svchost and rpcss out of control

joe

I'm running w2k server with exchange and have implemented
sp4 and the kb824146 patch for rpc denial of service. The
machine is running behind a proxy server.

Upon a reboot the machine runs fine. Then minutes or
hours later the CPU becomes overwhelmed with one of the
svchost processes. Based on a tlist review it is the one
which is running RpcSs. Once this starts, the CPU becomes
100% dedicated to two services, svchost and system,
sharing time between them in a ratio of about 2/3-1/3.

The result is effectively denial of service for our
exchange users. Can anyone help?????
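An added example, not part of the thread: the check joe describes (using tlist to find which svchost instance hosts RpcSs and how much CPU it has consumed) expressed as a PowerShell script for a modern Windows host. It assumes Windows PowerShell 5.1 or later with CIM access; on Windows 2000 the equivalent is `tlist -s` or `tasklist /svc`.

```powershell
# Map every svchost.exe instance to the services it hosts and report its
# accumulated CPU time, so a runaway instance (e.g. the one hosting RpcSs)
# can be spotted without guessing which PID is which.
# Assumption: Win32_Service exposes ProcessId for running services.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$byPid    = $services | Group-Object -Property ProcessId

$report = foreach ($group in $byPid) {
    $proc = Get-Process -Id ([int]$group.Name) -ErrorAction SilentlyContinue
    # Skip PIDs that are not svchost (services hosted in their own exe).
    if ($null -eq $proc -or $proc.ProcessName -ne 'svchost') { continue }
    [pscustomobject]@{
        PID        = [int]$group.Name
        CpuSeconds = [math]::Round(($proc.CPU -as [double]), 1)
        HostsRpcSs = ($group.Group.Name -contains 'RpcSs')
        Services   = (($group.Group.Name | Sort-Object) -join ',')
    }
}

# Highest CPU consumer first; the RpcSs host is flagged in its own column.
$report | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize
```

A single snapshot shows accumulated CPU since process start; run it twice a minute apart and compare CpuSeconds to see which instance is currently consuming the processor.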
 
MadDog

-----Original Message-----
I'm running w2k server with exchange and have implemented
sp4 and the kb824146 patch for rpc denial of service. The
machine is running behind a proxy server.

Upon a reboot the machine runs fine. Then minutes or
hours later the CPU becomes overwhelmed with one of the
svchost processes. Based on a tlist review it is the one
which is running RpcSs. Once this starts, the CPU becomes
100% dedicated to two services, svchost and system,
sharing time between them in a ratio of about 2/3-1/3.

Perhaps this will help:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp


MD
 
joe

Thanks, I had just implemented this patch (the kb824146 is
what is referred to in your link) prior to posting my
question and was in the process of rebooting. The machine
has now been fine for a couple of hours but has gone this
long without issue in the last couple of days only to have
the problem return. I won't be sure if this fixes the
problem or not until some period of time has passed.

joe
 
Steve Nielsen

Has it been scanned for viruses/worms/trojans? Seems suspiciously like
viral activity.

Steve
 
joe

Steve,
I have to agree. I scanned with NAV (with updated
definitions) several times in the past few days without
finding anything. After implementing the patch referenced
in other mails I did come across a virus in test.exe. The
virus is w32.Mimail.M@mm. I'm not familiar with it nor
with the possibility that it would be responsible for such
activity - haven't had time to investigate yet.

So far so good after implementing the patch.

Joe
 
Steve Nielsen

Yup. I think you may have nipped it Joe.

Quickly reading what Symantec has on that worm it certainly would make
the host machine quite busy:

"The DoS routine is designed to have 15 attacking threads active at any
moment.
Each thread performs one TCP connection or an ICMP attack, and then
sleeps for five seconds.
Randomly chooses to perform a TCP connection on port 80 or to perform an
ICMP attack.
The packets sent to the victim carry a 2k payload filled with random data.
Uses a random ICMP type when performing the ICMP attack.
The sent data is either the GET request or some random data when
performing the HTTP connection."

Keep the mental fingers crossed.

Steve