Zone Alarm Questions

Discussion in 'Archived Threads 2001-2004' started by Glenn Overholt, Jul 1, 2002.

  1. Glenn Overholt

    A friend of mine got a blank email recently. It was quickly deleted, but a few days later she got a message saying "Your base belong to me" while surfing.

    She is using Zone Alarm and I saw part of her log. The first entry had 'distributed COM services' on it, so I ran a search and found that Zone Alarm opens up a Windows file called 'RPCSS.EXE'. I did a quick search on distributed COM services and ran across this:

    "Coming from a heavy Windows NT development background, I can shed some light on what rpcss.exe is actually doing. RPC is short for Remote Procedure Call; it is a means by which two programs can call each other's publicly available procedures over a network, and is nothing new (in fact, UNIX systems have had this in sunrpc/portmap for years). While RPC is not, by its nature, connected to any particular service and a program can handle RPC on its own, the Win32 API upon which Windows NT and 9x are based provides a series of RPC function calls which are handled by (you guessed it!) rpcss.exe. Originally, Windows 9x's Winsock service didn't provide RPC, so rpcss.exe was redistributed with the new Winsock that comes with newer Microsoft applications.

    In any event, what rpcss.exe does is to handle a number of API calls that relate to RPC. In general (and this is somewhat of a simplification to prevent techie talk overload), a program can register certain entry points (the "procedures" in remote procedure call) that can be accessed by external applications. This is known as the "portmapper" function. Once registered, anyone contacting the RPC port and asking, in the appropriate format, for a particular function provided by a particular program will be allowed to execute the function. Any security checks are up to the contacted program, as all the portmapper does is to make the necessary procedure call on behalf of the client."

    That looks like a back door into anyone that is using Zone Alarm and now I'm alarmed by this. Can someone fill in the blanks for me?

    Glenn
     
  2. Andre F

    What OS is your friend using? I've done some work with RPC in the past, and from what I understand it's supposed to be secure. Regardless, I would check what services your friend has running. RPC is used a lot for services, and since services run in the background in protected memory, this could have been running and calling RPC since the day your friend got the PC. If you do see something funny, you might want to run a virus scan and something like Ad-Aware...
    -Andre F
     
  3. Glenn Overholt

    She's running Win 98 at home for a home business. To me, it just looks funny that a program that is supposed to be protecting your system would run a program that allows someone else to 'tap in' to a computer.

    I think someone hacked into a web page for transferring photos over the internet and thus got her address, and 'spammed' her, but with the proper knowledge, anyone could just about get into anyone else's PC, and do whatever they want. Really scary.

    Glenn
     
  4. Andre F

    Here is some info I dug up...enjoy
    "Behavior
    RPCSS opens ports on your machine (usually 135 as well as some "random" ports in the low 1000s) and proceeds to try and access the Internet, setting off programs such as Zone Alarm and firewalls with its suspicious activity. While the RPCSS program is probably supposed to serve some kind of legitimate purpose, it has nonetheless been cited for numerous stability problems as well as security concerns. (Not to mention the unverified, but fairly wide-spread, other allegations...)
    The Microsoft Machine Debug Manager (mdm.exe), to my knowledge, does not connect to the Internet itself. However, it is still a rather ill-behaved program that leaves scads of temporary files on the hard drive that it never deletes, and fails to unload properly (on shared computers, when a user logs on a new instance of mdm.exe may start, but it won't necessarily exit when the user logs off. Depending on how many users have used the PC since the last reboot, dozens of copies of this program could be simultaneously running, eating up CPU and memory!).
    Solutions
    While privacy implications of these programs have yet to be established, the RPCSS program is known to cause crashes and fatal errors on some PCs using Dial-Up Networking, as described here. The program doesn't seem to do anything useful for most people, and several users have reported deleting it without any ill effects. (Note: RPCSS appears to be critical to Windows NT operation--see warning below.) The Debug Manager may be useful to power users and software developers, but for the majority of users it is probably just wasting memory. My recommendation for Windows 95 users is to rename these files (rpcss.exe -> rpcss.ex_, mdm.exe -> mdm.ex_) if you are concerned about them, or if they cause problems on your system. The RPCSS file is normally located in C:\Windows\System and the MDM.EXE file may be located either there or C:\Windows -- but for best results, use Windows' Find to locate all copies. Renaming the files allows you to restore them later if you ever need to.
    Note: Microsoft suggests that users can safely remove mdm.exe without ill effects. See http://support.microsoft.com/support.../q221/4/38.asp for more information.
    Warning: Do not tamper with RPCSS.EXE on Windows NT: I have received a report that removing RPCSS on a Windows NT system severely crippled it (to almost non-functional status); apparently many of the NT Services require it. See description below:"
    -Andre F
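    The portmapper description quoted in the first post and the port list quoted in this one describe the same mechanism: rpcss.exe listens on port 135 as the RPC endpoint mapper, and services that register with it are handed dynamically assigned ports, which is why a personal firewall logs it as "distributed COM services". The practical check a user in this situation can make is to look at what is actually bound on the machine. The example below is added here and is not code from any poster, from Zone Alarm or from Microsoft: it parses `netstat -an` output, keeps only sockets a remote host could reach, and separates the endpoint mapper, the dynamically assigned ports in the low 1000s, and everything else. The sample output is constructed, and the 1024-1100 window used for the dynamic range is an assumption for illustration.

```python
"""Classify listening sockets from `netstat -an` output to spot RPC endpoint
mapper exposure (port 135) and the dynamic ports RPC services register.
The sample below is constructed for this example, not captured from the
machine discussed in the thread."""
import re
from dataclasses import dataclass

# Constructed sample of Windows `netstat -an` output (hypothetical host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       64.12.24.10:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:137            *:*
"""

RPC_ENDPOINT_MAPPER_PORT = 135
# Assumed window for ports the endpoint mapper hands out on 9x/NT-era
# systems (the "low 1000s" mentioned in the thread); narrowed for illustration.
DYNAMIC_RANGE = (1024, 1100)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


# Proto, local addr:port, foreign addr, optional state (UDP has no state).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return sockets that accept inbound traffic: TCP sockets in LISTENING
    state and every bound UDP socket. Established and header lines are skipped."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_external(addr):
    """True if the socket is bound to an address a remote host could reach
    (anything other than loopback)."""
    return not addr.startswith("127.")


def assess_rpc_exposure(listeners):
    """Bucket listeners into the endpoint mapper itself, dynamically assigned
    RPC-style ports, and everything else. Loopback-only sockets always land
    in 'other' because no remote host can contact them."""
    result = {"endpoint_mapper": [], "dynamic_rpc": [], "other": []}
    for l in listeners:
        if not is_external(l.addr):
            result["other"].append(l)
        elif l.port == RPC_ENDPOINT_MAPPER_PORT:
            result["endpoint_mapper"].append(l)
        elif DYNAMIC_RANGE[0] <= l.port <= DYNAMIC_RANGE[1]:
            result["dynamic_rpc"].append(l)
        else:
            result["other"].append(l)
    return result


def report(netstat_text):
    """Human-readable summary of what is reachable from the network."""
    buckets = assess_rpc_exposure(parse_listeners(netstat_text))
    lines = []
    for name, items in buckets.items():
        for l in items:
            lines.append(f"{name:16s} {l.proto} {l.addr}:{l.port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

    On a real machine, run `netstat -an` and feed its output to `report()`. Sockets in the `endpoint_mapper` and `dynamic_rpc` buckets bound to `0.0.0.0` are the ones a firewall rule or a dial-up filter should block from the Internet; a loopback-only binding is not reachable from outside regardless of the port.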
     
  5. Brad_V

    I wish I could remember the differences, but there's a reason people use Zone Alarm along with something else such as Black Ice. One kind stops external threats, while the other stops internal threats. (PC security isn't my strong suit, obviously, so I'm just being general.)
    I know people who can get past either without too much trouble, and they're not even "computer guys." After reading many reviews and comparisons, I use Tiny Personal Firewall, myself.
    This is also why I avoid using Internet Explorer. Because it's so popular, it's more easily targeted. I avoid using Netscape because, well, it sucks. Ok, ok, I use it for email but not for browsing.
     
  6. Andre F

    I don't use Tiny Personal Firewall anymore because of some flaws I found while developing a DCOM based server application. Without going into too many details, I developed a server that would accept requests and serve them back to the requesting application. It's a good way to keep the server and requesting application isolated. An example would be to keep one outside the firewall and one inside it (obviously targeting a specific port). Anyway, it wouldn't work for the longest time and I knew the code was right. It was weird: the first request wouldn't work, but anything after that would work, albeit very slowly. Once I uninstalled Tiny Personal Firewall everything worked. I thought the whole thing was rather odd...
    -Andre F
     