Questions

DCOM 10009

+
0 Votes

DCOM 10009

artanyis
I get about 30-40 errors of event 10009 every 3-4 seconds.

DCOM was unable to communicate with the computer (computer name) using any of the configured protocols.
Log Name: system
Source: DistributedCOM
Event ID: 10009
Level: Error
User: N/A

Here is the full situation: a distributor has brought his laptop to this site, from another domain, and it is spamming DNS requests for computers from his domain, which our server in turn picks up and re-requests, then gives a DCOM error every time it can't find one of the computers from that other domain. We are talking thousands of errors a minute; it is overflowing the event log and has caused the event log to crash a few times now, plus it is causing the network to slow down because the server is using a good chunk of resources handling the thousands of connection requests it's creating.

I need a way to stop the system from searching for these devices that don't exist.
I have spent days searching online and not found a solution to this, or even someone who actually has the same issue as me and not just something similar.

I even went as far as to completely close off the distributor's laptop from the network by having the firewall stop all LAN and WAN communications from his NIC's MAC address. It did not help; it continued for over 8 hours with the original machine uncontactable.

Again, the devices DCOM is looking for have never been on the network; they are 100% unknown to this network except to the one non-domain computer that is looking for them.

How do I make the server stop looking for them also?

Thank you in advance for any helpful information you can give.

Member Answers

    • +
      0 Votes
      Sven2157

      I have dealt with numerous vendors, and they sell computer software/hardware and program complex code but cannot maintain their own computers! They have 120 processes running, viruses out the wazoo, etc., etc.

      Having said that, his machine most likely injected a virus into your network. From your description, it sounds as though his machine was used in a DDoS attack, and the software is still running. A couple more of those machines on your network, and your mainframes would have to be shut down! Typically they call non-existent computers to flood the system with bogus requests, i.e. denial of service to machines that have real requests...

      Hunt down the culprit on your system, fix it and send that vendor the bill! That's what I think is happening, and what I would do; very probably I could be wrong though.

      Hope that helps! ;-)

      Sven2157

      +
      0 Votes
      artanyis

      Thanks for the suggestion, but no matter the problem, that's default number 1.

      In case anyone stumbles upon this with the same issue, here is my solution. After bringing in two of our software vendors' support teams, we stumbled across the fact that all of these non-existent computers had somehow been added to the VIPRE AV console, and THAT is what was forcing the DNS and DCOM broadcast requests. We had to get into the SQL database for VIPRE to remove all of them, but the issue seems to be resolved now.

      C:\ProgramData\GFI Software\VIPRE Business\SQLite\VIPRE.s3db (the VIPRE database)

      (using SQLite Browser)
      Go to Browse Data, from the drop-down select Agent (it's near the bottom) and remove the non-existent devices, unfortunately one line at a time.
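The same cleanup can be scripted instead of deleting rows one at a time in SQLite Browser: pull the unreachable host names out of the 10009 messages, match them against the Agent table, and delete only the ones that are not machines you actually own. This is an added example, not code from the thread or from VIPRE; it assumes the Agent table has a `Name` column holding the hostname (the real schema is not shown in the thread), uses a constructed in-memory database and constructed event messages, and expects the console service to be stopped and VIPRE.s3db backed up before any real run.

```python
"""Added example: correlate DCOM 10009 targets with the VIPRE Agent table."""
import re
import sqlite3
from collections import Counter

# Constructed sample messages in the shape of the System log's 10009 events.
SAMPLE_EVENTS = [
    "DCOM was unable to communicate with the computer SALES-LT07 using any of the configured protocols.",
    "DCOM was unable to communicate with the computer SALES-LT07 using any of the configured protocols.",
    "DCOM was unable to communicate with the computer DIST-PC12 using any of the configured protocols.",
    "DCOM was unable to communicate with the computer FILESRV01 using any of the configured protocols.",
]
EVENT_RE = re.compile(r"communicate with the computer (\S+) using any of the configured protocols")


def unreachable_hosts(messages):
    """Count how often each host name appears as an unreachable DCOM target."""
    counts = Counter()
    for msg in messages:
        m = EVENT_RE.search(msg)
        if m:
            counts[m.group(1).upper()] += 1
    return counts


def build_sample_db():
    """Constructed in-memory stand-in for VIPRE.s3db; 'Name' column is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Agent (AgentId INTEGER PRIMARY KEY, Name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Agent (Name) VALUES (?)",
                     [("FILESRV01",), ("SALES-LT07",), ("DIST-PC12",), ("HR-PC03",)])
    return conn


def stale_agents(conn, hosts, known_hosts):
    """Agent rows that are 10009 targets but not machines on our own inventory."""
    rows = conn.execute("SELECT Name FROM Agent").fetchall()
    return sorted({r[0] for r in rows if r[0].upper() in hosts and r[0].upper() not in known_hosts})


def remove_agents(conn, names, dry_run=True):
    """Delete the listed agents in one transaction; dry_run=True only reports."""
    if dry_run or not names:
        return 0
    with conn:  # commit on success, roll back if any statement fails
        cur = conn.executemany("DELETE FROM Agent WHERE Name = ?", [(n,) for n in names])
    return cur.rowcount


def run(messages, known_hosts, dry_run=True):
    """End-to-end: parse events, pick stale agents, optionally delete, report what is left."""
    conn = build_sample_db()
    names = stale_agents(conn, unreachable_hosts(messages), {h.upper() for h in known_hosts})
    deleted = remove_agents(conn, names, dry_run)
    remaining = [r[0] for r in conn.execute("SELECT Name FROM Agent ORDER BY Name")]
    return names, deleted, remaining
```

Run with `dry_run=True` first and compare the reported names against your own asset list before letting it delete anything.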

      +
      0 Votes
      Sven2157

      Glad you got it sorted out! ;-)
