rpc unexpected shutdown

Discussion in 'NZ Computing' started by goneill, Aug 12, 2003.

  1. goneill

    goneill Guest

    rpc on my comp has just started shutting down my system and dropping the net

    any ideas on how to fix
     
    goneill, Aug 12, 2003
    #1

  2. "goneill" <> wrote in message
    news:3f38a71e$...
    > rpc on my comp has just started shutting down my system and dropping the net

    Pull the plug on your network connection

    > any ideas on how to fix


    Patch before you get owned, you probably need MS03-26 go to
    http://windowsupdate.com
    http://www.microsoft.com/security/security_bulletins/ms03-026.asp

    Since you are already hacked, consider these tips
    http://isc.sans.org/diary.html?date=2003-08-11

    Once you are infected, we highly recommend a complete rebuild of the site.
    As there have been a number of irc bots using the exploit for a few weeks
    now, it is possible that your system was already infected with one of the
    prior exploits. Do not connect an unpatched machine to a network.
    If you can not do this and/or the computer resides on a protected or
    non-Internet connected network, then several Anti-Virus Vendors have
    supplied tools to assist in removing the worm. However, these tools can not
    clean-up damage from other RPC DCOM malware such as the recent sdbot irc
    bots. This method of cleaning your system is _not_ recommended, but the URLs
    are presented below for completeness.

    http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
    http://www3.ca.com/Files/VirusInformationAndPrevention/ClnPoza.zip
     
    Nathan Mercer, Aug 12, 2003
    #2

  3. goneill

    MarkH Guest

    Steven H <> wrote in news:MPG.19a4390ac7c13e2e989711
    @news.dun.ihug.co.nz:

    > In article <>,
    > says...
    >
    >> Buy a Mac :)

    >
    > if i wanted a hamburger i would go to McDonalds


    I think you’ll find that both Burger King and Wendys do better burgers than
    McDonalds.




    --
    Mark Heyes (New Zealand)
    See my pics at http://homepages.ihug.co.nz/~markh/
    "There are 10 types of people, those that
    understand binary and those that don't"
     
    MarkH, Aug 13, 2003
    #3
  4. goneill

    T-Boy Guest

    In article <Q52_a.113762$>, nathan@
    4757979!!!SPAMSUCKS****mcs.co.nz says...

    > Once you are infected, we highly recommend a complete rebuild of the site.


    Thanks for the good info Nathan.

    A query though.

    OK.. so an infected user follows MS's advice and does a
    reinstall blah blah.

    Um.. then they update on the internet. SP4 - whatever.

    Meantime... what will be happening on their PC ????

    I'll give you ONE guess.

    (cos hey, where else are they gonna get the updates - *most*
    people *won't* have SP4 (2K) or SP1a (XP) on CD yer know).

    PS: just now, i'm unable to connect to microsoft.com - not
    lookin' good.


    --
    Duncan
     
    T-Boy, Aug 13, 2003
    #4
  5. goneill

    T-Boy Guest

    In article <>,
    says...
    > In article <>,
    > says...
    >
    > > Buy a Mac :)

    >
    > if i wanted a hamburger i would go to McDonalds


    you'd be making a big mistake.

    :)

    --
    Duncan
     
    T-Boy, Aug 13, 2003
    #5
  6. goneill

    T-Boy Guest

    In article <>,
    says...
    > In article <Q52_a.113762$>, nathan@
    > 4757979!!!SPAMSUCKS****mcs.co.nz says...
    >
    > > Once you are infected, we highly recommend a complete rebuild of the site.

    >
    > Thanks for the good info Nathan.
    >
    > A query though.
    >
    > OK.. so an infected user follows MS's advice and does a
    > reinstall blah blah.
    >
    > Um.. then they update on the internet. SP4 - whatever.
    >
    > Meantime... what will be happening on their PC ????
    >
    > I'll give you ONE guess.
    >
    > (cos hey, where else are they gonna get the updates - *most*
    > people *won't* have SP4 (2K) or SP1a (XP) on CD yer know).
    >
    > PS: just now, i'm unable to connect to microsoft.com - not
    > lookin' good.


    Waited long enough - Let me reply for you then....

    quote from (just recently updated, BTW):
    http://microsoft.com/security/incident/blast.asp
    "
    If you have Windows NT 4.0 or Windows 2000, you will need to
    install a third-party firewall
    "

    need should be NEED :)

    --
    Duncan
     
    T-Boy, Aug 13, 2003
    #6
  7. goneill

    Who is this Guest

    In article <>,
    Steven H <> wrote:

    > In article <>,
    > says...
    >
    > > Buy a Mac :)

    >
    > if i wanted a hamburger i would go to McDonalds


    Instead your system is mincemeat.
     
    Who is this, Aug 13, 2003
    #7
  8. goneill

    Steven H Guest

    In article <>,
    says...
    > In article <>,
    > Steven H <> wrote:
    >
    > > In article <>,
    > > says...
    > >
    > > > Buy a Mac :)

    > >
    > > if i wanted a hamburger i would go to McDonalds

    >
    > Instead your system is mincemeat.


    is it?

    i stick to my old saying that only the stupid get viri

    7 years running windows - no viri
    using Outlook (the virus engine it is) since 97 - no viri

    what am i doing wrong??

    --
    ===================================================
    Steven H
     
    Steven H, Aug 13, 2003
    #8
  9. goneill

    lily Guest

    Steven H wrote:

    > In article <>,
    > says...
    >
    >>In article <>,
    >> Steven H <> wrote:
    >>
    >>
    >>>In article <>,
    >>>says...
    >>>
    >>>
    >>>>Buy a Mac :)
    >>>
    >>>if i wanted a hamburger i would go to McDonalds

    >>
    >>Instead your system is mincemeat.

    >
    >
    > is it?
    >
    > i stick to my old saying that only the stupid get viri
    >
    > 7 years running windows - no viri
    > using Outlook (the virus engine it is) since 97 - no viri
    >
    > what am i doing wrong??
    >

    Try sharing your C: drive rw without a firewall
     
    lily, Aug 13, 2003
    #9
  10. "lily" <> wrote in message
    news:sEn_a.11220$...
    > Steven H wrote:
    >
    > > In article <>,
    > > says...
    > >
    > >>In article <>,
    > >> Steven H <> wrote:
    > >>
    > >>
    > >>>In article <>,
    > >>>says...
    > >>>
    > >>>
    > >>>>Buy a Mac :)
    > >>>
    > >>>if i wanted a hamburger i would go to McDonalds
    > >>
    > >>Instead your system is mincemeat.

    > >
    > >
    > > is it?
    > >
    > > i stick to my old saying that only the stupid get viri
    > >
    > > 7 years running windows - no viri
    > > using Outlook (the virus engine it is) since 97 - no viri
    > >
    > > what am i doing wrong??
    > >

    > Try sharing your C: drive rw without a firewall
    >


    This only happens when you bind filesharing to your TCP/IP for your modem.
    Which Windows warns you about

    Cheers,
    Nicholas Sherlock
     
    Nicholas Sherlock, Aug 13, 2003
    #10
  11. "Nicholas Sherlock" <> wrote in message
    news:bhcsor$thr$...
    > > what am i doing wrong??

    >
    > Yes, only the stupid get virii. The last time I had a virus was way back in
    > the days of Windows 3.1, when I got an infected copy of "Jazz Jackrabbit"
    > (Commercial distribution on disk with the read-only attribute set).
    >
    > These days, I run a firewall (Not needed if you are all patched up) and


    I'd recommend a firewall even if you are patched - defense in depth. Why be
    unfirewalled when you can be firewalled?
     
    Nathan Mercer, Aug 13, 2003
    #11
  12. goneill

    lily Guest

    Nicholas Sherlock wrote:

    > "lily" <> wrote in message
    > news:sEn_a.11220$...
    >
    >>Steven H wrote:
    >>
    >>
    >>>In article <>,
    >>>says...
    >>>
    >>>
    >>>>In article <>,
    >>>>Steven H <> wrote:
    >>>>
    >>>>
    >>>>
    >>>>>In article <>,
    >>>>>says...
    >>>>>
    >>>>>
    >>>>>
    >>>>>>Buy a Mac :)
    >>>>>
    >>>>>if i wanted a hamburger i would go to McDonalds
    >>>>
    >>>>Instead your system is mincemeat.
    >>>
    >>>
    >>>is it?
    >>>
    >>>i stick to my old saying that only the stupid get viri
    >>>
    >>>7 years running windows - no viri
    >>>using Outlook (the virus engine it is) since 97 - no viri
    >>>
    >>>what am i doing wrong??
    >>>

    >>
    >>Try sharing your C: drive rw without a firewall
    >>

    >
    >
    > This only happens when you bind filesharing to your TCP/IP for your modem.
    > Which Windows warns you about
    >
    > Cheers,
    > Nicholas Sherlock
    >
    >

    No warning that I've seen in 98
     
    lily, Aug 14, 2003
    #12
  13. On Wed, 13 Aug 2003 21:36:18 +1200, lily wrote:

    >> what am i doing wrong??
    >>

    > Try sharing your C: drive rw without a firewall


    Anyone running printer shares is doing EXACTLY that with c:\winnt or
    c:\windows System directories.


    As a way of showing how secure Windows NT/XP really is, even on a locked
    down system it's trivial to get administrator access.

    Simply copy cmd.exe to whatever.scr and set that as your screensaver, when
    the idle timer kicks in, voila, instant administrator shell.
     
    Uncle StoatWarbler, Aug 14, 2003
    #13
  14. goneill

    Steven H Guest

    In article <>, alanb+google4
    @digistar.com says...

    > As a way of showing how secure Windows NT/XP really is, even on a locked
    > down system it's trivial to get administrator access.
    >
    > Simply copy cmd.exe to whatever.scr and set that as your screensaver, when
    > the idle timer kicks in, voila, instant administrator shell.



    ummm, so....

    only admins can trash a comp thru cmd

    any idiot under a user account (where they should be - NO body should
    use admin accounts on a daily basis - not even for development) cant do
    jack shit because cmd is launched in THEIR process space, which is of
    course user.

    --
    ===================================================
    Steven H
     
    Steven H, Aug 14, 2003
    #14
  15. "Steven H" <> wrote in message
    news:...
    > In article <>, alanb+google4
    > @digistar.com says...
    >
    > > As a way of showing how secure Windows NT/XP really is, even on a locked
    > > down system it's trivial to get administrator access.
    > >
    > > Simply copy cmd.exe to whatever.scr and set that as your screensaver, when
    > > the idle timer kicks in, voila, instant administrator shell.

    >
    >
    > ummm, so....
    >
    > only admins can trash a comp thru cmd


    That's just what he said. You can trick Windows into launching you an
    administrator-privileges console. Or, if your admin's password is
    "Password", or if you want to reset it from DOS with any one of the many
    free tools available to do so, you can either boot in "Safe mode" to get the
    hidden administrator prompt, or download the tool from
    http://home.eunet.no/~pnordahl/ntpasswd/

    Cheers,
    Nicholas Sherlock
     
    Nicholas Sherlock, Aug 14, 2003
    #15
  16. goneill

    Steven H Guest

    In article <bhgo1v$5ul$>,
    says...

    > > ummm, so....
    > >
    > > only admins can trash a comp thru cmd

    >
    > That's just what he said. You can trick Windows into launching you an
    > administrator-privileges console.


    one word, Bullshit!

    how do i know this, i tried it

    windows will only run a screen saver under YOUR OWN credentials not
    somebody elses, and if the User instructs windows to do otherwise they
    will get a password prompt.

    want proof of what i done

    well i created a folder that ONLY people in the administrator group can
    access, tried the exploit outlined previously and it FAILED

    secondly i checked to see the user that cmd.scr was running as - and
    guess what, it was me!


    > Or, if your admin's password is
    > "Password", or if you want to reset it from DOS with any one of the many
    > free tools available to do so, you can either boot in "Safe mode" to get the
    > hidden administrator prompt, or download the tool from


    its not exactly a difficult exploit as any idiot with a boot disk and
    access to the computer can do it


    --
    ===================================================
    Steven H
     
    Steven H, Aug 15, 2003
    #16
  17. "Steven H" <> wrote in message
    news:...
    > > Or, if your admin's password is
    > > "Password", or if you want to reset it from DOS with any one of the many
    > > free tools available to do so, you can either boot in "Safe mode" to get the
    > > hidden administrator prompt, or download the tool from

    >
    > its not exactly a difficult exploit as any idiot with a boot disk and
    > access to the computer can do it


    And that is the key to this "vulnerability", you need physical access to the
    computer. If I have physical access to your PC, it's not your PC anymore

    Windows is not the only OS that has this feature. Under Windows you can
    help to mitigate against offline dictionary attacks against the accounts
    databases by using strong passwords (!) EFS encrypting file system, and
    SYSKEY which forces you to have a floppydisk/password to boot the system
     
    Nathan Mercer, Aug 15, 2003
    #17
  18. goneill

    Enkidu Guest

    On Wed, 13 Aug 2003 20:26:05 +1200, "Nicholas Sherlock"
    <> wrote:
    >
    > For anti-virus, I would strongly recommend AntiVir.
    >Free, doesn't suck resources and updating is a breeze.
    >

    .....if you consider totally removing and reinstalling it a breeze,
    fine. The thing worked for me, for a year, and then the auto update
    stopped working. The recommendation was to totally remove it and
    reinstall it. After three months of removing it, and then reinstalling
    it, I gave in and installed Norton's. Sure it cost me money, but I've
    better things to do than reinstall virus software every month.

    I would NOT recommend AntiVir to anyone. So far as I know its
    antivirus works fine, but that's offset by the lack of *any* support
    for the free version. Novices would be totally befuddled by it.

    Cheers,

    Cliff
    --

    Signed and sealed with Great Seal of the Executive
    Council of the Internet, by The Master of The Net.
     
    Enkidu, Aug 15, 2003
    #18
  19. goneill

    Enkidu Guest

    On Wed, 13 Aug 2003 19:13:58 +1200, Steven H <>
    wrote:

    >In article <>,
    >says...
    >> In article <>,
    >> Steven H <> wrote:
    >>
    >> > In article <>,
    >> > says...
    >> >
    >> > > Buy a Mac :)
    >> >
    >> > if i wanted a hamburger i would go to McDonalds

    >>
    >> Instead your system is mincemeat.

    >
    >is it?
    >
    >i stick to my old saying that only the stupid get viri
    >
    >7 years running windows - no viri
    >using Outlook (the virus engine it is) since 97 - no viri
    >
    >what am i doing wrong??
    >

    I don't know what you are doing *right*. I assume that you don't have
    a virus protector program. So you can't scan your system to see if you
    have any viruses. You could be infected and infectious without even
    knowing it.

    Cheers,

    Cliff
    --

    Signed and sealed with Great Seal of the Executive
    Council of the Internet, by The Master of The Net.
     
    Enkidu, Aug 15, 2003
    #19
  20. goneill

    Enkidu Guest

    On Fri, 15 Aug 2003 07:30:10 +1200, "Nicholas Sherlock"
    <> wrote:

    >"Steven H" <> wrote in message
    >news:...
    >> In article <>, alanb+google4
    >> @digistar.com says...
    >>
    >> > As a way of showing how secure Windows NT/XP really is, even on a locked
    >> > down system it's trivial to get administrator access.
    >> >
    >> > Simply copy cmd.exe to whatever.scr and set that as your screensaver, when
    >> > the idle timer kicks in, voila, instant administrator shell.

    >>
    >>
    >> ummm, so....
    >>
    >> only admins can trash a comp thru cmd

    >
    >That's just what he said. You can trick Windows into launching you an
    >administrator-privileges console.
    >

    You can't. Unless you are admin in the first place.
    >
    > Or, if your admin's password is "Password", or if you want to reset it from
    > DOS with any one of the many free tools available to do so, you can either
    > boot in "Safe mode" to get the hidden administrator prompt, or download the tool from
    >http://home.eunet.no/~pnordahl/ntpasswd/
    >

    You are talking about physical access to the machine. In which case
    all bets are off. You can do whatever you like to a machine you can
    get your hands on.

    Cheers,

    Cliff
    --

    Signed and sealed with Great Seal of the Executive
    Council of the Internet, by The Master of The Net.
     
    Enkidu, Aug 15, 2003
    #20