Title: PERSONAL COMPUTER SECURITY
Notice: SWEEP servers Note 5; more info on www-is-security.mso.dec.com
Moderator: BSS::BOREN
Created: Wed Jan 02 1991
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 504
Total number of notes: 2905
478.0. "NT's RpcSs.exe getting all CPU" by NETCAD::ATKINSON (Dave Atkinson) Wed Feb 05 1997 11:07
I saw this on a newsletter last week. This morning, our NT DOMAIN
server was running a RpcSs.exe getting 96% of system. We could not
locate why RpcSs.exe had received the 17+ hours of CPU time but a
reboot set the process back to normal. The system appears fine.
Dave
Subj: TBTF for 1/29/97: An invisible hand
To read this issue of TBTF on the Web see
<http://www.tbtf.com/archive/01-29-97.html>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
||| A new NT 4.0 security hole, and a workaround |||
Skinny DuBaud's rumor column [1] in news.com alerted me to a Windows NT
4.0 security problem that allows anyone to consume all the CPU time on
an NT Server or Workstation box from across the Internet. A description
[2] of the problem was posted anonymously to 32bit.com's Pipeline site
on 1/21:
> From your "Start" button, choose "Run..." and then type:
>
> telnet some.nt.host.somewhere 135
>
> Once telnet connects, type 10-20 characters, any characters...
> Then disconnect or exit telnet... CPU usage on the NT 4.0
> machine... will hit 100% and remain there until rebooted. The
> 'rpcss.exe' process will eat the CPU out of house and home.
Two days later another user, Hector Isias, posted this workaround [3]:
> You can enable IP security (Control Panel / Network / protocols /
> tcp ip / properties / advanced) and filter TCP ports. You should
> permit only the necessary ports: 20, 21, 25, 53, 70, 80, 110,
> 111, 119, 137, 138, 139 and any other required for your specific
> needs. The list above allows you to use NETBIOS over TCP/IP, HTTP,
> Gopher, TCP, etc. It should work even for a proxy server.
[1] <http://www.news.com/Rumors/0%2C29%2C%2C00.html?nd>
[2] <http://www.32bit.com/pipeline/pipenews.phtml?news=jan97/01219701>
[3] <http://www.32bit.com/pipeline/pipenews.phtml?news=jan97/01239701>
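
Added example, not part of the original note or the quoted newsletter: the symptom described above (rpcss.exe pinned near 100% CPU until reboot) can be caught by watching periodic CPU samples for sustained saturation. The sample line format, the threshold and the run length are assumptions, and the sample data is constructed.

```python
"""Flag a process whose CPU share stays pinned across consecutive samples."""
from collections import defaultdict

# Constructed sample data (not from the original note): one line per
# one-minute performance sample, "HH:MM image_name cpu_percent".
SAMPLES = """\
09:00 rpcss.exe 2
09:00 lsass.exe 5
09:01 rpcss.exe 97
09:01 lsass.exe 1
09:02 rpcss.exe 96
09:02 lsass.exe 88
09:03 rpcss.exe 99
09:03 lsass.exe 3
09:04 rpcss.exe 96
09:04 lsass.exe 2
"""

def parse(text):
    """Yield (timestamp, image, cpu) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1].lower(), int(parts[2])

def pinned_processes(text, threshold=90, min_run=3):
    """Return {image: (first_ts, run_length)} for processes at or above
    `threshold` percent for at least `min_run` consecutive samples.
    Threshold and run length are assumed tuning values."""
    run = defaultdict(int)   # current consecutive-high count per image
    start = {}               # timestamp where the current run began
    longest = {}             # longest qualifying run per image
    for ts, image, cpu in parse(text):
        if cpu >= threshold:
            if run[image] == 0:
                start[image] = ts
            run[image] += 1
            if run[image] >= min_run and run[image] > longest.get(image, ("", 0))[1]:
                longest[image] = (start[image], run[image])
        else:
            run[image] = 0   # a normal sample resets the run
    return longest

if __name__ == "__main__":
    for image, (ts, n) in pinned_processes(SAMPLES).items():
        print(f"{image}: pinned since {ts} for {n} samples")
```

A single busy sample (lsass.exe at 88% here) does not trigger the flag; only a run of consecutive high samples does, which matches a process that stays saturated until reboot.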