topic Re: Windows RPC DCOM Overflow in Network Security https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236314#M77820 <HTML><HEAD></HEAD><BODY><P>Thanks.</P></BODY></HTML> Fri, 06 Feb 2009 22:13:05 GMT ncamilli 2009-02-06T22:13:05Z Windows RPC DCOM Overflow https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236312#M77818 <P>On a daily basis, for as long as my logs go back (over a month), my 1811 router has been flagging %IPS-4-SIGNATURE: Sig:3327 Subsig:1 Sev:5 Windows RPC DCOM Overflow and Subsig:0 multiple times daily from all different external ip addresses on random ports to one of my inside ip on port 135.</P><P></P><P>Does anyone have any idea what is going on?</P><P></P><P>Thanks in advanced.</P> Sun, 10 Mar 2019 11:29:07 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236312#M77818 ncamilli 2019-03-10T11:29:07Z Re: Windows RPC DCOM Overflow https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236313#M77819 <HTML><HEAD></HEAD><BODY><P>It is probably the conficker/downadup worm or a variant attempting to propagate from infected systems out on the Internet. Make sure your Windows systems are all patched and you are blocking TCP ports 135 and 445 inbound to your networks.</P><P></P><P>Hope this helps.</P></BODY></HTML> Fri, 06 Feb 2009 21:46:32 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236313#M77819 eddie.mitchell 2009-02-06T21:46:32Z Re: Windows RPC DCOM Overflow https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236314#M77820 <HTML><HEAD></HEAD><BODY><P>Thanks.</P></BODY></HTML> Fri, 06 Feb 2009 22:13:05 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236314#M77820 ncamilli 2009-02-06T22:13:05Z Re: Windows RPC DCOM Overflow https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236315#M77821 <HTML><HEAD></HEAD><BODY><P></P><P>Well ,it's not actually advisable to publish netbios port (135-139,445) to the internet. Perhaps you should source limit it. </P><P></P><P>cheers </P></BODY></HTML> Mon, 16 Feb 2009 06:56:22 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow/m-p/1236315#M77821 yuliang13 2009-02-16T06:56:22Z