Network Shield Attacks

Ok, lately I got a bit worried as sometimes I could get this on certain days:

21.10.2008 21:11:22 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 21:30:02 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 21:32:04 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 21:33:23 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 21:50:26 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 22:14:21 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 22:18:15 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 22:30:08 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 22:56:49 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 23:13:21 DCOM Exploit attack from 78.43.81.144:135

Should I be a little worried that someone is trying to hack me or something? :confused:

Hi Otaku Ichise,

Make sure you are not vulnerable to this attack and install the Microsoft HotFix:
read here: http://www2.montana.edu/desktop/rpc.htm
The address is a RIPE address from Amsterdam,

polonus

I would be happy as the exploit attempt failed.

First, a DCOM exploit would only work if your OS was vulnerable, e.g. way out of date (and from your time on the forums I don’t think that is so). This, however, doesn’t stop people trying speculative attacks in the hope that they will find a vulnerable system.

Normally your firewall should be your first line of defence in these DCOM attacks. What is your firewall?

The attacks aren’t directed at you specifically; they use random IP address generators like 123.123.123.123, incrementing the address by 1 each time, 123.123.123.124, and on each IP address they fire off the speculative attack on the DCOM port 135 and hope to get a hit.

Your IP address from your ISP is dynamically assigned so you shouldn’t have the same one each time you connect unless you have a fixed IP address (you would have to ask for that and pay extra). So they would be very lucky to hit you constantly as your IP changes.

This is where it is coming from:

Checking IP: 78.43.81.144...
Name: HSI-KBW-078-043-081-144.hsi4.kabel-badenwuerttemberg.de
IP: 78.43.81.144
Domain: kabel-badenwuerttemberg.de

Querying root.rwhois.net:4321 for kabel-badenwuerttemberg.de

Querying whois.denic.de for kabel-badenwuerttemberg.de
Domain: kabel-badenwuerttemberg.de
Status: connect

Now that is a cable company in Germany, but it doesn’t mean it is coming from them. They are probably an Internet Service Provider and one of their customers’ systems is likely to be infected and is trying to infect other systems.

So now you should have a good understanding of why it isn’t targeted directly at ‘you.’

If you have been using an updated operating system and a firewall, you won’t be seeing those attacks…

I use PC Firewall tools only 1 month ago, maybe I was late installing firewall when this tried to attack me a little earlier, I'm going to try 1st suggestion up there about Microsoft HotFix.

Today got these:

22.10.2008 14:00:23 DCOM Exploit attack from 219.105.88.201:135
22.10.2008 15:49:54 DCOM Exploit attack from 219.105.88.201:135

You only need the hotfix if your system isn’t up to date.

The attacks are by a bot and are random, and this one is from a Japanese IP address.

The attacks are from outside your system so have nothing to do with your not having installed your firewall until recently. Though I would have thought the PC Tools firewall would be the one intercepting these attacks and if it was you wouldn’t notice, it is just that avast alerts that you know about them.

It says my service pack is already updated :confused: and doesn't use that hotfix, I have always been updating my XP though so didn't get surprised, just thought it was a hotfix that could be used again.

Hopefully it won't be anything I think…

As I said from your previous posting history I didn’t think you would be vulnerable as the original security patch (hotfix) is years old.
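To see at a glance who is knocking and how often, the Network Shield entries can be grouped by source address. This is an added example, not part of the original thread: the line layout is taken from the two excerpts quoted above, and the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries copied from the two log excerpts quoted in the thread.
SAMPLE_LOG = """\
21.10.2008 21:11:22 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 21:30:02 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 21:32:04 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 21:33:23 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 21:50:26 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 22:14:21 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 22:18:15 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 22:30:08 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 22:56:49 DCOM Exploit attack from 78.43.81.144:135
21.10.2008 23:13:21 DCOM Exploit attack from 78.43.81.144:135
22.10.2008 14:00:23 DCOM Exploit attack from 219.105.88.201:135
22.10.2008 15:49:54 DCOM Exploit attack from 219.105.88.201:135
"""

# Layout as shown in the thread: date, time, alert name, "attack from", ip:port.
ENTRY = re.compile(r"(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (.+?) attack from "
                   r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def parse(text):
    """Return (timestamp, alert, source_ip, port) tuples, even from run-together text."""
    return [(datetime.strptime(ts, "%d.%m.%Y %H:%M:%S"), alert, ip, int(port))
            for ts, alert, ip, port in ENTRY.findall(text)]

def summarize(entries):
    """Group alerts by source: count, first/last seen, mean gap between hits (minutes)."""
    by_src = defaultdict(list)
    for ts, _alert, ip, _port in entries:
        by_src[ip].append(ts)
    report = {}
    for ip, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        report[ip] = {
            "count": len(times),
            "first": times[0], "last": times[-1],
            "mean_gap_min": round(sum(gaps) / len(gaps), 1) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for ip, s in summarize(parse(SAMPLE_LOG)).items():
        print(ip, s)
```
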