GEN:SID 1:2252
Message NETBIOS SMB-DS DCERPC Remote Activation bind attempt
Summary This event is generated when an attempt is made to exploit a known
vulnerability in the Microsoft RPCSS service for RPC.
Impact Denial of Service. Possible execution of arbitrary code leading to
unauthorized remote administrative access.
Detailed Information A vulnerability exists in the Microsoft RPCSS service, which handles RPC DCOM
requests. Sending malformed data via RPC can result in execution of arbitrary
code or a Denial of Service condition on the host.

The Distributed Component Object Model (DCOM) handles DCOM requests sent
by clients to a server using RPC. A malformed request to the host
running the RPCSS service may result in a buffer overflow condition that
will present the attacker with the opportunity to execute arbitrary code
with the privileges of the local system account. Alternatively, the
attacker could cause the RPC service to stop answering RPC requests,
resulting in a Denial of Service condition.
Affected Systems Windows NT 4.0 Workstation and Server
    Windows NT 4.0 Terminal Server Edition
    Windows 2000
    Windows XP
    Windows Server 2003
Attack Scenarios An attacker may make a DCERPC bind request followed by a malicious
DCERPC DCOM remote activation request.
Ease of Attack Simple. Exploit code exists.
Corrective Action Apply the appropriate vendor supplied patches.

Block access to RPC ports 135, 139, 445 and 593 for both TCP and UDP
protocols from external sources using a packet filtering firewall.

Disallow the use of RPC over HTTP and HTTPS.
Additional References Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

eEye:
http://www.eeye.com/html/Research/Advisories/AD20030910.html
Rule References bugtraq: 8234
bugtraq: 8458
cve: 2003-0528
cve: 2003-0605
cve: 2003-0715
nessus: 11798
nessus: 11835
url: www.microsoft.com/technet/security/bulletin/MS03-039.mspx
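
The sequence described under Attack Scenarios begins with a DCERPC bind that names the remote activation interface. The following Python is an added example, not the rule's own logic and not part of the original page: it parses a bind PDU and reports whether that interface is offered. Assumptions: the IRemoteActivation UUID is taken from Microsoft's MS-DCOM specification, `build_bind` produces constructed sample data, and the SMB framing on port 445 has already been stripped.

```python
import struct
import uuid

# IRemoteActivation interface UUID from Microsoft's MS-DCOM specification
# (assumption: not stated on this page). NDR is the usual transfer syntax.
IREMOTEACTIVATION = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11

def bind_interfaces(pdu):
    """Return [(context_id, interface_uuid, (major, minor))] from a DCERPC v5
    bind PDU; [] for non-bind data, partial results if the PDU is truncated."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        return []
    little = (pdu[4] >> 4) == 1        # drep[0] high nibble: 1 = little-endian
    e = "<" if little else ">"
    end = min(struct.unpack_from(e + "H", pdu, 8)[0], len(pdu))  # frag_length
    off, found = 28, []                # first element follows the 4-byte count
    for _ in range(pdu[24]):           # n_context_elem
        if off + 24 > end:
            break                      # truncated element: keep what parsed
        ctx_id, n_syn = struct.unpack_from(e + "HBx", pdu, off)
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        found.append((ctx_id, iface, struct.unpack_from(e + "HH", pdu, off + 20)))
        off += 24 + 20 * n_syn         # skip this element's transfer syntaxes
    return found

def is_remote_activation_bind(pdu):
    return any(iface == IREMOTEACTIVATION for _, iface, _ in bind_interfaces(pdu))

def build_bind(iface, little=True):
    """Constructed sample: a minimal bind PDU offering one interface."""
    e = "<" if little else ">"
    wire = (lambda u: u.bytes_le) if little else (lambda u: u.bytes)
    body = struct.pack(e + "HHIBxH", 4280, 4280, 0, 1, 0)
    body += struct.pack(e + "HBx", 0, 1) + wire(iface) + struct.pack(e + "HH", 0, 0)
    body += wire(NDR_SYNTAX) + struct.pack(e + "I", 2)
    drep = bytes([0x10 if little else 0x00, 0, 0, 0])
    return struct.pack(e + "BBBB4sHHI", 5, 0, PTYPE_BIND, 3, drep,
                       16 + len(body), 0, 1) + body

if __name__ == "__main__":
    for name, pdu in [("remote activation", build_bind(IREMOTEACTIVATION)),
                      ("other interface", build_bind(uuid.uuid4()))]:
        print(name, is_remote_activation_bind(pdu))
```

The parser honours the data representation byte, so the interface is recognised in either byte order rather than only as one fixed byte pattern.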