# RpcEptMapper virus



## ashbeck (Jun 1, 2006)

Hi everyone, 

I have an unusual problem and hopefully someone can help. We are running a Windows 2008 r3 server which is used as our file server. I have run multiple virus scans and nothing has been flagged. 

The issue is that on our firewall we are seeing up to 10 attempts to random IP addresses all over the world (we block them). 

However, it would be nice to know the cause. I have done `netstat -o -b -s` to identify the PID. 

From there I have done `tasklist /fi "imagename eq svchost.exe" /svc` to see exactly what is causing it, and it comes back as RpcEptMapper and RpcSs.

Why should they be attempting to contact IPs from all over the world every second? 

Any help??
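The netstat/tasklist correlation described in this post, written up as a single PowerShell script (an added example, not something posted in the thread). It joins `netstat -ano` with `tasklist /svc` so each connection to a non-LAN address shows the PID, the image name and every service sharing that svchost.exe; the RFC 1918 prefixes in `$InternalPrefix` are an assumption and should be adjusted to the site's address plan.

```powershell
# Added example, not from this thread: list connections to peers outside the LAN
# together with the service names hosted in the owning svchost.exe, by joining
# "netstat -ano" with "tasklist /svc". Run from an elevated prompt.
# Assumption: the file server's LAN uses RFC 1918 ranges (edit $InternalPrefix).
$InternalPrefix = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

function Get-OutboundByService {
    # PID -> service names hosted in that process ("N/A" for ordinary executables)
    $svcByPid = @{}
    tasklist /svc /fo csv | ConvertFrom-Csv | ForEach-Object {
        $svcByPid[[int]$_.PID] = $_.Services
    }

    # netstat rows: Proto Local Foreign [State] PID (UDP rows carry no State column)
    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        $procId = [int]$f[-1]
        $remote = $f[2] -replace ':\d+$', ''        # strip the port from the peer
        $state  = '-'
        if ($f[0] -eq 'TCP') { $state = $f[3] }
        New-Object PSObject -Property @{
            Proto    = $f[0]
            Local    = $f[1]
            Remote   = $f[2]
            RemoteIp = $remote
            State    = $state
            PID      = $procId
            Image    = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            Services = $svcByPid[$procId]
        }
    } | Where-Object {
        # keep only peers outside the LAN; drop wildcard, loopback and IPv6 listeners
        $_.RemoteIp -notmatch $InternalPrefix -and
        $_.RemoteIp -notmatch '^(0\.0\.0\.0|127\.|\[|\*)'
    }
}

Get-OutboundByService |
    Sort-Object PID, Remote |
    Format-Table Proto, Remote, State, PID, Image, Services -AutoSize
```

Because several services share one svchost.exe, the Services column narrows the search to a service group rather than a single service; attributing the traffic to one service or to a module loaded into that process needs per-process tracing such as the Process Monitor approach suggested later in the thread.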


----------



## ashbeck (Jun 1, 2006)

Anyone have any thoughts on this? Even just some ideas to bounce about would be great, as I am totally stuck with this.


----------



## Wand3r3r (Sep 17, 2010)

Try shutting the processes down via task manager and see what events are logged in event viewer to try and determine the source program.


----------



## ashbeck (Jun 1, 2006)

Thank you, I will try that. The issue is that the RpcEptMapper is used by many users when they are communicating with the file server. Therefore I will do this, but it will have to be in the middle of the night as we have a huge number of users constantly using it. 

Would looking through the event viewer after shutting the process down give more information than the `tasklist /fi "imagename eq svchost.exe"` command though?


----------



## Wand3r3r (Sep 17, 2010)

We aren't concerned about the services but what program is using them. 

Both are involved in RPC [remote procedure calls] which is how Microsoft systems talk to each other.

What Is RPC?: Remote Procedure Call (RPC)

Could you post a screen shot of the firewall screen you are referring to concerning these foreign ip addresses?


----------



## ashbeck (Jun 1, 2006)

Sure, as attached. This was in 5 seconds.


----------



## Wand3r3r (Sep 17, 2010)

If I try to go to one of those ips I get a 403 error which indicates possible web sites but the site is not posting a display.

Where are you located? 

Any time I see Russia [RU] I think hackers. Add Turkey and South Korea I get very suspicious.

Where is the rest of the information like the source ip?
What are you using for antivirus?


----------



## ashbeck (Jun 1, 2006)

Located in the UK. We are using avast, and have two firewalls and an IDS. The source IP is always the file server's internal address and the data is always attempting to go out, never in.


----------



## Stancestans (Apr 26, 2009)

Those don't seem like random IPs. They appear to be random at first, but you'll notice it's a few IPs making several attempts. It's important we find out what processes are actually using those services. It's possible you might have picked up a worm or some other malicious program and it's now trying to join your server to a botnet. Botnet tools can be quite ingenious at evading antivirus detection, so it's a good thing you've blocked those attempts. Let's see if we can investigate those IPs further.


----------



## ashbeck (Jun 1, 2006)

I suspected it is some kind of worm, I just need to get further into the process and find what program exactly is using it. 

I will try the method suggested above and stop the process and look into the event viewer. Can't think how else I can find what program is using that process.


----------



## Stancestans (Apr 26, 2009)

Another way could be using Process Monitor. It may seem difficult to use at first, but with some filtering and a keen eye it can easily point out the culprit program, straight to the executable that's exploiting the Windows service. I've used it before to track a troublesome process that turned out to be malware that passed AV scans!


----------



## ashbeck (Jun 1, 2006)

Unfortunately I tried that and all it came back with was that svchost was the issue, and the specific PID of the culprit was linked only to RpcEptMapper. Perhaps I need to use the tool again and see if it can go deeper than just showing me RpcEptMapper.


----------



## Wand3r3r (Sep 17, 2010)

I use avast at home but I would suggest using something like Sophos Managed Cloud Endpoint Protection for Business (Sophos Cloud Antivirus Security) or other enterprise software.

Are these only coming from your server and not other workstations?


----------



## ashbeck (Jun 1, 2006)

Yeah, just from the one server. I'll see if I can get Sophos; it certainly seems like a virus/worm of some sort.


----------



## Wand3r3r (Sep 17, 2010)

Since those are not invalid IPs I would suspect the same.


----------



## Stancestans (Apr 26, 2009)

ashbeck said:


> Unfortunately I tried that and all it came back with was that svchost was the issue, and the specific PID of the culprit was linked only to RpcEptMapper. Perhaps I need to use the tool again and see if it can go deeper than just showing me RpcEptMapper.


Take a look at the filesystem activity; you could spot some out-of-place exe, most likely in a tmp directory, that's making lots of calls to the services.


----------



## ashbeck (Jun 1, 2006)

I have browsed around the filesystem and not seen anything that looks unfamiliar. I have noticed in the system logs that it is reporting DCOM events failing (due to the firewall block). So I am thinking now it could be malware attached to DCOM. 

Just finding it now is the issue, I really don't want to have to rebuild it from scratch.
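A way to turn the DCOM failures mentioned above into evidence, as an added example that is not part of this thread: it reads the DistributedCOM errors from the System log, pulls the remote host out of each message and counts attempts per peer, which can then be compared against the firewall's blocked-outbound list. It assumes the event text carries the phrase "unable to communicate with the computer <host>"; the regex should be adjusted if the wording differs on the build in question.

```powershell
# Added example, not from this thread: summarise which remote hosts the server's
# DCOM layer keeps failing to reach, from the System event log.
# Assumption: the event message contains "unable to communicate with the
# computer <host>"; edit the regex below if your build words it differently.
function Get-DcomFailureTargets {
    param([int]$Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $targets = @{}
    foreach ($e in $events) {
        if ($e.Message -notmatch 'unable to communicate with the computer\s+(\S+)') { continue }
        $peer = $Matches[1].TrimEnd('.')
        if (-not $targets.ContainsKey($peer)) {
            $targets[$peer] = @{ Count = 0; First = $e.TimeCreated; Last = $e.TimeCreated }
        }
        $t = $targets[$peer]
        $t.Count++
        if ($e.TimeCreated -lt $t.First) { $t.First = $e.TimeCreated }
        if ($e.TimeCreated -gt $t.Last)  { $t.Last  = $e.TimeCreated }
    }

    foreach ($peer in $targets.Keys) {
        New-Object PSObject -Property @{
            Peer      = $peer
            Attempts  = $targets[$peer].Count
            FirstSeen = $targets[$peer].First
            LastSeen  = $targets[$peer].Last
        }
    }
}

# Peers with the most failed attempts first; a short list of repeat offenders is
# what the earlier post about "a few IPs making several attempts" predicts.
Get-DcomFailureTargets -Hours 48 |
    Sort-Object Attempts -Descending |
    Format-Table Peer, Attempts, FirstSeen, LastSeen -AutoSize
```

The FirstSeen column gives a rough date for when the behaviour began, which narrows the window for the file-system and Process Monitor review suggested earlier in the thread.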


----------

