One intersting thing on one my servers, in the event veiwer, the user attempting to use DCOM is the IUSR account, all my applications that use DCOM are assigned specific accounts to use.I am very curious about this.
-----Original Message-----
From: Mike O'Toole [mailto:hoople_ny (at) yahoo (dot) com [email concealed]]
Sent: Wednesday, August 13, 2003 6:56 PM
To: 'Vincent Aikema'
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: attempt to launch a DCOM server?
I've seen this error (at boot up) when some application is trying to
launch the 'IISAdmin Service' to enable it's web management interface.
This was on a server that once had IIS in use but when it was
decommissioned. The IIS services were set to 'disabled' startup state.
Mike
> -----Original Message-----
> From: Vincent Aikema [mailto:vaikema (at) hotmail (dot) com [email concealed]]
> Sent: Wednesday, August 13, 2003 7:02 AM
> To: geoffreyshorter (at) hotmail (dot) com [email concealed]
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: attempt to launch a DCOM server?
>
>
> I've seen the same error that Geof reported. It appears on
> just one of my servers here...about 3 times per day. The
> error first appeared AFTER I patched the server over a week
> ago. In my case the "originating user" is in a seperate
> (country) network linked via a vpn with no firewall in between.
>
> My initial obvious conclusion was that the user installed
> some exploit utility either intentionally or unintentionally
> and it is being run automatically. However the local admin
> there hasn't discovered any problem on that user's PC, but
> is still pursuing it. My main concern now is what
> did it do on the server BEFORE it was patched last week.
> I don't see anything abnormal, but...
>
> If anyone has any info on this, I'd also like to know :-)
>
> Ciao,
> Vincent
>
>
> -----Original Message-----
> From: Geoffrey Shorter [mailto:geoffreyshorter (at) hotmail (dot) com [email concealed]]
> Sent: Tuesday, August 12, 2003 9:36 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: attempt to launch a DCOM server?
>
> One of our machines, which we know is patched against the RPC DCOM
> vulnerability, reported this at 12:16:33 this afternoon:
>
> System Error 10002
> Access denied attempting to launch a DCOM Server.The server
> is:{<bunch of
> numbers here>}The user is <servicename>/<servername>,
> SID=S-1-5-21-00000000000-000000000-0000000000-0000.
>
> Names and numbers changed/removed to protect the innocent, of
> course... :)
>
> Is the above an indication of someone attempting to exploit
> the RPC DCOM
> vulnerability?
>
> Anyone know?
>
> Thanks.
> geof
>
------------------------------------------------------------------------
---
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
------------------------------------------------------------------------
---
-----Original Message-----
From: Mike O'Toole [mailto:hoople_ny (at) yahoo (dot) com [email concealed]]
Sent: Wednesday, August 13, 2003 6:56 PM
To: 'Vincent Aikema'
Cc: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: attempt to launch a DCOM server?
I've seen this error (at boot up) when some application is trying to
launch the 'IISAdmin Service' to enable it's web management interface.
This was on a server that once had IIS in use but when it was
decommissioned. The IIS services were set to 'disabled' startup state.
Mike
> -----Original Message-----
> From: Vincent Aikema [mailto:vaikema (at) hotmail (dot) com [email concealed]]
> Sent: Wednesday, August 13, 2003 7:02 AM
> To: geoffreyshorter (at) hotmail (dot) com [email concealed]
> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: attempt to launch a DCOM server?
>
>
> I've seen the same error that Geof reported. It appears on
> just one of my servers here...about 3 times per day. The
> error first appeared AFTER I patched the server over a week
> ago. In my case the "originating user" is in a seperate
> (country) network linked via a vpn with no firewall in between.
>
> My initial obvious conclusion was that the user installed
> some exploit utility either intentionally or unintentionally
> and it is being run automatically. However the local admin
> there hasn't discovered any problem on that user's PC, but
> is still pursuing it. My main concern now is what
> did it do on the server BEFORE it was patched last week.
> I don't see anything abnormal, but...
>
> If anyone has any info on this, I'd also like to know :-)
>
> Ciao,
> Vincent
>
>
> -----Original Message-----
> From: Geoffrey Shorter [mailto:geoffreyshorter (at) hotmail (dot) com [email concealed]]
> Sent: Tuesday, August 12, 2003 9:36 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: attempt to launch a DCOM server?
>
> One of our machines, which we know is patched against the RPC DCOM
> vulnerability, reported this at 12:16:33 this afternoon:
>
> System Error 10002
> Access denied attempting to launch a DCOM Server.The server
> is:{<bunch of
> numbers here>}The user is <servicename>/<servername>,
> SID=S-1-5-21-00000000000-000000000-0000000000-0000.
>
> Names and numbers changed/removed to protect the innocent, of
> course... :)
>
> Is the above an indication of someone attempting to exploit
> the RPC DCOM
> vulnerability?
>
> Anyone know?
>
> Thanks.
> geof
>
------------------------------------------------------------------------
---
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the only company that provides a complete suite of Web
application security products.
Download a FREE whitepaper on "Security Policy Automation for Web
Applications":http://www.securityfocus.com/Kavado-focus-ms
------------------------------------------------------------------------
---
[ reply ]