Amiga.org
The "Not Quite Amiga but still computer related category" => Alternative Operating Systems => Topic started by: Vincent on August 11, 2003, 10:11:10 PM
-
My cousin runs Windows XP and connects to the net using BTOpenworld.
Today she has run into problems with it. She can connect for about five minutes before getting an error message:
Remote Procedure Call terminated unexpectedly
Then the PC has to reset.
Anyone know how to fix this? This hasn't happened before and she's not the type to go into settings and stuff if she doesn't know what she's doing.
Thanks. :-)
-
Maybe I'm wrong.. but in the network options
The only thing needed is TCP/IP
- no Microsoft Client
- no QoS Planner
- no other Protocol
-
I honestly have no experience at all with networking stuff, so I don't know what you mean. This is the first time I've ever heard of this Remote Procedure Call.
In this topic treat me like I'm technically illiterate :-D
-
Wow, I got a support call at work about this exact problem just before leaving today! Same symptoms, same OS. Don't know what the cause is though, we support our own software running under windows, not windows itself... But I'll let you know if I find out what the problem was.. sounds almost like something broken at m$ or something (XP talking with m$ on a regular basis and all...)
-
There is a patch available to fix this problem, it's a security hole discovered by some l33t h4x0rs... you can get it here (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp)
-
Hmm, not entirely sure what it is, but I know the RPC port (135, IIRC) is often exploited by script kiddies and the likes.
And with the recent warnings about a massive attack building up, I'd take precautions in that regard, eg. install a firewall or not use Windows :-P
-
@Turambar
Well done that man. I've been attacked in the same manner over the past 24-36 hours a few times, with it getting critical a few hours ago. I finally figured the workaround of enabling the firewall, but hadn't got round to checking the MS site to see if it was a well known problem (then again, I wasn't sure if the problem was local or not at first).
You've saved me some time searching. ;-)
-
Above link looks right.
See:
Slashdot article (http://developers.slashdot.org/developers/03/08/11/2048249.shtml?tid=126&tid=172&tid=185&tid=190&tid=201)
SANS article linked from Slashdot (http://isc.sans.org/diary.html?date=2003-08-11)
CERT: Patched Win2k still has a denial-of-service vulnerability (http://www.kb.cert.org/vuls/id/326746)
Probably be all over the news tonight, anyhow.
Applying the RPC DCOM patch or firewalling TCP port 135 incoming should provide safety from infection by this particular worm; with Win2k, sounds like only the second can avoid potential DoS from hammering of the port. Once one machine is infected, it can of course spread to other machines on its local segment (cable modem subscribers - enjoy another Code Red)... Patching with the existing MS patch will not deactivate the payload - for that, you'll have to find the MSBlast.exe file, and delete it and the autorun reference in the registry as placed on a successful infection; quoting SANS:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'
(Presumably you can distinguish this from any actual services by reference to the MSBlast.exe file?)
Remember, this information may become obsolete as the code is studied more closely.
-
@Merc
I've just read on another forum someone asking about the same thing, no answers there yet though.
@Turambar
I've just had a quick look at that link, but I have no idea where I should go from there to get the patch. Could you give me a direct link to it? Also, do you know how big the patch is?
@Blomberg
I don't think they have a firewall installed yet - they (well, me really) were going to install WinXP again as they are having a few problems with it, but I don't have the time to do that just yet.
Edit: just seen Floid's post, very helpful indeed :-D
Edit2: how do you find out if you have the 32-bit or 64-bit version of XP? (I think it's Home Edition she has btw)
-
This worm has been plaguing my chosen IRC server all day.
The message is:
ALERT!!! a worm has been released which is targeting vulnerable windows systems on port 135. This will explain users who's pc's suddenly reboot. see http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp for more details
-
Unless it's an Itanium, it's 32-bit. And no, it's not an Itanium.
Scrolling through the Slashdot thread shows a few related worms taking advantage of the vulnerability, some nastier than the presently-virulent one. As always, take Slashdot advice with a grain of salt, and Google until you find confirmation from something resembling a reputable source (CERT, SANS, McAfee, Norton, etc.).
As noted in some of the comments, XP has a software firewall that can be thrown up as defense from reinfection while applying the patch and trying to clean up the mess. If you aren't confident, you may want to find someone more deeply Windows-familiar to deal with the registry editing and associated hair-pulling.
-
Oh, and let me add this: Windows users should always be using a firewall at all times, preferably a hardware or linux one but a personal firewall will do. Your systems are desperately vulnerable, and not only that, can be used as a platform to attack other users and sites, and to spread malicious code. Please install a firewall ASAP, preferably with port filtering on both sides of the firewall.
-
@Floid
I'm confident enough to go through the registry to fix this (I've been through a registry before) so I'll hopefully be able to fix it tomorrow.
@KennyR
After applying the patches (which I'm d'ling now) I'll be installing a firewall for her :-D
Edit: I didn't expect to get this many replies this quick ! Cheers guys :-D
-
Hi,
The minute I saw this thread the same message came on to my screen too. I just want to quickly check my mail and then this. It really made me angry. I wonder how it got on my machine since I use Norton and it is up to date.
Anyway thnx to Floid who wrote here about the registry and the file I was able to stay online. Now I am getting the fix and all.
Anyway, if you ever see me, collect your free beer Floid.
Coder
-
To quote Calen on IRC just now:
[00:39:25] its time like this u love windows even more huh
:lol:
-
Another filename to keep an eye out for is msmsgri32.exe
I just found that on my sister's computer as I was setting it up for her new ADSL connection, it was causing a lot of 'red' traffic in the outgoing direction.
Didn't think it was related to this attack until Vincent here found the exact same one, I repeat: msmsgri32.exe - get rid of it :-)
-
To further what Blomberg's said, use msconfig to disable it (under startup) and clean the registry - there's one entry for it.
It's in something like:
Local machine:software\microsoft\shared tools\msconfig\startupreg\mssyslanhelper
edit: if you have Win2k, try to find someone with WinXP and copy their msconfig - it works on Win2k as well :-)
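Floid's post earlier in the thread names the Run value ('windows auto update' pointing at MSBlast.exe) and the post above names the msconfig startupreg entry (mssyslanhelper for msmsgri32.exe). As an added example, not code from any poster or vendor cited here, this script checks a regedit export of those keys for exactly those indicators; the export embedded below is constructed sample data, not a capture from a real machine.

```python
"""Added example: scan a .reg export of the autorun keys this thread names for
the indicators it quotes. SAMPLE_REG is constructed sample data."""
import re

# Indicators quoted in the thread; compared case-insensitively.
SUSPECT_VALUE_NAMES = {"windows auto update", "mssyslanhelper"}
SUSPECT_FILES = {"msblast.exe", "msmsgri32.exe"}
# Only values under the Run key and msconfig's startupreg store are inspected.
AUTORUN_KEY_HINTS = ("\\currentversion\\run", "\\msconfig\\startupreg")

# Constructed export (regedit "Export" of the two keys), with one clean entry for contrast.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mssyslanhelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgri32"
"command"="C:\\WINDOWS\\System32\\msmsgri32.exe"
"""

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export.
    Only string values are handled; hex/dword values are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            # .reg files double backslashes and escape quotes inside string data
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data


def find_autorun_indicators(reg_text):
    """Return {registry key: sorted reasons} for every autorun entry whose value
    name or executable matches something named in the thread."""
    findings = {}
    for key, name, data in parse_reg(reg_text):
        if not any(hint in key.lower() for hint in AUTORUN_KEY_HINTS):
            continue
        leaf = key.rsplit("\\", 1)[-1].lower()             # startupreg uses one subkey per item
        exe = data.lower().rsplit("\\", 1)[-1].strip('"')  # basename of the command
        reasons = findings.setdefault(key, set())
        if name.lower() in SUSPECT_VALUE_NAMES or leaf in SUSPECT_VALUE_NAMES:
            reasons.add("value name matches an entry named in the thread")
        if exe in SUSPECT_FILES:
            reasons.add("runs " + exe)
        if not reasons:
            del findings[key]
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for key, reasons in find_autorun_indicators(SAMPLE_REG).items():
        print(key)
        for reason in reasons:
            print("   ", reason)
```

Export the two keys from regedit on the machine being cleaned and feed that text to find_autorun_indicators instead of SAMPLE_REG; a clean export returns an empty dict.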
-
Vincent wrote:
edit: if you have Win2k, try to find someone with WinXP and copy their msconfig - it works on Win2k as well :-)
Arr arr and a barrel of rum! :-D
-
It wasn't until about 0:30ish that I discovered that I had actually been infected with this virus as well. I had the msmsgri32.exe file.
Thankfully it didn't "work" on my setup. Now I know first hand how to get rid of it and close the ports I'll be able to easily do it on my cousin's PC setup :-D
I'm not promoting this hacker in anyway, but I do agree with his message:
"billy gates why do you make this possible? Stop making money and fix your software!"
Too true! :-D
-
Gotta love Windows.
Here's Symantec's writeup (http://www.symantec.com/avcenter/venc/data/w32.randex.d.html) on the second (msmsgri32.exe) worm, for anyone else reading. They call it W32.Randex.D, with an associated Backdoor.Roxy or Backdoor.Trojan. (W32/Slanper.worm [McAfee], W32/Slanper-A [Sophos], Worm.Win32.Randex.d [KAV])...
...Since it spreads by testing victim machines' accounts for weak passwords, one could imagine it might be heavy on outgoing traffic. Via Sophos's writeup (http://www.sophos.com/virusinfo/analyses/w32slanpera.html) and a little bit of knowledge, the NetUserEnum() function mentioned is part of the old Lan Manager function set, running over SMB on port 445 (TCP? UDP?). I have no idea which services would need disabling to block it without firewalling, but maybe someone else does.
Symantec's removal instructions for Randex seem to take out the backdoor at the same time, but there is a separate page for the Roxy aspect itself.
---
Back on the original thread, names for the RPC worm du-jour seem to be settling out to "Blaster," "MSBlast," or "Lovsan," if you need words to Google for. The original SANS article (http://isc.sans.org/diary.html?date=2003-08-11) has been updated with some links, cleaning utilities, etc. In fact, may as well put the Symantec Blaster removal tool (http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html) in a nice bold link for anyone still suffering.
-
It got to me too ... grrrr
I just hope I have time enough to download and install it before this thing shuts down my computer.
-
Vince, you put this into 'alternative operating systems'?!!
:-P
-
@Kees
Put up the firewall and this will give you the time you need.
My server was under heavy attack until I did this. The trouble I have now is that I can't locate any of the worms mentioned. The registry is clean, and the files mentioned aren't on my system either.
Grrrr...
-
There are quite a few steps needed to secure RPC and Windows filesharing services, so I can't just quote a particular step, but my install guide for win2k might help:
win2k install guide (http://www.legolas.com/wac/install-win2k-workstation-mikec.txt)
I've not installed XP from scratch before, but XP is similar enough to Win2k.
-
It got to me too ... grrrr
How? I treat ALL e-mails with attachments with suspicion. Even when they are from someone I know.
I always run behind one of these (http://www.ebuyer.com/customer/products/index.html?action=c2hvd19wcm9kdWN0X3Jldmlld3M=&product_uid=44088) as well as running ZoneAlarm (http://www.zonelabs.com/store/content/home.jsp). Virii are kept in check with AVG (http://www.grisoft.com/us/us_dwnl_free.php).
With near-weekly incidents like these, it's impossible to not get paranoid running a Winbox that's connected to the net.
-john
-
AFAIK there's a worm that propagates via insecure RPC as well as via email.
-
I didn't have any problems... this is all Linux propaganda...
lol
-
I wonder how it got on my machine since I use Norton and it is up to date.
1) It's not a virus in the traditional sense.
2) Norton or any other virus killer has no way of stopping new viruses and worms. The virus/worm needs to be captured, analyzed and finally detection and removal code written for it. This is very specialized handwork and cannot be made automatic, so it takes time.
With today's fast spreading distributed worms and exploitable Windows holes it's almost impossible to get generic solutions against such things. If you want to be safe, get rid of Windows. Or at least run a real firewall (NO, the Windows built-in firewall is no solution here).
One up-to-date hardware firewall or a linux/bsd box routing all traffic should be enough to stop 99% of the baddies.
-
1) It's not a virus in the traditional sense.
2) Norton or any other virus killer has no way of stopping new viruses and worms. The virus/worm needs to be captured, analyzed and finally detection and removal code written for it. This is very specialized handwork and cannot be made automatic, so it takes time.
Oh no, please let's not start one of those discussions :-)
-
what do you mean i don
-
As Piru said, this is not a traditional virus, so anti-virus software is useless against it. Even if it did recognise it, all anti-virus software can do is clear your system after infection, nothing more. It would not prevent further attacks.
This is a worm attacking a vulnerability (read bug) as described on the Microsoft site (linked earlier in the thread). Unfortunately, it's unlikely that anyone will ever remove ALL such vulnerabilities from any operating system.
Using Linux provides better protection simply because it's less of a target for attack, not because it has fewer vulnerabilities.
Professional firewalls and/or dedicated hardware routers further reduce the likelihood of a successful attack, but no system is totally secure.
-
One up-to-date hardware firewall or a linux/bsd box routing all traffic should be enough to stop 99% of the baddies.
Actually no, well-educated computer users should be enough to stop 99% of the baddies.
-
I have no idea how it got to me .. but it did.
I installed the patch from the ms site and everything seems to be fine now.
-
There's a tool here (http://grc.com/default.htm) to check if your port is open for abuse.
AVG has been updated to include checking for the 'Lovsan' that exploits the flaw.
-john
-
I never leave my ports open.
ahem...
-
I never leave my ports open.
Web browsing must be tedious :-)
-
mikeymike wrote:
I never leave my ports open.
Web browsing must be tedious :-)
Either that, or he's a French farmer ;-)
-john
-
Every time I read threads like this I have a feeling of peace and freedom. At home I surf the web with my A1200 and a PC with BeOS, so no viruses, dialers, popups, attacks and no need for firewalls... just the nicer side of the web, aahhh :-P
Varthall
-
Gawd, I've only just got back from sorting out a friend's system that got infected with Bugbear.
The silly moo had a firewall and antivirus installed, but she hadn't updated them since they were installed last November :-o
I've just checked my firewall logs, and in the last 12 hrs, 75% of attempted connections are for the RPC port 135... Times like this make me glad that I refuse to upgrade from Win98... ;-)
And Microsoft want us to believe in their "Trustworthy Computing Initiative"...
However many $$ they spent on those couple of months of bugfixing and security checking last year, it wasn't enough..
-
merde! :-P
-
Elektro wrote:
I didn't have any problems... this is all Linux propaganda...
Linux propaganda? Hmmph!
(http://www.tendra.org/~nonce/pics/dfbsd/glorious_dfbsd.jpg)
:-D
-
Kees wrote:
It got to me too ... grrrr
Hmm, "Senior Webmaster gets victimised by mere trojan" :-o
Tsk tsk tsk ...
:-D
-
I've just checked my firewall logs, and in the last 12 hrs, 75% of attempted connections are for the RPC port 135... Times like this make me glad that I refuse to upgrade from Win98...
Seems to be a very common thing of late, you can directly test if you're at risk with this by clicking
here (https://grc.com/x/portprobe=135) (port 135 on your comp will be probed)
This link will instantly and easily test anyone's Internet-connected PC. "Open" is BAD, "Closed" or "Stealth" is safe.
Lots of other security tests can be performed at the main Shields Up (https://grc.com/x/ne.dll?bh0bkyd2) page which we all had fun time? on IRC doing last night :-)
Welcome to probe central ;-)
-
Calen wrote:
Seems to be a very common thing of late, you can directly test if you're at risk with this by clicking
here (https://grc.com/x/portprobe=135) (port 135 on your comp will be probed)
This link will instantly and easily test anyone's Internet-connected PC. "Open" is BAD, "Closed" or "Stealth" is safe.
Lots of other security tests can be performed at the main Shields Up (https://grc.com/x/ne.dll?bh0bkyd2) page which we all had fun time? on IRC doing last night :-)
Seems to me that test isn't very reliable.
I probed my ports several times without changing any firewall settings, and still I got different results on some ports (some times closed, some times stealthed), but at least they didn't appear to be open :-)
-
but at least they didn't appear to be open
Yep, that's the main thing. I ain't probed more than once tbh, once was enough for now, maybe later ;-)
-
as long as you two don't start probing backdoors...
:-P :-P :-D
-
Gibson (of GRC) is sort of a benign loon; he does his best to help the little guy, but there's the bit of the showman to him, and his technical knowledge itself is really only.. middling to average. Off the top of my head, DSLReports offer some similar tests (http://dslreports.org/tools) with more detail and less obfuscation, or you can find a copy of 'nmap' or another portscanner and conduct them yourself (though you'll probably want a remote machine to test from).
Basically, 'closed' would indicate the port returned a TCP reset or reset/ACK pair. 'Stealth,' from Gibson's perspective, seems to indicate the port didn't respond at all - well and good - but you can get the same impression if the packets are lost on their way for whatever reason. If you're stuck using people's web-based tools, it's good to get a second or third opinion.
Basics of TCP negotiation and 'theories' of portscanning here (http://www.trojanforge.net/showthread/t-808.html), or a million other places via Google. nmap itself is over here, (http://www.insecure.org/nmap/) and there's even a Windows version available.
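The post above separates a 'closed' answer (the host sends a reset) from 'stealth' (nothing comes back) and warns that a lost packet looks the same as silence. As an added example, not Gibson's tool, nmap, or any poster's code, this script makes that distinction from a plain TCP connect and repeats the probe so one dropped packet does not decide the verdict; it is meant for checking your own machine and defaults to the loopback address, with a small listener helper so both answers can be shown offline.

```python
"""Added example: classify one TCP connect attempt as open / closed / no-reply,
then repeat so silence has to be consistent before it is called 'stealth'."""
import errno
import socket
from collections import Counter


def probe_once(host, port, timeout=2.0):
    """Return 'open', 'closed', 'no-reply' or 'unreachable' for one connect attempt."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"              # RST came back: reachable host, no listener
        except socket.timeout:
            return "no-reply"            # SYN unanswered: dropped by a filter, or lost
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"     # routing failure, says nothing about the port
            raise


def probe(host, port, attempts=3, timeout=2.0):
    """Probe several times; return (verdict, per-answer counts). Any 'open' or
    'closed' answer is conclusive; 'stealth' needs every attempt to stay silent."""
    counts = Counter(probe_once(host, port, timeout) for _ in range(attempts))
    if counts["open"]:
        verdict = "open"
    elif counts["closed"]:
        verdict = "closed"
    elif counts["no-reply"] == attempts:
        verdict = "stealth"
    else:
        verdict = "inconclusive"         # mixed silence/unreachable: try again later
    return verdict, dict(counts)


def open_listener(host="127.0.0.1"):
    """Bind and listen on an ephemeral loopback port so an 'open' answer can be shown."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((host, 0))
    lst.listen(1)
    return lst


if __name__ == "__main__":
    lst = open_listener()
    port = lst.getsockname()[1]
    print("listening port", port, probe("127.0.0.1", port))
    lst.close()
    print("same port after close", probe("127.0.0.1", port))
    print("loopback port 135 (RPC endpoint mapper)", probe("127.0.0.1", 135))
```

Probing your machine from the loopback address only tells you whether a listener exists; to see what the Internet sees, run the same probe from a second machine outside your firewall, as the post suggests.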
-
Gibson (of GRC) is sort of a benign loon
Agreed, if he had just kept to the point and not tried to over-dramatise everything, he'd probably have a v. good reputation today in techie circles.
And firewalls are not the be-all and end-all of human existence, nor will they fend off all attacks, or even the majority of attacks aimed at Windows machines.
The only time anyone should give a stuff about a port closed response and no response at all is on a high-profile publicly accessible facility (such as a well-known website), where more time is taken responding to all packets than letting a firewall do it for you.
There is no substitute for a well-configured machine, except for the power cable being pulled out :-)
-
hehe cool pic floid
-
@Calen
I don't think "fun" is the word I'd use :-P
@Elektro
Probing backdoors eh? We'll just leave you to do that :-D
-
Elektro wrote:
hehe cool pic floid
Real credit goes to whoever on the TenDRA (http://www.tendra.org/) (C-and-other compiler, formerly of the UK DERA, now under an unrestrictive license (http://www.tendra.org/licenses/BSDL.txt)*) team cooked it up and released it.
More over here, (http://www.tendra.org/~nonce/pics/dfbsd/) of course the DragonFly project is over there... (http://www.dragonflybsd.org/Main/)
---
*No, really, I love the GPL. It's just that such digs are a good 'evangelism' trick for all the people who don't get that BSD means free as in free, not free as in... hm, OpenLinux? ;)
-
(http://we-r-here.com/auctions/b3ta/microsoft_1.jpg)
-
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.
Dats wot i like to see :-)
-
_LinchpiN_ wrote:
Dats wot i like to see :-)
Hoping for a bit much there aren't you? :-P
-
I'm too tired to read all the replies but if you need help here is a link to help you manually remove. When done then apply patch.
Avault (http://forums.avault.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=10;t=001689)
Good site and nice people. I hope it helps.
-
Your system has achieved a perfect "TruStealth" rating.
You need to switch your machine on first.
-
this MsBlaster got me too but cos I'm running Win2k showed itself as svchost.exe crashing and disabling some functioning of the PC. Also wouldn't reliably connect to webpages. Ran McAfee Stinger from this link (http://vil.nai.com/vil/content/v_100547.htm) and installed the MS security patch - now all is fine.
It really took me by surprise as all I did was connect briefly to the internet to get it - but then I am running no virusguard or firewall...will be in the future :)
-
I've sorted the problem on my cousin's XP box. I stopped the MSBlast task in Task Manager, used MSConfig to stop it at startup, then used the FixBlast (or whatever it was called) to get rid of it. Then after a reboot and checked it was gone I installed XP SP1 and installed Sygate Personal Firewall and set it up to block port 135.
All is done, all is good :-D
.....
until the next time :-x
Cheers for the help :-)
-
Vincent wrote:
.... Firewall and set it up to block port 135.
All is done, all is good :-D
.....
until the next time :-x
Cheers for the help :-)
Did you check ports 3330-3332 and 3362?
-
Phew.. I think I managed to lock down my parents' XP box just in time today.
Luckily I came equipped with an up-to-date virus checker and firewall on a flash disk, so I didn't have to risk connecting to the net!
The thing that really bugs me (no pun intended) is how insecure a standard XP Home edition machine is.
My parents are your average PC newbies, they can just about manage to send an email and browse eBay.. how the hell do MS expect people like this to know how to lock down a system?
Why should these services allow incoming connections with no easy way to disable them?
To make my day even better, I thought I'd better check Windows Update..
Yup, they hadn't even run that in the 2 months they've had the PC. And in that 2 months.. 32Mb of updates waiting for them to download.. over a poxy 56k dialup line !!
I started downloading, Windows Update said something in the region of 6 1/2 hours to download.. so I left it running. I came back later to check, and the bloody ISP had cut the connection because of a 2 hour dial-up limit.. :-x
Tried again, and Windows Update said it needed to start from the beginning again !!! ...I gave up, and gonna get a mate to burn them to CD for me!
..Nope, didn't work.. still mad as hell at MS and their usual crappy standards.
I told my parents to buy a Mac, but did they listen...?
Anyway, just checked the firewall logs again, and it's about 99% now of port 135 probes at a rate of about 2 attempts a minute (of which about 50% are coming from my ISP's netblock.)
-
@Blom
I checked as many ports as I could - all came back Stealthed :-D
@Doobrey
That sucks. Good job they've got someone who knows a thing or two ;-)
A 32Meg download on dial-up should take only 3 hours, mind you, this is the official "Windows Update" bollocks running so you've to expect some lagging, but double the time? That's really bad.
That two hour limit - they aren't on BTOpenworld are they? If so, tell them to check out Telewest. Line rental is £10 a month and unlimited dial-up is an extra £13 on that (less a quid or two if paying by direct debit). I've only been unable to connect 4 times at most in about 18 months. Each time the problems have been solved in a few hours.
EDIT: just remembered that the Windows "Time Remaining" crap is *never* right so that 6 1/2 hours is total balls :-D
EDIT2: Blom, installed the Win2kSP4 on my machine (after the IE6SP1) a few hours ago and everything seems to be fine so far *knocks wood* :-D
Guess I'll really find out when I wake up tomorrow :-P
-
Calen wrote:
I've just checked my firewall logs, and in the last 12 hrs, 75% of attempted connections are for the RPC port 135... Times like this make me glad that I refuse to upgrade from Win98...
Seems to be a very common thing of late, you can directly test if you're at risk with this by clicking
here (https://grc.com/x/portprobe=135) (port 135 on your comp will be probed)
This link will instantly and easily test anyone's Internet-connected PC. "Open" is BAD, "Closed" or "Stealth" is safe.
Lots of other security tests can be performed at the main Shields Up (https://grc.com/x/ne.dll?bh0bkyd2) page which we all had fun time? on IRC doing last night :-)
Welcome to probe central ;-)
Using MS's built-in firewall (WinXP-SP1), my port 135 is rated "Stealth"(by GRC).
-
That two hour limit - they aren't on BTOpenworld are they? If so, tell them to check out Telewest. Line rental is £10 a month and unlimited dial-up is an extra £13 on that
150k broadband + Digital TV Box + Telephone Line Rental with free local calls from NTL is £26 a month.
-
mdma wrote:
150k broadband + Digital TV Box + Telephone Line Rental with free local calls from NTL is £26 a month.
:-o
Pity I can't get NTL here :-(
-
Vincent wrote:
mdma wrote:
150k broadband + Digital TV Box + Telephone Line Rental with free local calls from NTL is £26 a month.
:-o
Pity I can't get NTL here :-(
Pity we can't get Telewest here. I want that 2MB line for £50 a month that they offer!