also @ TechSpot: Oculus Rift secures $16 million in Series A round of funding

NT AUTHORITY shutting down my PC

Discussion in 'Windows OS' started by acidosmosis, Aug 2, 2003.

Page 1 of 18

  1. acidosmosis TechSpot Chancellor Posts: 1,574

    A few times a message has appeared on my screen suddenly telling me that NT AUTHORITY/SYSTEM was going to shut down my PC. All you can do is save your work and basically take it like a man unforunately and let your computer reboot.

    This is a security flaw in Microsoft Windows, mainly NT/XP/Server.
    If you see this message you should install Windows updates as soon as possible. There is basically someone out there sending data to your PC causing this to happen.




    Advisory Warning to all users of the following operating systems:

    Microsoft Windows NT 4.0
    Microsoft Windows NT 4.0 Terminal Services Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server 2003

    Your Microsoft Operating System may potentially be under attack by HACKER ACTIVITY. The vulnerability attack can fool software into accepting insecure commands that could let intruders steal data, delete files or eavesdrop on e-mails.

    Due to the seriousness of this vulnerability the Department of Homeland Security and Microsoft encourages system administrators and computer owners to update vulnerable versions of Microsoft Windows operating systems as soon as possible.

    Our recommendation is to please go to:

    http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp to install the patch immediately.
    acidosmosis, Aug 2, 2003
    #1

  2. XtR-X Newcomer, in training Posts: 1,040

    Thanks for the info. All installed now.
    XtR-X, Aug 2, 2003
    #2

  3. LNCPapa TS Special Forces Posts: 3,974   +125

    Thought I'd pass around some info that's going around at my job about this exploit - not sure if it'll help anyone though

    ****> It should be noted, however, that since the vulnerability
    permitted an attacker to do almost anything with a victim machine, the
    information below may represent only one of many possible attack
    results. Therefore, the absence of the files described below should
    *not* be considered to be a conclusive indication that a system was
    not compromised due to this vulnerability.

    The latest version of McAfee VirusScan Enterprise 7 (and I would guess
    VS 4.5.1 also) does NOT recognize any files related to exploiting the
    RPC DCOM vulnerability as being problematic. This may not be
    surprising, since we're not dealing with a virus - yet. Please don't
    rely on a virus scanner to find these, or similar files on a system at
    this time.

    Files that exploit RPC DCom will only show up on a machine as part of
    kit that one might use to carry out attacks on remote hosts. However,
    because such files can only be installed when an attacker has
    substantial access to a victim machine, the most reliable method of
    clean up is to rebuild the victim machine from known, good media,
    while __NOT__ connected to the network (e.g., rebuild and _fully_
    patch, and enable the XP built-in firewall, while behind a firewall
    device (e.g. Linksys BEFSR41), or while disconnected from the network).

    Hence, if a host is discovered to have been the victim of the RPC DCOM
    exploit, and until organizations such as CERT, NAI, etc can issue more
    definitive information on what the bounds of these exploits might be,
    Information Security can only endorse the recommendation that the
    machine be rebuilt. As soon as we become aware of a less-drastic yet
    more certainly effective means of ensuring identification of whatever
    the attackers may have done, we will pass that along.

    Several of the victim workstations examined have had the following
    characteristics in common (note: these characteristics represent only
    one "footprint" - there are certainly other, different footprints
    related to exploiting RPC DCOM - absence of these files does *NOT*
    mean definitively that the system was not victimized in some other way):

    * Three files located in a directory named "c:\temp"
    + directx.exe
    + cygwin1.dll
    + rpcroot.exe

    * Some of the machines examined had a copy of directx.exe and
    rpcroot.exe in c:\windows\system32.

    * Directx.exe, while a file by that name may normally be present as
    part of the Windows 'Direct-X' display facility, is in this case
    actually an IRC server. When executed, directx.exe will create the
    following registry entries:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    + C:\test\directx.exe

    HKLM\SOFTWARE\ColdVision
    + (Default)
    + update

    * In addition to the registry entries, directx.exe will generate two
    text files (in the same directory as directx.exe):
    + JoinMe.conf
    + operators.conf
    The "operators.conf" file is empty, while "JoinMe.conf" contains 22
    lines of IRC server configuration variables (with no interesting
    values). It has been reported that directx.exe may contain a client
    component which attempts to connect to an IRC server at 38.115.134.245.

    * After a re-boot, the victim host will be running the IRC server on
    port 6667

    * Turns out that directx.exe and "ColdVision" have a bit of a history.
    See http://vil.nai.com/vil/content/v_100024.htm

    * The rpcroot.exe file is a script-kiddie utility that will allow one
    to reboot vulnerable Windows machines remotely (via the RPC DCom issue).
    Note that rpcroot.exe does not give one a shell on the victim machine
    (other utilities floating around the Internet apparently will provide
    shell access).

    Cygwin1.dll is, of course, probably used in support of the IRC server
    (directx.exe). It's possible for rpcroot.exe to be used for any
    number of bad deeds: e.g., from general troubel making, to remotely
    rebooting other victim Windows machines for the purpose of bringing up
    newly installed IRC servers.
    LNCPapa, Aug 4, 2003
    #3

  4. Exploder98 Newcomer, in training

    Thanks for posting this. I was searching around for "nt authority/ system" and came across this forum. I did the update patch and i hope this doesn't happen to me anymore. This was happening to me yesterday and happened 7 times!
    Exploder98, Aug 6, 2003
    #4

  5. SNGX1275 TS Special Forces Posts: 11,917   +119

    Wow 7 times, lol. Yeh at least you got it patched and hopefully things are in the clear now. :grinthumb
    SNGX1275, Aug 6, 2003
    #5

  6. poertner_1274 secroF laicepS topShceT Posts: 4,745

    I'm glad we could help, and welcome aboard.

    If you stay I hope you enjoy it :)
    poertner_1274, Aug 7, 2003
    #6
     

  7. Tob Newcomer, in training

    Thanks all, I had this problem as well (about 6/7 times). Installed the patch and it seems to have worked. Cheers again for your help. :)
    Tob, Aug 11, 2003
    #7

  8. poertner_1274 secroF laicepS topShceT Posts: 4,745

    No problem Tob, glad we got ya straightened out :D

    I hope you stick around and enjoy your time spent here.
    poertner_1274, Aug 11, 2003
    #8

  9. Tob Newcomer, in training

    Thanks poertner_1274, found you guys through google but will deffo stick about, seems a nice board.
    Tob, Aug 11, 2003
    #9

  10. b magician Newcomer, in training

    i need help on this please i went to ure link acidosmosis but while it was downloading that error came up again and it auto restarted in 60 secs, i have windows xp home
    any1 know how to fix this?
    b magician, Aug 11, 2003
    #10

  11. woodee Newcomer, in training

    Mr magician,i know what your saying about trying to download and then being shutdown,but eventually i managed to get the whole file and once installed it has cured the problem though,stick with it,
    Scary stuff i must say :S thanks all for the help,thought i was truly stuffed for a while :)
    woodee, Aug 11, 2003
    #11

  12. b magician Newcomer, in training

    same here too scary but i think i may have fixed the problem myself im downloading the patch right now but all i just did was went to network wizard and set up a firewall and its seems to have stopped but im still downloading patch just in case to be sure this doesnt happen again
    heh knowing that im only 14 yrs old i did i by myself
    thnx alot guys for the patch i might decide to stick around here to see what goes on..
    b magician, Aug 11, 2003
    #12

  13. chris40 Newcomer, in training

    thanks for the help

    thanks guys for the solution for this dodgy thing
    i had the same problem downloading it just before the thing shut me down
    get a friend to download it maybe if you can't download it in time
    :rolleyes:
    chris40, Aug 11, 2003
    #13

  14. InfantryOnline Newcomer, in training Posts: 17

    Lol.. There is an error message when I install it from a CD to my computer from a different one.. but it hasn't been happening lately.. well anyway.. What did you guys do to make it start doing this? I'll tell you after you guys tell me ;)
    InfantryOnline, Aug 11, 2003
    #14

  15. topjimmy Newcomer, in training

    rrrr fff hhhh

    I had the same problem but after I downloaded the update it seemed to have fixed it, thanks everyone...you are a life saver.
    topjimmy, Aug 11, 2003
    #15

  16. thakidd Newcomer, in training

    sup guys new here seems like a nice page.well that nt crap is happing were can i get the update thanxx
    thakidd, Aug 11, 2003
    #16

  17. Playingkarate Newcomer, in training

    Guys.. :(

    The patch worked, it doesn't force me to restart... But, now i can't seem to ctrl + alt + dlt, at all it just closes it asap, and i see these 2 members named msmoncon or something like that its an exe and a user, i can't delete there exe cuase it says there protected.

    And i can't go into my msconfig, becuase that closes also so i can't take them off user list or ne thing.

    If you guys know ne thing plz help.
    Playingkarate, Aug 11, 2003
    #17

  18. poertner_1274 secroF laicepS topShceT Posts: 4,745

    That sounds like you need to boot into Safe Mode and run your antivirus, as well as adaware or spybot. That should get rid of your new problem with task manager being shut down as soon as you bring it up.

    I'm very glad we could help all of you newcomers. It is nice to know we are getting out there and helping the computing community. :)
    poertner_1274, Aug 11, 2003
    #18

  19. jasonb Newcomer, in training

    New Information

    Hello guys ..

    This patch does work .. however things are getting worse today.

    I work for a Cable ISP in Canada... Our customers are experiencing this bug. However instead of it happening 7 times/day .. its happening every 40-60 Seconds... making it nearly impossible to update there systems.

    Resulting of a lot of floppy disk pickups at the front office :)
    jasonb, Aug 11, 2003
    #19

  20. Julio Franco TechSpot Editor Posts: 6,089   +130

    This post got googled or something, you might have noticed the 1000+ active users in vB at any time, 15333 reads so far.

    Welcome everyone!
    Julio Franco, Aug 11, 2003
    #20
Page 1 of 18
Topic Status:
Not open for further replies.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...

Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.