Thread: Dcom Exploit

  1. #1
    Junior Member
    Join Date
    Feb 2008
    Posts
    18

    Dcom Exploit

    I am not sure as to what is happening. My Avast online scanner keeps flashing the message that there is a dcom exploit 88.107.???.???:135 /tcp (the ???.??? keeps changing.) Am I being attacked?

  2. #2
    Senior Member honda12's Avatar
    Join Date
    Nov 2007
    Location
    UK
    Posts
    682

    From Avast Forums

    From the Avast Support Forum (Thread: http://forum.avast.com/index.php?topic=29881.0)

    Messages like:
    Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
    are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

    Which firewall do you use?
    And, most important, is your operating system updated?

    You could get this free program from Steve Gibson's site. This small program will test your PC to see if it's vulnerable. The link below also explains what DCOM is all about.

    Microsoft's DCOM security patch leaves DCOM running...
    http://www.grc.com/freeware/dcom.htm

    It will also shut down any further occurrence.
    My advice is to make sure that:
    1. Windows is updated
    2. And your Firewall is enabled and updated

    Hope that helps,

    honda


    Note. For a list of good free firewalls: http://forums.spybot.info/showthread.php?t=18603
    Last edited by honda12; 2008-05-16 at 20:50.
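
Added example, not part of honda12's post or the Avast forum text: a small Python parser for the Network Shield message quoted above, which groups blocked alerts by port and source network so you can see whether they come from one host or from many. The sample lines are constructed, the one-message-per-line layout is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Alert text as quoted in the thread, e.g.
# Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
ALERT_RE = re.compile(
    r'Network Shield: blocked "(?P<name>[^"]+)" - attack from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})/(?P<proto>tcp|udp)'
)

# Constructed sample input (documentation address ranges, assumed layout).
SAMPLE_LOG = """\
Network Shield: blocked "DCOM Exploit" - attack from 198.51.100.7:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 198.51.100.7:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 198.51.100.200:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 203.0.113.9:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 999.1.1.1:135/tcp
some unrelated line
"""

def parse_alerts(text):
    """Return (name, source_ip, port, proto) for each well-formed alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        port = int(m["port"])
        if 0 < port <= 65535:
            alerts.append((m["name"], ip, port, m["proto"]))
    return alerts

def summarize(alerts, prefix_len=16):
    """Map (alert name, port, source network) -> (alert count, distinct sources)."""
    hits, sources = Counter(), {}
    for name, ip, port, _proto in alerts:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        key = (name, port, str(net))
        hits[key] += 1
        sources.setdefault(key, set()).add(ip)
    return {k: (hits[k], len(sources[k])) for k in hits}

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE_LOG)))
```

The default /16 grouping mirrors the first post, where the first two octets of the reported address stay fixed while the last two change.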

  3. #3
    Junior Member
    Join Date
    Feb 2008
    Posts
    18


    Windows XP SP3 with latest updates. Windows Firewall, Avast online scanner and spybot S&D.

    I know that SP2 stopped this exploit, so is this a vulnerability with SP3?

    The link you suggested states that the dcom port is open.

    If you can provide a step-by-step guide to close this exploit it would be much appreciated.

  4. #4
    Junior Member
    Join Date
    Feb 2008
    Posts
    18


    Update. I have tried using the link provided to close port 135 but this will not work. I have also tried disabling the DCOM launcher but it screws my system up.

  5. #5
    Senior Member
    Join Date
    Jan 2008
    Posts
    586


    Originally posted by LeegPlayer:
    "Windows XP SP3 with latest updates. Windows Firewall, Avast online scanner and spybot S&D."

    Leegplayer,

    To perhaps add to what honda12 said:

    "Avast! online scanner" is not an installed active antivirus that provides continuous protection, but an on-demand online scan service. You should seriously consider installing either Avast! Home Edition (free) or Avast! Professional Edition. The current release is 4.8.1195.

    Windows firewall provides NO outgoing protection at all. You should look at installing firewall software that protects both ways - refer to the link in honda12's post.
    Last edited by Greyfox; 2008-05-17 at 01:40.

  6. #6
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674


    To add to that... Practice safe hex, use a firewall (ZoneAlarm or Comodo), AV (AVG or avast!) and download the latest Service Pack and all critical updates. The latest version of avast! is 4.8.1201. Surf safe.

    http://www.avast.com/eng/avast-4-hom...n-history.html

  7. #7
    Junior Member
    Join Date
    Feb 2008
    Posts
    18


    "Avast! online scanner" is not an installed active antivirus that provides continuous protection, but an on demand on line scan service. You should seriously consider installing either Avast! Home Edition (free) or Avast! Professional Edition. The current release is 4.8.1195

    When I say Avast online scanner, this is part of the (full) avast AV program and is therefore blocking the exploit. I need to know why, after so many years of running XP, all of a sudden I am getting this exploit.

    "download the latest Service Pack and all critical updates"
    I installed SP3 (checked yesterday for updates) a couple of days ago and this seems to coincide with this. The only other possibility I can suggest is that my partner has just signed up to Facebook, but I would be surprised if this is the cause.

  8. #8
    Senior Member
    Join Date
    Jan 2008
    Posts
    586


    LeegPlayer,

    As indicated by honda12 there is some interesting reading in the Avast! forum about the DCOM exploit, and it is also perhaps worth downloading and running the Gibson DCOM exploit test he provided a link to.

    XP SP2 included a patch to prevent DCOM exploits. I can't find any information to indicate SP3 has opened it up again, but RPC has been associated with DCOM exploits and I believe that SP3 does include changes to RPC.

    Turning off the DCOM service is said to be a solution, but may have other side effects. Installation of a good quality firewall is the most commonly proposed solution.
