Glenn Overholt
A friend of mine got a blank email recently. It was quickly deleted, but a few days later she got a message saying "Your base belong to me" while surfing.
She is using Zone Alarm and I saw part of her log. The first entry had 'distributed COM services' on it, so I ran a search and found that Zone Alarm opens up a Windows file called 'RPCSS.EXE'. I did a quick search on distributed COM services and ran across this:
"Coming from a heavy Windows NT development background, I can shed some light on what rpcss.exe is actually doing. RPC is short for Remote Procedure Call; it is a means by which two programs can call each other's publicly available procedures over a network, and is nothing new (in fact, UNIX systems have had this in sunrpc/portmap for years). While RPC is not, by its nature, connected to any particular service and a program can handle RPC on its own, the Win32 API upon which Windows NT and 9x are based provides a series of RPC function calls which are handled by (you guessed it!) rpcss.exe. Originally, Windows 9x's Winsock service didn't provide RPC, so rpcss.exe was redistributed with the new Winsock that comes with newer Microsoft applications.
In any event, what rpcss.exe does is to handle a number of API calls that relate to RPC. In general (and this is somewhat of a simplification to prevent techie talk overload), a program can register certain entry points (the "procedures" in remote procedure call) that can be accessed by external applications. This is known as the "portmapper" function. Once registered, anyone contacting the RPC port and asking, in the appropriate format, for a particular function provided by a particular program will be allowed to execute the function. Any security checks are up to the contacted program, as all the portmapper does is to make the necessary procedure call on behalf of the client."
That looks like a back door into anyone that is using Zone Alarm and now I'm alarmed by this. Can someone fill in the blanks for me?
Glenn
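Added example, not part of the original post and not code from rpcss.exe: a toy Python model of the register-then-dispatch behaviour the quoted text describes, showing that the mapper forwards every request and any access check has to live inside the registered procedure. All names (`ToyPortmapper`, `demo_service`, the allow-list, the sample addresses) are hypothetical and constructed for illustration.

```python
# Toy model of the registration/dispatch behaviour described in the quoted
# text. Hypothetical names throughout; this is not how rpcss.exe is written.

class AccessDenied(Exception):
    pass

class ToyPortmapper:
    """Maps (program, procedure) to a callable and forwards calls blindly."""

    def __init__(self):
        self._table = {}

    def register(self, program, procedure, func):
        self._table[(program, procedure)] = func

    def call(self, caller, program, procedure, *args):
        # No authentication here: the mapper only looks up and forwards.
        try:
            func = self._table[(program, procedure)]
        except KeyError:
            raise LookupError(f"{program}.{procedure} is not registered") from None
        return func(caller, *args)

    def registered(self):
        return sorted(self._table)

TRUSTED_CALLERS = {"127.0.0.1"}  # constructed allow-list (assumption)

def get_status(caller):
    # Registered without any check: every caller gets an answer.
    return "running"

def set_config(caller, key, value):
    # The program itself must reject callers it does not trust.
    if caller not in TRUSTED_CALLERS:
        raise AccessDenied(f"{caller} may not call set_config")
    return f"{key}={value}"

def build_demo():
    pm = ToyPortmapper()
    pm.register("demo_service", "get_status", get_status)
    pm.register("demo_service", "set_config", set_config)
    return pm

if __name__ == "__main__":
    pm = build_demo()
    print(pm.call("203.0.113.5", "demo_service", "get_status"))
    try:
        pm.call("203.0.113.5", "demo_service", "set_config", "mode", "x")
    except AccessDenied as exc:
        print("denied:", exc)
```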