DCOM exploit attack

I know that this subject has already been discussed several times; I read through them but couldn't find the answer to my problem…

I get this DCOM-exploit attack message from my avast network shield all the time. When I check with my sygate firewall traffic log I see that some of the same IP addresses that are blocked by the network shield are let through by the firewall. Those that get through the firewall are not blocked by the network shield (comparing the time of attacks/traffic in the logs).

I have back traced some of the IP addresses and I ended up at 2 places: ripe.net and iana.com (internet assigned number authority). At those places I could again search for the IPs and the result was the name of my internet provider. I know how to remove the warning messages but it still bothers me that I don't know what's going on.

Can anyone clear this up for me?

Only thing that is going on is that infected systems are trying to spread the infection to your system. If your firewall lets these things through it is not set up correctly.

For definitions of DCOM and EXPLOIT you can look HERE

Why not contact your isp with all the relevant details of the ip addresses and times from your logs?

They should be able to monitor and contact the users if they detect an infected machine. My isp will put any suspected machine within a “walled garden” of web sites to address the problem with regards to malware removal. This might or might not be the case with your isp, but a report to abuse@ … might solicit a response.

Also make sure your machine is fully patched, and if you have any doubts about an infection try working through some of the excellent links provided here. A search for malware removal on the forum will yeild lots of results to many programmes to secure your system.

Quick edit! that would be yield! Sometimes my fingers don’t move at the same time as my thoughts :wink:

Hi,
please read up on BLASTER, SASSER, DCOM & LSASS-Exploits here on the board, at Microsoft or basically any security-related website, to know how Network-worms work, and use avast help or board-search to see how avast's new NETWORK-SHIELD works (if it alerts you, it caught & blocked something: it's not over-sensitive)

you didn’t get infected because

  • either you have all Windows updates/patches against these exploits in place (in which case they can't do you any harm - so far) or
  • because your firewall DID block them
  1. Nope… they have been happening since 2003 or thereabouts but you didn’t see them because either your firewall blocked them, or you were protected by WindowsUpdates (see 1)

And only since avast has incorporated its new NETWORK-Shield in v4.5 you get alerted to those attacks.
(you can switch off the WARNINGS in the networkshield options, without losing the protection)
And where/if they appear (avast/or FW) depends on whether avast’s Network-Shield or Firewall gets loaded first on Windows startup
(and of course it depends on whether your FW is configured correctly and if you can interpret its logs ;))
:slight_smile: