
View Full Version : Wtf?



sharedholder
10-19-2003, 10:53 PM
The picture is in Italian, but Norton Firewall users can understand what it is.

http://www.uploadit.org/files/191003-strangefirewall.jpg

It is saying that a remote system is trying to access Microsoft Generic Host Process. What the hell is that?

asmithz
10-19-2003, 10:54 PM
It's accessing the internet, I wouldn't worry. It's just overreacting.

pol
10-19-2003, 11:11 PM
I get the same message sometimes, shared; for me it's something called "SVCHOST.exe"

but Bill can explain it better than me :D

microsoft - "svchost.exe" (http://search.microsoft.com/search/results.aspx?st=b&View=en-us&na=82&qu=svchost.exe+xp)

Virtualbody1234
10-19-2003, 11:25 PM
It's the clock in the lower right corner of Windows XP.

Right-click the clock, choose Adjust Date/Time, then click the 'Internet Time' tab.

See the automatic time sync? Well that's what is trying to communicate with the internet. Try it out. Remove the rule from the firewall (if you have allowed it before) then click the [Update Now] button and you will see that same message box appear.

http://www.uploadit.org/files/191003-strangefirewall.jpg

Just allow the automatic configuration from Norton to happen. Let it communicate. It keeps your clock properly set.

asmithz
10-19-2003, 11:33 PM
Hey, I didn't know that VB1234, thanks for the info.

Virtualbody1234
10-19-2003, 11:58 PM
No problem. My pleasure. :)

sparsely
10-20-2003, 12:30 AM
yeah...
XP's nice like that.
no DOS command for NTP
/me uses tick.uh.edu

DL.
10-20-2003, 01:38 AM
a remote system is trying to access Microsoft Generic Host Process

Time server?

NO!

Morons!

There is vulnerability in the part of RPC that deals with message exchange over TCP/IP. This failure is caused by incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC which listens on TCP/IP port 135, 139 or 445.

This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system.

The DCOM interface with RPC typically runs with system privileges. As a result of the buffer overflow condition a remote attacker could potentially execute code with the same privileges that the DCOM interface is running with.
Sygate Personal Firewall STD and Sygate Personal Firewall PRO are able to stop this vulnerability with default settings of network neighborhood file and print sharing disabled within SPF.

If a user needs to use network neighborhood file sharing the following can be done to prevent the vulnerability using Sygate software products:

Note: No action is needed if you are running Sygate Personal Firewall STD or Sygate Personal Firewall PRO with Network Neighborhood file and print sharing disabled within SPF.

For users of Sygate Personal Firewall and Personal Firewall PRO you should use the following steps to restrict access to DCOM by creating an application rule under the “Applications” button, to only allow trusted IPs to communicate with the Windows “Generic Host Processes” application. (Note: For NT users please use the "Distribute COM Services - RpcSs.exe" application):

1) Select the “Applications” button on the main screen.
2) Highlight the “Generic Host Processes for Win32 service”.
3) Select the “Advanced” button on the Applications Panel.
4) Type IP addresses of the trusted systems which you need to file and print share with in the “Application Restrictions” box for “Trusted IPs for Applications”.
5) Click “OK” to close the “Advanced settings panel”.
6) Click “OK” again on the “Application Panel”.


http://www.securityfocus.com/bid/8205/exploit/

DWk
10-20-2003, 01:49 AM
I agree with most of your post except where you insult everyone...

I do know about this Generic Host Process.... it's just a service...

it's funny tho...

OK, I got a question..... HOW DID YOU GET TO THE CONCLUSION that it was the time server?

I'm just wondering...

DWk

Mik3ll
10-20-2003, 02:38 AM
From what DL. said, it's the Blaster worm

DL.
10-20-2003, 02:50 AM
Originally posted by Mik3ll@20 October 2003 - 02:38
From what DL. said, it's the Blaster worm
No, just hack

Virtualbody1234
10-20-2003, 02:55 AM
It's not the Blaster worm. As my first post shows, it's the automatic synchronization of the clock. I even showed that if you click the [Update Now] button the same communication warning window pops up.

Here I even made it happen again.

See an English version: http://www.uploadit.org/files/201003-genhost.gif

You can also remove the [ ] check mark so that it no longer happens.

How simple can it get?

asmithz
10-20-2003, 03:11 AM
VB1234 is right, DL. just wants to insult people on his first post.

DL.
10-20-2003, 03:19 AM
So.. No RPC vulnerability exists then, it's all made up. I see. Good to know ;) I will ignore updates then.

asmithz
10-20-2003, 03:23 AM
Originally posted by DL.@19 October 2003 - 19:19
So.. No RPC vulnerability exists then, it's all made up. I see. Good to know ;) I will ignore updates then.
What you said does exist, just for a different situation. This was just the clock messing with Norton. You can get people scared when you tell them that they have a virus/worm.

DL.
10-20-2003, 03:26 AM
Originally posted by Agent Smith@20 October 2003 - 03:23
This was just the clock messing with Norton.
You think. Better to say maybe.. Do a backtrace. Same netblock or gateway? Better worry!

Virtualbody1234
10-20-2003, 03:28 AM
@DL. Take a good look at the picture I posted. It says UDP Protocol. The vulnerability is TCP. (high risk message too, not low).

Anyway I won't argue. I just recreated the cause.
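The distinction VB1234 draws above (outbound UDP time sync versus inbound TCP to the RPC/DCOM ports named in the Sygate text) can be turned into a small triage script. This is an added example, not code from anyone in the thread; the alert line format and the TEST-NET addresses are constructed, so real Norton or Sygate log exports would need their own parser.

```python
import re
from dataclasses import dataclass

# Ports named in the advisory quoted earlier in the thread: RPC/DCOM listens here.
RPC_DCOM_PORTS = {135, 139, 445}
NTP_PORT = 123  # Windows Time (w32time) syncs the clock over UDP/123

# Constructed alert format: "<in|out> <tcp|udp> <src>:<sport> -> <dst>:<dport> <app>".
# Real Norton/Sygate exports look different; parse_alert() is the piece to adapt.
ALERT_RE = re.compile(
    r"^(?P<dir>in|out)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<app>.+)$",
    re.IGNORECASE,
)

@dataclass
class Alert:
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    app: str

def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(m["dir"].lower(), m["proto"].lower(), m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["app"].strip().lower())

def classify(a: Alert) -> str:
    """Coarse verdict: protocol, direction and port decide, not the process name alone."""
    if a.direction == "out" and a.proto == "udp" and a.dport == NTP_PORT and a.app == "svchost.exe":
        return "benign: Windows Time sync (outbound UDP/123)"
    if a.direction == "in" and a.proto == "tcp" and a.dport in RPC_DCOM_PORTS:
        return "review: inbound RPC/DCOM port, verify MS03-026 patch and block at perimeter"
    return "review: not a known-benign pattern"

def triage(lines):
    # Classify every non-empty alert line; returns (line, verdict) pairs.
    return [(l, classify(parse_alert(l))) for l in lines if l.strip()]

# Constructed sample alerts using documentation (TEST-NET) addresses.
SAMPLE_LOG = """
out udp 192.0.2.10:123 -> 198.51.100.5:123 svchost.exe
in  tcp 203.0.113.9:3201 -> 192.0.2.10:135 svchost.exe
out tcp 192.0.2.10:1040 -> 198.51.100.20:80 svchost.exe
"""
```

Run `triage(SAMPLE_LOG.splitlines())` to see the three verdicts; only the inbound TCP/135 line is the one the Sygate steps and MS03-026 are about.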

clocker
10-20-2003, 03:30 AM
How often do you see this message?

The default setting for the clock is for it to update every seven days.

DL.
10-20-2003, 03:31 AM
Where is udp in Shareholder's image?

http://www.uploadit.org/files/191003-strangefirewall.jpg

Still maybe!

Virtualbody1234
10-20-2003, 03:33 AM
You will see it only once if you click the ok button in the Norton warning window.

It will keep reappearing if you block the communication with Norton.

Virtualbody1234
10-20-2003, 03:37 AM
Where is udp in Shareholder's image?
It's there but hidden under 'mostra dettagli' or 'show details' button.

I know this because it says "Rischio basso" which is "low risk" in English.

asmithz
10-20-2003, 03:39 AM
Oh well, wait till SH gets back and says if he has fixed it. Then that will tell you what was wrong.


@VB1234, if you delete the first frame of the animation it will keep spinning instead of stopping. I just wanted to point that out, you probably want it the way you have it. :)

Virtualbody1234
10-20-2003, 03:42 AM
delete the first frame of the animation it will keep spinning instead of stopping

I set that pause myself. :lol:

asmithz
10-20-2003, 03:48 AM
Originally posted by Virtualbody1234@19 October 2003 - 19:42

delete the first frame of the animation it will keep spinning instead of stopping

I set that pause myself. :lol:
Thought so, sorry for the hijack.

DL.
10-20-2003, 03:53 AM
/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir
/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir
/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir
/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir

For XP would be /Rpc/..%255c..%255c..%255cwindows/system32/cmd.exe?/c+dir instead of winnt

Easy you see?

http://www.microsoft.com/technet/treeview/...in/MS03-026.asp (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp)


Best practices recommend blocking all TCP/IP ports that are not actually being used, and most firewalls including the Windows Internet Connection Firewall (ICF) block those ports by default. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.

Virtualbody1234
10-20-2003, 04:06 AM
Listen DL. We just let communication through for a specific type of UDP communication from a specific 'low risk' built-in setting for Norton firewall.

Any other type of communication and Norton will alert us, ok?

DL.
10-20-2003, 04:09 AM
Maybe ok ;)

sparsely
10-20-2003, 04:12 AM
exactly why I hate software firewalls.
snake oil is really all they are...

*OOh! look! I'm ur firewall! I'm blocking stuff! You'd be haxored without meh!*

:rolleyes:

Virtualbody1234
10-20-2003, 04:14 AM
Snake oil?

Anyway I also have a hardware firewall.

Btw, Sparsely, that's a neat sig.


Edit to add: Hey I almost forgot... Welcome to the discussion board, DL. http://www.mcbriens.net/liam/img/smilies/beerchug.gif http://www.mcbriens.net/liam/img/smilies/thmbup.gif

asmithz
10-20-2003, 04:24 AM
Originally posted by Sparsely@19 October 2003 - 20:12
exactly why I hate software firewalls.
snake oil is really all they are...

*OOh! look! I'm ur firewall! I'm blocking stuff! You'd be haxored without meh!*

:rolleyes:
Yeah you're right, it makes you think the worst when that crap comes up.

sharedholder
10-20-2003, 07:33 AM
:lol: :lol: It's not a worm, VB1234 is right. :lol: :lol: