit demo code has been posted to Bugtraq as "DCOM RPC exploit (dcom.c)".

If you have administrative access to the machines, Eeye provides a scanner
to determine vulnerable systems, as well as more information about the
exploit code.

http://www.eeye.com/html/Research/Tools/RPCDCOM.html

Finally, Xfocus.org provides a detailed look at the ASM code:

http://www.xfocus.org/documents/200307/2.html

McAfee's current VirusScan update does detect part of the toolkit installed.

David Seidl
IT Security and Policy Analyst
Purdue University / ITaP Security & Policy
dseidl at purdue.edu
www.itap.purdue.edu


>-----Original Message-----
>From: Lois Lehman [mailto:LOIS.LEHMAN at asu.edu] 
>Sent: Monday, July 28, 2003 4:59 PM
>To: 'unisog at sans.org'
>Subject: [unisog] Windows XP Pro Reboots
>
>
>Has anyone at other universities seen Windows XP Pro machines 
>suddenly report that the RPC service has failed and the 
>machine will reboot in 1 minute?  We have had several on our 
>campus this afternoon and are looking for some information on 
>what might be happening.
> 
>Please let me know if you have any information.
> 
>Thanks!
>Lois
> 
>Lois Lehman
>College Network Security Manager
>Physical Sciences Computer Support Manager
>College of Liberal Arts & Sciences
>Arizona State University
>480-965-3139
> 
>



More information about the unisog mailing list