Attacks on my computer by DCOM Exploit

Hello!
I had very many attacks on my computer from some IP addresses: 218.48.49.15, 218.50.78.135, 218.50.43.129, etc. Antivirus Avast blocked attacks from these addresses with a message including the virus name “DCOM Exploit”. Using NeoTrace I located these IP addresses in some networks in Seoul.
I am located in Seoul, but I know that hackers can mask themselves under other addresses.
I have questions:

  1. How may a hacker determine my IP address (I know some ways: by transferring files via ICQ, registering on some sites). Are there other ways?
  2. Can I determine the real IP address of a hacker if he masked his IP address?

  1. They don’t determine your IP, they just use random IP number blocks and cycle through them (using a program) in the hope that they hit a vulnerable system.

  2. This may be a somewhat pointless exercise; the IP may be for an ISP and it could be one of their customers’ systems that is infected and pumping out these exploit attempts.

This is the avast Network Shield working, which is an intrusion detection system monitoring known attack points. It would appear that your firewall isn’t blocking these attempts, as a competent firewall should catch this before avast.
What is your firewall?

If your operating system is up to date it is likely it wouldn’t be vulnerable to this exploit.
What Operating System are you using? Is it up to date?

Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections. Could you post the information about the warning/attempt?
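As an added illustration of what the Log Viewer advice above can tell you (this is example code, not the thread’s own or avast’s), the script below triages constructed alert lines of the kind a host firewall or avast Network Shield might record and groups the sources of “DCOM Exploit” attempts by address block. The log format, timestamps and port numbers are made up for the example; the three source addresses are the ones quoted in the question. Seeing hits spread across neighbouring blocks, rather than one repeat offender, is consistent with the random block-scanning described in the reply above.

```python
# Added example, not from the forum thread: group blocked "DCOM Exploit" alerts by
# source address and by enclosing /16 block. Log format is constructed for this example.
from collections import Counter
from ipaddress import ip_address, ip_network
import re

# Constructed sample alerts; the source IPs are the ones the original poster reported.
SAMPLE_LOG = """\
2008-03-01 10:12:03 Network Shield: blocked DCOM Exploit from 218.48.49.15:4137
2008-03-01 10:12:09 Network Shield: blocked DCOM Exploit from 218.50.78.135:2081
2008-03-01 10:13:44 Network Shield: blocked DCOM Exploit from 218.50.43.129:3390
2008-03-01 10:15:02 Network Shield: blocked DCOM Exploit from 218.50.78.135:2099
2008-03-01 10:17:11 Network Shield: some other event without an address
"""

# Matches "blocked <name> from <ipv4>:<port>" at the end of an alert line.
LINE_RE = re.compile(r"blocked (?P<name>.+?) from (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$")


def parse_alerts(text):
    """Return a list of (alert name, source IPv4Address) for lines that are blocked-attack alerts."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            alerts.append((m.group("name"), ip_address(m.group("ip"))))
    return alerts


def summarize(alerts, name="DCOM Exploit", prefix=16):
    """Count attempts per source IP and per /prefix block for one alert name."""
    per_ip = Counter()
    per_block = Counter()
    for alert_name, ip in alerts:
        if alert_name != name:
            continue
        per_ip[str(ip)] += 1
        # strict=False masks host bits so 218.50.78.135/16 becomes 218.50.0.0/16
        per_block[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return per_ip, per_block


if __name__ == "__main__":
    ips, blocks = summarize(parse_alerts(SAMPLE_LOG))
    for block, n in blocks.most_common():
        print(f"{block}: {n} attempt(s)")
    for ip, n in ips.most_common():
        print(f"  {ip}: {n}")
```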

How to disable DCOM support in Windows

http://support.microsoft.com/kb/825750/en-us

Disabling DCOM support in Windows

http://support.microsoft.com/kb/825750/ru

Isn’t it the same as disabling the DCOM service? If not, what is the DCOM service needed for?

There really isn’t any need to disable DCOM; if your system is fully up to date it isn’t vulnerable to the DCOM exploit (patched by MS years ago). That way, if DCOM is required for legit purposes, it is available.

What firewall are you using? A good firewall that stealths all your ports should prevent those attacks. I recommend PC Tools Firewall Plus; it will stealth your ports with the default settings and uses little RAM. Works for me. Requires 2000, XP or Vista 32-bit.

Here are some free choices for older systems:

Agnitum Outpost Firewall Free
http://www.majorgeeks.com/Outpost_Firewall_Free_d1056.html

Filseclab Personal Firewall
http://www.filseclab.com/eng/products/firewall.htm

Jetico v1
http://www.jetico.com/index.htm#/jpfirewall.htm

Look’n’Stop Lite
http://www.soft4ever.com/LooknStop/En/LooknStop_Lite_Setup_104.exe (direct download)

Kerio Personal Firewall 2.1.5
OS: Win98/Me/NT4/2000/XP
Kerio Personal Firewall is a small and easy to use system designed for protecting a personal computer against hacker attacks and data leaks. It is based on the ICSA certified technology used in the WinRoute firewall. The firewall itself runs as a background service, using a special low-level driver loaded into the system kernel. This driver is placed at the lowest possible level above the network hardware drivers. Therefore, it has absolute control over all passing packets and is able to ensure complete protection of the system it is installed on.

Download (2018 kB) http://www.321download.com/LastFreeware/files/keriopf215.zip

Hi folks,

It could also have been part of a blaster worm attack as it uses this same exploit.

polonus

Thanks very much. My problem was in the firewall. Now all is good and the attacks have stopped.

Halio vly67,

Thanks for reporting. Welcome to the forums. As they say in Russian: “Naboj!”.

regards,

polonus

Glad we could help.

With a firewall the speculative DCOM attacks (or attempts) probably haven’t stopped, just that your firewall is now intercepting them.

Welcome to the forums.