Organized Crazy Addicts

Zed

F30002 DCE/RPC DCOM buffer overflow exploit attempt detected.

whats up with this message, its on my firewall over and over.

LeeBe · Posted: Thu Sep 04, 2003 9:35 pm Post subject:

Yeah thats from the blaster worm. I got a load of those.

Shaman · Posted: Fri Sep 05, 2003 6:17 pm Post subject:

on port 135 no doubt ?

Zed · Posted: Fri Sep 05, 2003 11:22 pm Post subject:

nope, 1672

LeeBe · Posted: Sat Sep 06, 2003 12:04 am Post subject:

weird.... its usually 135, 137 or 139 Confused

Shaman · Posted: Sat Sep 06, 2003 2:54 pm Post subject:

OMG .....might b a real live hack atempt then lol j/k
is strange though 99.9% of the stuff in my firewall from the blaster worm thingy, was on port 135

roba · Posted: Sat Sep 06, 2003 3:11 pm Post subject:

Firewall logs are funny reading heh, I have there 300+ entries since morning Shocked

various ports, but 135 is winner Smile

btw Spidy, please choose another (smaller) sig, only very small gfx sigs are allowed on our forums, ty Smile

Zed · Posted: Sat Sep 06, 2003 6:46 pm Post subject:

yeah but I've had port 135 blocked for a long time now.

lol spidy, strange thing was when I saw it I disconnected, got a new IP and it happened again about 10 secs later, from the same IP. I then blocekd out 1672 and nothing since then.

I had over 100 attacks in an hour, once I blocked the port, none in a day or so. Very weird.

roba · Posted: Sat Sep 06, 2003 7:15 pm Post subject:

Google says that 1672 is used by IBM Tivoli Netview under AIX. Dont ask me what is it used for lol, but its probably some network thingy:

Shaman · Posted: Sat Sep 06, 2003 7:17 pm Post subject:

yea i get nothing now ive blocked that port too...
here is a link to a freeware prog to disable dcom and block port 135 if anyones not sure what to do...... http://grc.com/files/DCOMbob.exe...
u can test 4 open ports here to....https://grc.com/x/ne.dll?bh0bkyd2