Aug 11, 2003, 09:02 PM
|
#1
|
|
DH's #1 Hustla and Pimp
Join Date: Jan 2003
Location: The Dirty Dot
Posts: 6,923
|
Possible RPC exploit I'm hearing?
My friend was telling me that there is an RPC exploit going on? is this true? he told me to disable the RPC service.... or is this a trick lol
|
|
|
Aug 11, 2003, 09:35 PM
|
#2
|
|
DH's #1 Hustla and Pimp
Join Date: Jan 2003
Location: The Dirty Dot
Posts: 6,923
|
YES THIS IS REAL it happened to 2 of my friends
go to administrative tools, go to services
open Remote Procedure Call (RPC)
go to logon, press disable at the bottom
then in Recovery set First, Second, Subsequent Failures to TAKE NO ACTION
press ok, logoff and logon
|
|
|
Aug 12, 2003, 03:30 AM
|
#3
|
|
Member
Join Date: Mar 2003
Posts: 5,964
|
it's not a good idea at all to disable "Remote Procedure Call(RPC)" in win XP,
if you disable it.. it's very possible to damage windows system files and/or some 3rd party software, and you could end up with a dead XP.
i would recommend checking at the MS windows update web site whether your system needs a hotfix (critical patch) called "KB823980", and pls consider installing it.. install it online or you can d/l the version for win XP(32) and do it offline at... http://microsoft.com/downloads/detai...displaylang=en
note- also would recommend to d/l and install this patch from windows update/MS's site only. for win XP this critical patch is the most must have since the SP1 came out.
below info from my local system atm, if it's not corr... anyone pls feel free to add..
to determine whether you have the hotfix on your system or not..
in ...\system32 folder, look for a file named "rpcrt4.dll", check its version..
if it's.. "5.1.2600.1230 (xpsp2.030527-2026)" you already have it.
if it's.. something like 5.1.2600.1140 (xpsp2.020921-0842) or older, you need to install the hotfix.
|
|
|
Aug 12, 2003, 03:36 AM
|
#4
|
|
DH's Dormant Dragon
Join Date: May 2002
Location: IN Rem-Dormancy
Posts: 23,596
|
i've been hearing a lot about this RPC thing showing up.... must be lucky as i've got a firewall..which appears to be blocking a lot... BTW, i've noticed that when it finds this there's been numerous attacks... i can't send specific information out such as files through different setups (kazaa or msn messengers)
|
|
|
Aug 12, 2003, 03:43 AM
|
#5
|
|
Member
Join Date: Mar 2003
Posts: 5,964
|
i know and am looking on my system atm for poss ports block.. if i've something i'll get back to you. in the mean time, frequently check your f/w logs.
|
|
|
Aug 12, 2003, 06:10 AM
|
#6
|
|
Member
Join Date: Mar 2003
Posts: 5,964
|
man where's letter a... in the above posted... edit -- from "disble" to "disable" lol.
-----------------------------------------
Quote:
Originally posted by Judas
i've been hearing a lot about this RPC thing showing up.... must be lucky as i've got a firewall..which appears to be blocking a lot... BTW, i've noticed that when it finds this there's been numerous attacks... i can't send specific information out such as files through different setups (kazaa or msn messengers)
|
i've left my system very wide open so it's supposed to be a good target but i can't find anything yet.
so i would recommend you check at your end, it may be easier to find out if you use some helper utility,
i have a few here for you.... and Good Luck!
Process Explorer http://www.sysinternals.com/
Regmon (Registry Monitor) http://www.sysinternals.com/
Active Ports http://www.ntutility.com/freeware.html
all the above utilities are available in a free version and all worked well with XP, i've tested them before. i'm currently using the full retail versions of them but in the functions that you really need, they are about the same..
use Active Ports to monitor your connection.. between local (you) and remote, if you think you're having a prob with the Remote Procedure Call(RPC) you should look closely at "svchost.exe" for its activity, you may find some info there.
Process Explorer is a very good tool for any NT system also, use it to see the internal behavior of all applications, as well as tracking down handle leaks, you may find some useful info as well.
Regmon is a must have tool for me, imo it's the best. use it to see all registry movements.
especially with the problem you're having now you can use the "Filter" function to log the process for any request on "SetValue",
it's the "Log Writes" option of the program. you might find if something bad is trying to instruct windows to do things.
i know it's sometimes very hard to track down the bad things in windows.
|
|
|
Aug 12, 2003, 07:03 AM
|
#7
|
|
Live from the Dungeon
Join Date: May 2003
Location: Between the SubWoofers
Posts: 1,395
|
A simple way to make sure you don't get this is make sure you are behind a firewall and have ports 135 and 445 closed. Those are the main ports that they are hitting with this. I watch my firewall log file daily and I get hit now between 400-600 times a day on those ports..... it seems to be increasing every day...... damn hackers....  Eh.. they won't get through my firewall unless they come to my house and turn it off.....heheheh 
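The daily count of blocked hits on ports 135 and 445 that the post above describes can be scripted. This is an added example, not part of the original thread; it assumes the log is in the space-separated layout written by XP's built-in Internet Connection Firewall (pfirewall.log), since the posters do not name their firewalls, and the sample lines are constructed.

```python
from collections import Counter, defaultdict

# Ports named in the post above as the main targets.
WATCHED_PORTS = frozenset({135, 445})

# Constructed sample in the assumed pfirewall.log layout; the addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-11 23:58:40 DROP TCP 198.51.100.7 192.0.2.10 3012 135 48 S 1 0 16384 - - -
2003-08-12 00:03:02 DROP TCP 198.51.100.7 192.0.2.10 3044 135 48 S 2 0 16384 - - -
2003-08-12 00:03:05 DROP TCP 203.0.113.44 192.0.2.10 1190 445 48 S 3 0 16384 - - -
2003-08-12 00:04:10 DROP UDP 203.0.113.9 192.0.2.10 1026 137 78 - - - - - - -
2003-08-12 00:05:00 OPEN TCP 192.0.2.10 198.51.100.80 1033 80 - - - - - - - -
2003-08-12 00:06:17 DROP ICMP 203.0.113.9 192.0.2.10 - - 60 - - - - 8 0 -
2003-08-12 00:07:30 DROP TCP 203.0.113.44 192.0.2.10 1191 135 48 S 4 0 16384 - - -
truncated line
"""

def tally_drops(log_text, ports=WATCHED_PORTS):
    """Count dropped packets aimed at `ports`, per day and per source address."""
    fields = []
    per_day = defaultdict(Counter)
    per_source = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue                       # skip truncated or corrupt lines
        row = dict(zip(fields, parts))
        # ICMP entries carry "-" as the port, so they are skipped here too.
        if row["action"] != "DROP" or not row["dst-port"].isdigit():
            continue
        port = int(row["dst-port"])
        if port in ports:
            per_day[row["date"]][port] += 1
            per_source[row["src-ip"]] += 1
    return {day: dict(c) for day, c in per_day.items()}, per_source

if __name__ == "__main__":
    days, sources = tally_drops(SAMPLE_LOG)
    for day in sorted(days):
        print(day, days[day])
    print("top sources:", sources.most_common(3))
```

A day-over-day rise in the per-day counts is the trend the poster reports; the per-source counter shows whether it comes from a few hosts or many.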
|
|
|
Aug 12, 2003, 10:02 AM
|
#8
|
|
the last samurai
Join Date: May 2002
Posts: 1,086
|
|
|
|
Aug 12, 2003, 10:06 AM
|
#9
|
|
Flash Banner Hater
Join Date: Jun 2002
Location: UK
Posts: 2,959
|
My firewall log looks like a war zone - and it's ALL RPC
This is bigger than the last worm that generated a storm of UDP 137 traffic
|
|
|
Aug 12, 2003, 10:07 AM
|
#10
|
|
Live from the Dungeon
Join Date: May 2003
Location: Between the SubWoofers
Posts: 1,395
|
To add to the ports I stated earlier Symantec and MS now say these ports:
69
135
445
44444
Keep those closed and install the patch and you should be good...... The suggestion has been made that even dial-up users should now use a firewall. All our dial-in laptops here at work have been infected. I HATE hackers.... 
|
|
|
Aug 13, 2003, 02:45 AM
|
#11
|
|
DriverHeaven Junior Member
Join Date: Jul 2002
Location: Kalamata, Greece
Posts: 91
|
Here in Greece things are tragic. Almost all PCs are infected. The problem is that the patch from MS was out early this summer.
My opinion? USE THE *&^(*^)^(*_& Windows Update often
|
|
|
Aug 13, 2003, 02:52 AM
|
#12
|
|
DH's Dormant Dragon
Join Date: May 2002
Location: IN Rem-Dormancy
Posts: 23,596
|
....i can't seem to get into MS Update... it's like the site's getting nailed ...and hard....
|
|
|
Aug 13, 2003, 11:57 AM
|
#13
|
|
DH's #1 Hustla and Pimp
Join Date: Jan 2003
Location: The Dirty Dot
Posts: 6,923
|
yea it was getting nailed because after i installed SP 1 i had to redownload every damn update up to this week. Guys lots of people i know have disabled RPC how can I get it back working???? I reformatted, but others don't want to, how do we do it?
|
|
|
Aug 13, 2003, 01:51 PM
|
#14
|
|
Member
Join Date: Mar 2003
Posts: 5,964
|
Quote:
Originally posted by BiGBrOWnPimpsta
I reformatted, but others don't want to, how do we do it?
|
you may experience more problems if you try to start the Remote Procedure Call (RPC) service in windows or in the registry.
try the following.. and Good Luck!
-- start your computer with the XP CD
-- when the welcome to setup dialog box is displayed, press "R" to repair, and then press "C" to start Recovery Console.
-- choose to install windows and log on to your computer with the "Administrator" (real) account.
-- from the %systemroot%\system32 folder at the command prompt, type "listsvc" and then press enter.
locate the service that is causing the problem in the list that is provided. (in your case it's the "RpcSs")
-- type "enable RpcSs" (no quotes) and then press enter.
-- type "exit", and the computer restarts automatically. allow the computer to boot normally.
|
|
|
Aug 13, 2003, 01:54 PM
|
#15
|
|
DH's #1 Hustla and Pimp
Join Date: Jan 2003
Location: The Dirty Dot
Posts: 6,923
|
just what I wanted man! thx panging!
|
|
|
Aug 13, 2003, 01:56 PM
|
#16
|
|
Member
Join Date: Mar 2003
Posts: 5,964
|
Quote:
Originally posted by BiGBrOWnPimpsta
just what I wanted man! thx panging!
|
you had enough man i just can't see it do to you anymore..