Our Microsoft DNS Server has been shutting down for no apparent reason over the past few days. After looking into it, I found that this is an attack; Microsoft's technical document says:
Microsoft DNS Server Remote Code execution Exploit and analysis
http://www.microsoft.com/technet/security/advisory/935964.mspx
The workaround is as follows:
• Disable remote management over RPC capability for DNS Servers through the registry key setting.
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in regedit.exe.
Note We recommend backing up the registry before you edit it.
1. On the start menu click 'Run' and then type 'Regedit' and then press enter.
2. Navigate to the following registry location:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
3. On the 'Edit' menu select 'New' and then click 'DWORD Value'
4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.
5. Double click on the newly created value and change the value's data to '4' (without the quotes).
6. Restart the DNS service for the change to take effect.
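The six registry steps above, as an added PowerShell example that is not part of Microsoft's advisory or the original post. It audits whether the RpcProtocol workaround is already present and, if not, backs up the key, creates the DWORD and restarts the DNS service; it assumes an elevated Windows PowerShell session on the DNS server itself (the function names and the backup path are my own).

```powershell
# Added example: audit/apply the RpcProtocol = 4 workaround from the steps above.
# Assumes an elevated PowerShell prompt on the DNS server; function names are assumed, not Microsoft's.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsRpcWorkaround {
    # True only when RpcProtocol exists and is exactly 4, the value the advisory prescribes.
    $item = Get-ItemProperty -Path $DnsParams -Name 'RpcProtocol' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.RpcProtocol -eq 4)
}

function Enable-DnsRpcWorkaround {
    if (Test-DnsRpcWorkaround) {
        Write-Host 'RpcProtocol is already 4; nothing to do.'
        return
    }
    # The advisory recommends backing up the registry first; the backup file location is an assumption.
    $backup = Join-Path $env:TEMP ('DNS-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters' $backup /y | Out-Null
    Write-Host "Registry backup written to $backup"

    # Steps 3-5: create the DWORD value RpcProtocol with data 4 (-Force overwrites an existing value).
    New-ItemProperty -Path $DnsParams -Name 'RpcProtocol' -PropertyType DWord -Value 4 -Force | Out-Null

    # Step 6: the DNS service must be restarted before the change takes effect.
    Restart-Service -Name 'DNS' -Force

    if (Test-DnsRpcWorkaround) {
        Write-Host 'RpcProtocol = 4 applied; remote RPC management of the DNS service is disabled.'
    } else {
        Write-Warning 'RpcProtocol could not be verified; inspect the key manually.'
    }
}

# Audit only (read-only, safe to run on any server with the DNS role):
if (Test-DnsRpcWorkaround) { 'Workaround present' } else { 'Workaround MISSING' }
# To apply the workaround, call: Enable-DnsRpcWorkaround
```

The audit function is useful on its own for checking a fleet of DNS servers before and after rollout, since a missing or differently typed value reads as "MISSING" rather than silently passing.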
For a description of the attack, see below.
Original author: mballano
Microsoft DNS Server Remote Code execution Exploit and analysis
Advisory: http://www.microsoft.com/technet/security/advisory/935964.mspx
This remote exploit works against port 445 (the Microsoft RPC API is also used)
Author:
* Mario Ballano ( mballano~gmail.com )
* Andres Tarasco ( atarasco~gmail.com )
Timeline:
* April,12,2007: Microsoft advisory published
* April,13,2007: POC Exploit coded
* April,14,2007: Microsoft notified about a new attack vector against port 445 (this exploit code)
* April,14,2007: Working exploit for Windows 2000 server SP4 (Spanish)
* April,15,2007: Working exploit for Windows 2003 server SP2 (Spanish) /GS bypassed
* April,16,2007: hackers hax the w0rld and got busted.
* April,xx,2007: Lammer release the first buggy worm
* Xxxxx,xx,2007: Finally it was true. Naked photos of Gary m.. being abducted were found at NSA servers
http://www.514.es/Microsoft_Dns_Server_Exploit.zip
http://www.48bits.com/exploits/dnsxpl.rar
Alternatively, the attack program can be downloaded here:
http://www.niusee.com/download.php?file=138Microsoft_Dns_Server_Exploit.zip
http://www.niusee.com/download.php?file=61004152007-dnsxpl.rar
Source: http://www.1872388.com/x-space/?action/viewspace/itemid/465
Posted on: 2007/04/19 13:37
Author: 黑熊