DCom exploit

HavocXphere (Honorary Master, joined Oct 19, 2007, location: Europe)
I've got a security problem that's confusing me.

On my dad's PC I just got this message from Avast.

Network shield: Blocked DCOM Exploit from 41.244.etc

The part that is confusing me is that this is clearly an external IP (not my own, btw)... but I thought the router (D-Link) blocks incoming traffic. :confused: ...so why the hell is an exploit reaching the PC? :(

What are the chances that this is coming in via Wi-Fi? AFAIK WPA-PSK is set with a decent password.

Oh, and would Telkom hunt down the clowns doing this if I give them the IP and time/date?
 
I got this last night when updating my newly installed Comodo Firewall. I didn't understand why Comodo didn't block it, but Avast did.

The IP addresses appeared to be on the Telkom dial-up network range (155.xxx.xxx.xx), so it's either script kiddies or infected computers spreading the love :(

One can never have enough security measures these days :(
 
Ok, this has been happening a lot more lately now than ever before.

Annoyed, I went to do some research on this. Turns out it is the way that the Sasser worm and some of those other buggers spread themselves, by using a flaw in DCOM.

Avast picking it up is very good, but this should be stopped by your firewall. I went to find out how to do it with Comodo, and now all is good. As I'm sitting here writing this, I've had 19 attempts to get in using that port.

To me this feels like some poor people's computers are infected and transmitting for all they're worth. I may be wrong, but all my attempts have been on the 155.239 IP range. Seems like the Telkom dial-up range, which explains a lot. Most dial-up computers are not kept up to date with such things.

Sigh
 
So that's what it is. Good to see the AV catching it, because the Windows firewall was down.

Weird that the DCOMbobulator indicates that the port is stealthed. :confused:

Thanks guys.
 
I'm still on dial-up at home, so I have no router, lol.

This would also apply to anyone using Neotel, as that device is a modem, not a router.

Anyway, even disabling DCOM won't make the problem vanish entirely, as the attempts to get in will go on and on until the source computers are cleaned. Still, it is a good idea :)
 
Well, it's a week since I made the last post. In that time, I've had about a hundred attempts to get in on port 135. Thankfully Comodo just silently blocks and prevents it.

Looking at my logs, most of the addresses seem to be on a dial-up range, or something similar. As posted earlier, these people may not even be aware that their computer is infected.

If you are on Neotel using their phone modem, on dial-up, running your router in bridged mode, or are using iBurst, you need a good personal firewall to stop this. I never realised just what a good job even a plain router's firewall does in dropping these "garbage" connections.

Hard to believe that the Sasser and Blaster worms are still doing the rounds even today. :(
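A small log-triage script, added here as an illustration and not something posted in the thread: it parses a few constructed personal-firewall log lines (the line format is an assumption, not Comodo's or Avast's real format) and counts inbound hits on the worm ports by destination port, source address and source /16, which is what the posters above were doing by eye. The sample addresses are made up for the example.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample log, modelled loosely on a personal firewall's "blocked inbound" log.
# The format and the addresses are assumptions for this example, not real captures.
SAMPLE_LOG = """\
2008-03-12 22:14:03 BLOCKED IN TCP 155.239.17.42:3321 -> 192.168.0.10:135
2008-03-12 22:14:09 BLOCKED IN TCP 155.239.88.5:1044 -> 192.168.0.10:135
2008-03-12 22:15:41 BLOCKED IN TCP 41.244.9.77:2990 -> 192.168.0.10:135
2008-03-12 22:16:02 BLOCKED IN TCP 155.239.17.42:3340 -> 192.168.0.10:445
2008-03-12 22:17:55 ALLOWED OUT TCP 192.168.0.10:49152 -> 155.239.1.1:80
2008-03-12 22:18:10 BLOCKED IN UDP 155.239.201.9:1026 -> 192.168.0.10:1434
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCKED|ALLOWED) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports the old RPC/DCOM-era worms hammered: Blaster used the DCOM RPC flaw on TCP 135,
# Sasser used the LSASS flaw on TCP 445. Both still show up as background noise.
WORM_PORTS = {135: "RPC/DCOM (Blaster)", 445: "SMB/LSASS (Sasser)"}


def parse(log_text):
    """Turn log lines into dicts; lines that don't match the expected format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def inbound_worm_attempts(events):
    """Inbound TCP connections aimed at the worm ports, whether blocked or allowed."""
    return [e for e in events
            if e["dir"] == "IN" and e["proto"] == "TCP" and e["dport"] in WORM_PORTS]


def unblocked_worm_attempts(events):
    """Worm-port hits the firewall let through; anything here deserves a closer look."""
    return [e for e in inbound_worm_attempts(events) if e["action"] != "BLOCKED"]


def summarize(events):
    """Count worm-port hits by port, by source address and by source /16 prefix."""
    attempts = inbound_worm_attempts(events)
    by_port = Counter(e["dport"] for e in attempts)
    by_src = Counter(e["src"] for e in attempts)
    # /16 is roughly the granularity at which the posters were eyeballing "dial-up ranges"
    by_prefix = Counter(str(ip_network(f"{e['src']}/16", strict=False)) for e in attempts)
    return {
        "total": len(attempts),
        "by_port": dict(by_port),
        "by_src": dict(by_src),
        "by_prefix": dict(by_prefix),
        "unblocked": len(unblocked_worm_attempts(events)),
    }


if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG))
    print(f"{report['total']} inbound worm-port attempts, {report['unblocked']} not blocked")
    for port, n in sorted(report["by_port"].items()):
        print(f"  port {port} ({WORM_PORTS[port]}): {n}")
    for prefix, n in report["by_prefix"].most_common():
        print(f"  {prefix}: {n}")
```

Run it on a real firewall export after adjusting the regular expression to the log format you actually have; the useful output is the per-prefix count (a handful of prefixes accounting for nearly all hits is the "infected dial-up hosts" pattern described above) and the unblocked count, which should stay at zero if the host firewall is doing its job.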
 
I never realised just what a good job even a plain router's firewall does in dropping these "garbage" connections.
That's what puzzled me. My router isn't in bridged mode. NAT and the router firewall were on... yet the attempt was only blocked once it hit the PC. :eek:
 
That's what puzzled me. My router isn't in bridged mode. NAT and the router firewall were on... yet the attempt was only blocked once it hit the PC. :eek:

That is a funny one, since your router should have stopped that cold in its tracks. I really can't think of a reason why it would let port 135 through, especially since you have NAT and the firewall enabled. :confused:

I've only had 8 attempts so far this morning, which isn't so bad compared to last night.
 