Get that firewall up!

Comments on news posted 2003-08-11 19:30:36: It appears that a new worm (for now we're calling it msblast after its executable, msblast.exe) has surfaced today. ..


vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Port 135?!

Whoever has any numbers below 1024 open is really asking for it!

Matter of fact whoever has any ports open is asking for it!
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!


Rothan Tik
Premium
join:2000-11-07
Danvers, MA

Thanks for the heads up

port 135 blocked now, not that it wasn't already...
[text was edited by author 2003-08-11 19:35:54]


DaSneaky1D
one wall to block them all
Premium,MVM
join:2001-03-29
The Lou
I've been blocking ports 137-139 for quite the while now.

Bowersdmstec

join:2001-02-02
Washington, IL


reply to vic102482
Re: Port 135?!

Let me ask you this,

I run my Norton Anti Virus and keep it updated (Even though this is new, so I doubt Norton has updated itself for this as of yet) and also run my network at home behind NAT. What else can I do to take even more precautions in regards to this?

TIA,
Whiteice
[text was edited by author 2003-08-11 19:48:09]


nil
Java Geek
join:2000-11-27

reply to vic102482
said by vic102482:
Matter of fact whoever has any ports open is asking for it!

Oh, I don't know, I'd say my server would have some problems operating as a web/mail server w/o ports 80 and 25 open.. and of course I have to pick up my mail.. that's 110.. and have to get in there somehow! that's 22
--
Life is too short to be boring


Halo5

join:2000-07-20
Dayton, OH

It sure did

I work at a local ISP. We got a call about this about 4pm. By 5, we had over 20 people call in about the system wanting to shut down every 2-3 minutes due to a NT authoritative failure to talk to the RPC.

Better make my coffee extra strong tomorrow, gonna be a mess out there.
--
»www.thismodernworld.com A cartoon that tells it like it is.

kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
reply to DaSneaky1D
Re: Thanks for the heads up

You should block more than 137-139, you should block 135, 137-139, and 445 at the very least. Better yet, block everything incoming...


MrTangent

join:2001-12-28
Earth

reply to vic102482
Re: Port 135?!

said by vic102482:
Whoever has any numbers below 1024 open is really asking for it!

Matter of fact whoever has any ports open is asking for it!

Yeah, how dare anyone run an FTP on port 21 or a webserver on port 80! Those fools! I can't believe anyone would want to share information! Infidels! :P

I think the better statement would be:

Matter of fact whoever runs anything by Microsoft is asking for it!

And rightly so.

--
"War Is Peace. Freedom Is Slavery. Ignorance Is Strength"


Supafly
Premium
join:2000-07-15
Elk Grove, CA

Port 135 is not netbios.

The article is wrong, port 135 is not NetBIOS, those are reserved for 137-139.

Port 135: Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.

tsalesnyc

join:2000-08-12
Elmhurst, NY
Get Patched

»support.microsoft.com/default.as···s;823980


Halo5

join:2000-07-20
Dayton, OH

reply to Halo5
Re: It sure did

You should also have TCP port 4444 blocked.

Here's what Symantec has so far on this quick moving worm...

»securityresponse.symantec.com/av···orm.html
--
»www.thismodernworld.com A cartoon that tells it like it is.


mansoalamo

@adelphia.net
reply to DaSneaky1D
Re: Thanks for the heads up

My firewall has been taking hits all day on UDP port 135.


nil
Java Geek
join:2000-11-27

reply to Supafly
Re: Port 135 is not netbios.

The article isn't wrong.. it's just not as detailed as your post.. most security people lump 135/tcp in with NETBIOS even though it's not strictly the same thing.
--
Life is too short to be boring


Bobcat
Premium
join:2001-02-04
Bedminster, NJ
Detected by McAfee last week

This worm is detected by McAfee Viruscan's DAT files dated August 6.
See - »vil.nai.com/vil/content/v_100547.htm


twd660

join:2001-06-06
Huntington, WV
reply to Rothan Tik
Re: Thanks for the heads up

How do I block my ports? I'm using Sygate Pro, please help.


Supafly
Premium
join:2000-07-15
Elk Grove, CA
reply to nil
Re: Port 135 is not netbios.

Oh okay, I take it it's now part of the NetBIOS suite?


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by Supafly:
Oh okay, I take it it's now part of the NetBIOS suite?
It's "close enough" - though it's not strictly part of NETBIOS in the sense of file mapping and the like, it's so intricately related to "windows networking" that most of us have long considered RPC portmapper to be part of NETBIOS. Perhaps this is sloppy, but not much.

Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site

scsiguru

join:2000-11-18
Parkersburg, WV
I'm running a Sonicwall SOHO2

...by default everything is blocked. My log file is filling up fast with dropped hits on port 135...going to get really ugly out there...

GigahertZ420

join:2001-10-02
Fairbanks, AK

Discovered it this morning...

I got hit by this worm this morning. My roommate was playing Project IGI 2 when I saw for a brief second the message informing you that the system will shut down in 60 seconds. I told him to save the game and quit. Sure enough, as soon as he exited out of the game it rebooted.

When my computer came back up (XP PRO SP1) I noticed that the activity lights on my router were going nuts. I enabled the firewall packaged with XP and checked the log. Sure enough my computer was scanning class A networks in the 19.xx.xx.xx range on port 135. I checked my task manager and started killing things until the network traffic died. As soon as I killed MSBLAST.EXE my network traffic stopped. I did a search on my C drive and found 2 files - MSBLAST.EXE and MSBLAST.EXE-09FF84F2.pf a prefetch file.

I moved msblast.exe to my desktop and changed the extension from .exe to .txt

Subsequent running of the program prompted more network traffic, which was confirmed by my firewall logs.

So YES GET YOUR FIREWALLS UP!!

And do a search on your hard drive for 'msblast' to see if you have been infected, and delete it quickly.

I did a search on msblast.exe in all search engines and came up with nothing. I must have been one of the first hit by this worm. It is very small only 8K and the prefetch file is only 16K so it is easily propagated even on dialup.
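Added example (not part of the post above and not code from any poster): a short Python script that automates the log check described there, reporting any source address that contacts many different hosts on TCP port 135. The log layout, the sample records, and the names `parse_log`, `find_scanners` and `threshold` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample laid out like a Windows XP firewall log (pfirewall.log).
# All addresses are private or documentation ranges picked for illustration.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-11 09:14:50 DROP TCP 203.0.113.5 192.168.1.10 3120 135 48 S 1 0 16384 - - -
2003-08-11 09:14:52 DROP TCP 203.0.113.9 192.168.1.10 4410 135 48 S 1 0 16384 - - -
2003-08-11 09:15:01 OPEN TCP 192.168.1.10 198.51.100.1 1101 135 - - - - - - - -
2003-08-11 09:15:01 OPEN TCP 192.168.1.10 198.51.100.2 1102 135 - - - - - - - -
2003-08-11 09:15:02 OPEN TCP 192.168.1.10 198.51.100.3 1103 135 - - - - - - - -
2003-08-11 09:15:02 OPEN TCP 192.168.1.10 198.51.100.4 1104 135 - - - - - - - -
2003-08-11 09:15:03 OPEN TCP 192.168.1.10 198.51.100.5 1105 135 - - - - - - - -
2003-08-11 09:15:03 OPEN TCP 192.168.1.10 198.51.100.6 1106 135 - - - - - - - -
2003-08-11 09:15:05 OPEN TCP 192.168.1.10 192.0.2.80 1110 80 - - - - - - - -
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def find_scanners(text, port=135, threshold=5):
    """Return {src_ip: distinct destination count} for sources that reached
    out to `port` on at least `threshold` different addresses."""
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec.get("protocol") == "TCP" and rec.get("dst-port") == str(port):
            targets[rec["src-ip"]].add(rec["dst-ip"])
    # Inbound probes show many sources hitting one address, so each of those
    # sources has a fan-out of 1; an infected local host fans out to many.
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A local address in the result is the machine to pull off the network and clean; the threshold is a tuning knob, not a fixed rule.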


geierr
Computer Nut
Premium
join:2001-07-07
Yakima, WA
·Charter Pipeline

reply to vic102482
Re: Port 135?!

All of my ports are blocked using Norton Internet Security. Have been using this firewall for over two years now. A port check via the Symantec website lists all of my ports as "stealth." Anyone who uses the Internet, especially via a broadband connection is foolish to not be using a firewall.
--
Robert L. Geier