TechSpot

NT AUTHORITY shutting down my PC

By acidosmosis
Aug 2, 2003
Topic Status:
Not open for further replies.
  1. A few times a message has appeared on my screen suddenly telling me that NT AUTHORITY/SYSTEM was going to shut down my PC. All you can do is save your work and basically take it like a man unforunately and let your computer reboot.

    This is a security flaw in Microsoft Windows, mainly NT/XP/Server.
    If you see this message you should install Windows updates as soon as possible. There is basically someone out there sending data to your PC causing this to happen.




    Advisory Warning to all users of the following operating systems:

    Microsoft Windows NT 4.0
    Microsoft Windows NT 4.0 Terminal Services Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server 2003

    Your Microsoft Operating System may potentially be under attack by HACKER ACTIVITY. The vulnerability attack can fool software into accepting insecure commands that could let intruders steal data, delete files or eavesdrop on e-mails.

    Due to the seriousness of this vulnerability the Department of Homeland Security and Microsoft encourages system administrators and computer owners to update vulnerable versions of Microsoft Windows operating systems as soon as possible.

    Our recommendation is to please go to:

    http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp to install the patch immediately.
  2. XtR-X

    XtR-X TS Rookie Posts: 1,040

    Thanks for the info. All installed now.
  3. LNCPapa

    LNCPapa TS Special Forces Posts: 4,308   +265

    Thought I'd pass around some info that's going around at my job about this exploit - not sure if it'll help anyone though

    ****> It should be noted, however, that since the vulnerability
    permitted an attacker to do almost anything with a victim machine, the
    information below may represent only one of many possible attack
    results. Therefore, the absence of the files described below should
    *not* be considered to be a conclusive indication that a system was
    not compromised due to this vulnerability.

    The latest version of McAfee VirusScan Enterprise 7 (and I would guess
    VS 4.5.1 also) does NOT recognize any files related to exploiting the
    RPC DCOM vulnerability as being problematic. This may not be
    surprising, since we're not dealing with a virus - yet. Please don't
    rely on a virus scanner to find these, or similar files on a system at
    this time.

    Files that exploit RPC DCom will only show up on a machine as part of
    kit that one might use to carry out attacks on remote hosts. However,
    because such files can only be installed when an attacker has
    substantial access to a victim machine, the most reliable method of
    clean up is to rebuild the victim machine from known, good media,
    while __NOT__ connected to the network (e.g., rebuild and _fully_
    patch, and enable the XP built-in firewall, while behind a firewall
    device (e.g. Linksys BEFSR41), or while disconnected from the network).

    Hence, if a host is discovered to have been the victim of the RPC DCOM
    exploit, and until organizations such as CERT, NAI, etc can issue more
    definitive information on what the bounds of these exploits might be,
    Information Security can only endorse the recommendation that the
    machine be rebuilt. As soon as we become aware of a less-drastic yet
    more certainly effective means of ensuring identification of whatever
    the attackers may have done, we will pass that along.

    Several of the victim workstations examined have had the following
    characteristics in common (note: these characteristics represent only
    one "footprint" - there are certainly other, different footprints
    related to exploiting RPC DCOM - absence of these files does *NOT*
    mean definitively that the system was not victimized in some other way):

    * Three files located in a directory named "c:\temp"
    + directx.exe
    + cygwin1.dll
    + rpcroot.exe

    * Some of the machines examined had a copy of directx.exe and
    rpcroot.exe in c:\windows\system32.

    * Directx.exe, while a file by that name may normally be present as
    part of the Windows 'Direct-X' display facility, is in this case
    actually an IRC server. When executed, directx.exe will create the
    following registry entries:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    + C:\test\directx.exe

    HKLM\SOFTWARE\ColdVision
    + (Default)
    + update

    * In addition to the registry entries, directx.exe will generate two
    text files (in the same directory as directx.exe):
    + JoinMe.conf
    + operators.conf
    The "operators.conf" file is empty, while "JoinMe.conf" contains 22
    lines of IRC server configuration variables (with no interesting
    values). It has been reported that directx.exe may contain a client
    component which attempts to connect to an IRC server at 38.115.134.245.

    * After a re-boot, the victim host will be running the IRC server on
    port 6667

    * Turns out that directx.exe and "ColdVision" have a bit of a history.
    See http://vil.nai.com/vil/content/v_100024.htm

    * The rpcroot.exe file is a script-kiddie utility that will allow one
    to reboot vulnerable Windows machines remotely (via the RPC DCom issue).
    Note that rpcroot.exe does not give one a shell on the victim machine
    (other utilities floating around the Internet apparently will provide
    shell access).

    Cygwin1.dll is, of course, probably used in support of the IRC server
    (directx.exe). It's possible for rpcroot.exe to be used for any
    number of bad deeds: e.g., from general troubel making, to remotely
    rebooting other victim Windows machines for the purpose of bringing up
    newly installed IRC servers.
  4. Exploder98

    Exploder98 TS Rookie

    Thanks for posting this. I was searching around for "nt authority/ system" and came across this forum. I did the update patch and i hope this doesn't happen to me anymore. This was happening to me yesterday and happened 7 times!
  5. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,539   +301

    Wow 7 times, lol. Yeh at least you got it patched and hopefully things are in the clear now. :grinthumb
  6. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    I'm glad we could help, and welcome aboard.

    If you stay I hope you enjoy it :)
  7. Tob

    Tob TS Rookie

    Thanks all, I had this problem as well (about 6/7 times). Installed the patch and it seems to have worked. Cheers again for your help. :)
  8. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    No problem Tob, glad we got ya straightened out :D

    I hope you stick around and enjoy your time spent here.
  9. Tob

    Tob TS Rookie

    Thanks poertner_1274, found you guys through google but will deffo stick about, seems a nice board.
  10. b magician

    b magician TS Rookie

    i need help on this please i went to ure link acidosmosis but while it was downloading that error came up again and it auto restarted in 60 secs, i have windows xp home
    any1 know how to fix this?
  11. woodee

    woodee TS Rookie

    Mr magician,i know what your saying about trying to download and then being shutdown,but eventually i managed to get the whole file and once installed it has cured the problem though,stick with it,
    Scary stuff i must say :S thanks all for the help,thought i was truly stuffed for a while :)
     
  12. b magician

    b magician TS Rookie

    same here too scary but i think i may have fixed the problem myself im downloading the patch right now but all i just did was went to network wizard and set up a firewall and its seems to have stopped but im still downloading patch just in case to be sure this doesnt happen again
    heh knowing that im only 14 yrs old i did i by myself
    thnx alot guys for the patch i might decide to stick around here to see what goes on..
  13. chris40

    chris40 TS Rookie

    thanks for the help

    thanks guys for the solution for this dodgy thing
    i had the same problem downloading it just before the thing shut me down
    get a friend to download it maybe if you can't download it in time
    :rolleyes:
  14. InfantryOnline

    InfantryOnline TS Rookie Posts: 17

    Lol.. There is an error message when I install it from a CD to my computer from a different one.. but it hasn't been happening lately.. well anyway.. What did you guys do to make it start doing this? I'll tell you after you guys tell me ;)
  15. topjimmy

    topjimmy TS Rookie

    rrrr fff hhhh

    I had the same problem but after I downloaded the update it seemed to have fixed it, thanks everyone...you are a life saver.
  16. thakidd

    thakidd TS Rookie

    sup guys new here seems like a nice page.well that nt crap is happing were can i get the update thanxx
  17. Playingkarate

    Playingkarate TS Rookie

    Guys.. :(

    The patch worked, it doesn't force me to restart... But, now i can't seem to ctrl + alt + dlt, at all it just closes it asap, and i see these 2 members named msmoncon or something like that its an exe and a user, i can't delete there exe cuase it says there protected.

    And i can't go into my msconfig, becuase that closes also so i can't take them off user list or ne thing.

    If you guys know ne thing plz help.
  18. poertner_1274

    poertner_1274 secroF laicepS topShceT Posts: 4,745

    That sounds like you need to boot into Safe Mode and run your antivirus, as well as adaware or spybot. That should get rid of your new problem with task manager being shut down as soon as you bring it up.

    I'm very glad we could help all of you newcomers. It is nice to know we are getting out there and helping the computing community. :)
  19. jasonb

    jasonb TS Rookie

    New Information

    Hello guys ..

    This patch does work .. however things are getting worse today.

    I work for a Cable ISP in Canada... Our customers are experiencing this bug. However instead of it happening 7 times/day .. its happening every 40-60 Seconds... making it nearly impossible to update there systems.

    Resulting of a lot of floppy disk pickups at the front office :)
  20. Julio Franco

    Julio Franco TechSpot Editor Posts: 6,534   +316

    This post got googled or something, you might have noticed the 1000+ active users in vB at any time, 15333 reads so far.

    Welcome everyone!
  21. realillusion

    realillusion TS Rookie

    Wow, thanks so much.

    This message was coming up every time my computer booted up. Thank god I found this post using google! I had to bookmark it (and later, the microsoft page) so I could read through and finish in time...

    Luckily, I was able to download the patch within my 60 seconds :-S I had to save it, and boot up in safe mode, to get the thing running in time, but now everything looks like it's working!

    I don't know what we would have done without you! Thanks :)
  22. ilson

    ilson TS Rookie

    i've been having this problem for the past few days...
    but i woke up this morning to it happening more frequently...
    then once i got to my computer to see if there were any fixes it would start rebooting almost as soon as windows was finished loading.
    so i decided to shut it down when i got the chance, and go look on my roomates computer for help...now i cant seem to start my machine back up, its dead to the world...and perhaps its just me over reacting but i swear i smelt fried electronics when i walked back in my room to turn it on
    if anyone has ideas as to how i can get my computer back up and running so i can try the update, or reformat, i would be greatful
    thanls for the info so far, its helped alot...this is the only plac ei found so far thats had any info related to this problem
  23. ORC-MASTER

    ORC-MASTER TS Rookie

    This is happeing to me about every 5 min and want stop i installed the patch and have my fingers crossed but i dont know i was jsut curious if this is a hacker thing and what exactlly they can do thank you
  24. SinFayth

    SinFayth TS Rookie

    Thanks so much for the info - my girlfriend is having this problem, but as she's a 56ker, she cant download the 5.5mb patch in time.

    I have broadband, i've tried sending the file by msn, but still no luck.

    Any tips? I cant even compress the file with winzip. She's very upset... and poor Sin cant make it better.... :(

    unless she pays me 50p for a CD :p lol

    Anyway i can reduce the file size?
  25. iss

    iss TechSpot Chancellor Posts: 2,896

    looks like D Day for this exploit. tech forums all over the net are being bombarded with pleas for help. I have seen several links to this article posted at many places if reference to resolving the problem.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.