WTF just happened

ReignReign New York
edited August 2003 in Science & Tech
I got a message that said "close all programs RPC system failed... shutting down in 59...58...57"

So I just hit the restart button and I get back online. I told my friend, and he said he just had it too... same time I did.

What's going on?

Comments

  • leishi85leishi85 Grand Rapids, MI Icrontian
    edited August 2003
    Hmm, didn't happen to me. Was that friend you are talking about on any connection to you while it happened?
  • CycloniteCyclonite Tampa, Florida Icrontian
    edited August 2003
    I get that a lot when I'm trying to close every possible program before running a benchmark test. I usually ctrl+alt+del the wrong thing and that pops up. I guess it's a system critical process that gets stopped.
  • NecropolisNecropolis Hawarden, Wales Icrontian
    edited August 2003
    Hmmm, the same thing happens to 2 machines at the same time in a different place. I think it's time to check your machine for viruses and trojans. That would be the first place to start.
  • EnverexEnverex Worcester, UK Icrontian
    edited August 2003
    The program that closed and needs to stay open is "svchost.exe" running as user "local service". Close it and Windows terminates itself.

    NS
  • NecropolisNecropolis Hawarden, Wales Icrontian
    edited August 2003
    NightShade737 said
    The program that closed and needs to stay open is "svchost.exe" running as user "local service". Close it and Windows terminates itself.

    NS

    But 2 doing it at the same time, very odd.
  • Straight_ManStraight_Man Geeky, in my own way Naples, FL Icrontian
    edited August 2003
    Um, not quite so difficult to understand-- unfortunately.

    http://www.eweek.com/article2/0,3959,1208670,00.asp

    I am just happy that this site is not vulnerable that way.
  • m-goslingm-gosling UK, near to Brighton
    edited August 2003
    Yep, maybe someone was just testing for a way to exploit that flaw and somehow managed to crash your RPC services while doing it. It's a possibility.
  • NecropolisNecropolis Hawarden, Wales Icrontian
    edited August 2003
    Just done a bit of hunting and found this. Looks like it affects the RPC service.

    http://www.dotproject.org/news.php?action=read&id=3220

    Worrying to say the least.
  • m-goslingm-gosling UK, near to Brighton
    edited August 2003
    Yea, security experts reckon there is going to be some kind of huge attack based on that flaw any time soon. There is a lot of activity going on underground apparently regarding the creation of a new worm to take advantage of this exploit, which has been confirmed to be totally possible. Best get patching people. Can you imagine how big the scale of the attack (if it happens) would be considering that every version of Windows, except ME, has this flaw in it :eek::eek2:
    Link: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

    And another link confirming that as from July 29th the first signs of a new worm based on it have started appearing: http://grc.com/default.htm
  • NecropolisNecropolis Hawarden, Wales Icrontian
    edited August 2003
    I posted it in the news forum because I think it important enough that everyone needs to know about it.
  • TBonZTBonZ Ottawa, ON Icrontian
    edited August 2003
    So I take it Win98SE isn't affected by this since WinME isn't either, would that be an accurate deduction?
  • m-goslingm-gosling UK, near to Brighton
    edited August 2003
    Tbonz,
    That's a really good question. If you follow this link: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp it does say that Windows ME is not affected but does not give any mention as to earlier Windows versions. However, I have read elsewhere that all Windows versions are affected apart from ME so the situation is a little confusing. It could be a case that Microsoft hasn't mentioned any earlier versions of Windows due to them phasing out support for them, in which case they wouldn't produce a patch, or it could be that they simply don't mention any new problems found with unsupported Windows versions. Can't remember if they are still supporting Windows 98SE or not now tho. But my guess is, that if ME isn't affected then the others (95, 98, 98SE) shouldn't be either.
  • TBonZTBonZ Ottawa, ON Icrontian
    edited August 2003
    m.gosling said
    Tbonz,
    That's a really good question. If you follow this link: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp it does say that Windows ME is not affected but does not give any mention as to earlier Windows versions. However, I have read elsewhere that all Windows versions are affected apart from ME so the situation is a little confusing. It could be a case that Microsoft hasn't mentioned any earlier versions of Windows due to them phasing out support for them, in which case they wouldn't produce a patch, or it could be that they simply don't mention any new problems found with unsupported Windows versions. Can't remember if they are still supporting Windows 98SE or not now tho. But my guess is, that if ME isn't affected then the others (95, 98, 98SE) shouldn't be either.

    That's what I figured. Microsoft does not officially support Win98 and under as of a few months ago but it would be highly negligent of them to not release a fix for Win98 if in fact the OS is vulnerable to this threat. I'll go ahead and update my XP boxens and hope for the best for my 98 boxes.

    Cheers!
  • NecropolisNecropolis Hawarden, Wales Icrontian
    edited August 2003
    If memory serves me, the 9x series does not use RPC so I don't think it is vulnerable (I may be wrong).
  • TBonZTBonZ Ottawa, ON Icrontian
    edited August 2003
    Necropolis_uk said
    If memory serves me, the 9x series does not use RPC so I don't think it is vulnerable (I may be wrong).

    I'm sure you're correct on that, just wanting to make sure. :wtf:
  • Straight_ManStraight_Man Geeky, in my own way Naples, FL Icrontian
    edited August 2003
    That is true for ME, if you have not installed a very modern development suite from Microsoft, like Visual Suite or Visual Suite .NET or possibly Office XP Pro. The debugger comes with those, and the infrastructure that lets some of those bugs happen.

    The others are vulnerable in part because the same *base* RPC code structure was used (as opposed to what is on top), so some of the vulnerabilities apply to literally all Windows.
  • ReignReign New York
    edited August 2003
    Well, the first thing I did after I restarted was go to admin tools and set RPC on manual instead of automatic .... haven't had the problem since, but I doubt that would help. I scanned and there were no viruses, and I just patched my comp, so uhh, I hope it's safe now.
  • EnverexEnverex Worcester, UK Icrontian
    edited August 2003
    Reign said
    Well, the first thing I did after I restarted was go to admin tools and set RPC on manual instead of automatic .... haven't had the problem since, but I doubt that would help. I scanned and there were no viruses, and I just patched my comp, so uhh, I hope it's safe now.

    Are you sure that was RPC? Because you can't change RPC, but you can change RPC Locator.

    NS
  • botheredbothered Manchester UK
    edited August 2003
    I'm behind ZA pro and a NAT firewall and run a virus checker. Where is the patch and do I need to bother?

    bothered.
  • Straight_ManStraight_Man Geeky, in my own way Naples, FL Icrontian
    edited August 2003
    It is safe if you disable the RPC components that allow remote inward RPC (Remote Programmatic Control). The side effect of this is to also disable some P2P as RPC queries and responses (American of responces) are used to get P2P connects established.

    If no RPC ports are open, the hackers cannot push things that are malformed and thus take over. So, something like Sygate with only the ports you need open and only local-outward initiation of connects allowed would be a good idea for complete security. That means sharing with trusted friends.

    Disabling Locator plus firewall blocking is the easiest way to close the machine off from RPC vulnerabilities with no patching of the RPC components. My online box is not vulnerable, but the reasons why I am not vulnerable are best discussed in Linux and Company area.

    However, in general it is possible to use a firewall and to close down things that might spontaneously do global RPC style packet gens outward when you are not aware of what is doing it, which is what the hackers are looking for. You can also disable remote computer management on your machine except for allowing it to be manually started with a secure connect that requires password and ID, and limit the areas of access.

    I use operating systems that have that ability built-in for surfing these days, and still back up. XP Pro has some of the things needed, and Sygate runs well on XP Pro.