From: delacruzma at msn.com (Michael De La Cruz)
Subject: RPC DCOM footprints

Hello all,

Just in case some other security professionals are looking at identifying if their boxes have been exploited, I've typed up some occurrences after a successful DCOM exploit.

- Windows XP SP 0 (haven't tried it on SP 1 yet)
  Generates a System Shutdown message after a disconnect. The message indicates that Windows must now restart because the RPC service terminated unexpectedly.

- Windows 2000 Professional all SPs
  A Service Control Manager error is reported on the Application Logs with a message ID of 7031 indicating that RPC terminated unexpectedly. The W2K boxes I've tested this on didn't allow me to view the event logs after exploitation. A few mmc.exe error messages also appeared. A quick reboot appeared to alleviate the event log viewing issue.

*Note* This is using the final universal DCOM exploit that was found on http://cyruxnet.com.ar/rpcxploit2.htm. I've heard there is an exploit that does not crash the port though, so an error may not be generated with that exploit.

I'll try to include any new effect I manage to gather from my tests. Did anyone else experience these types of behaviors?

Thanks.

Michael De La Cruz
Information Security Officer
delacruzma@....com
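The event 7031 footprint described in the message above can be searched for across exported event log records. The following is an added example, not part of the original post: the CSV column names, host names, timestamps and sample rows are constructed assumptions, and the filter keeps only Service Control Manager 7031 records that name the RPC service, so crashes of other services are not flagged.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export (hypothetical column names), not real log data.
SAMPLE_CSV = """TimeGenerated,ComputerName,Source,EventID,Message
2003-08-01 09:14:02,WS-01,Service Control Manager,7031,"The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s)."
2003-08-01 09:20:11,WS-02,Service Control Manager,7031,"The Print Spooler service terminated unexpectedly. It has done this 1 time(s)."
2003-08-01 10:02:45,WS-01,Service Control Manager,7031,"The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 2 time(s)."
2003-08-01 10:05:00,WS-03,Service Control Manager,7035,"The Remote Procedure Call (RPC) service was successfully sent a start control."
2003-08-01 11:30:19,WS-04,OtherSource,7031,"Remote Procedure Call (RPC) mentioned by an unrelated source."
"""

# 7031 is logged for any service that dies; match only the RPC service text.
RPC_CRASH = re.compile(
    r"Remote Procedure Call \(RPC\) service terminated unexpectedly", re.I)


def find_rpc_crashes(csv_text):
    """Return {host: [timestamps]} for SCM event 7031 records naming RPC."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"].strip() != "7031":
            continue  # other event IDs are out of scope
        if row["Source"].strip().lower() != "service control manager":
            continue  # same ID from another source is a different event
        if not RPC_CRASH.search(row["Message"]):
            continue  # another service crashed, not RPC
        stamp = datetime.strptime(row["TimeGenerated"].strip(),
                                  "%Y-%m-%d %H:%M:%S")
        hits[row["ComputerName"].strip()].append(stamp)
    return {host: sorted(times) for host, times in hits.items()}


def summarize(hits):
    """One line per host: crash count plus first and last occurrence."""
    return [f"{h}: {len(t)} RPC crash(es), first {t[0]}, last {t[-1]}"
            for h, t in sorted(hits.items())]


if __name__ == "__main__":
    for line in summarize(find_rpc_crashes(SAMPLE_CSV)):
        print(line)
```

As the message notes, a variant that does not crash the service may leave no such record, so an empty result does not clear a host.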