04 Aug 2003

A vulnerability was recently discovered in RPC Interface on Windows servers, which can be exploited by attackers to run code with Local System privileges.

You can tell your server has been hacked if:

• The RPC Service is stopped
• When domain applications are created, the user gets the following error in the browser:
  Server Application Error
  The server has reached the maximum recovery limit for the application during the processing of your request.
  Please contact the server administrator for assistance.

To recover WinBox from an attack:

1. Start the RPC service
2. Kill the inetinfo.exe process
3. From the command prompt, run:
   iisreset /restart
4. Restart hsphere by running:
   NET STOP HSSVC
   NET START HSSVC

To correct this vulnerability, install the corresponding patch published in the Microsoft Security Bulletin MS03-026.

To prevent other possible security issues, we highly recommend installing ServicePack 4 on your Windows servers and all latest critical updates that you can find at: http://windowsupdate.microsoft.com