RE:DCOM (RPC) problem

Subject: RE:DCOM (RPC) problem
tcv@ninjatech.cjb.net
Date: Tue Aug 12 2003 - 12:52:58 AKDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: W.D. McKinney: ""Worm with teeth could infect 10s of millions of Windows machines""
• Previous message: Dave Brown: "RE:DCOM (RPC) problem"
• Maybe reply: tcv@ninjatech.cjb.net: "RE:DCOM (RPC) problem"

On Tuesday 12 August 2003 12:33 pm, Dave Brown wrote:
> tcv@ninjatech.cjb.net typethed the following...
>
> >If you have any microsoft machines residing behind the router:
> >
> >Click Start->Run
> >Type "dcomcnfg.exe"
> >
> >disable DCOM
> >then use ingress and egress filtering on port 135. I am sure the problem
> >will get worse before it gets better.
>
> Disabling DCOM does not actually protect you, Several people over on
> NTBUGTRAQ have learned this the hard way over the last few days. Patch
> your MS systems and deny at the router are your best bets.
> --Dave

Thought I mentioned that.

The bug has actually been active for about a year. Only very public as of late because of Ben Jurry.
<snip>
RPC/DCOM interface is accessible over any RPC protocol sequence that the endpoint mapper listens on.

That includes:

o ncacn_ip_tcp : TCP port 135
o ncadg_ip_udp : UDP port 135
o ncacn_np : \pipe\epmapper, normally accessible via SMB null
session on TCP ports 139 and 445
o ncacn_http : if active, listening on TCP port 593.
</snip>
:0)

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.

• Next message: W.D. McKinney: ""Worm with teeth could infect 10s of millions of Windows machines""
• Previous message: Dave Brown: "RE:DCOM (RPC) problem"
• Maybe reply: tcv@ninjatech.cjb.net: "RE:DCOM (RPC) problem"

This archive was generated by hypermail 2a23 : Tue Aug 12 2003 - 12:53:02 AKDT