BangBang
join:2000-07-05
West New York, NJ
 ·RoadRunner Cable
| RPC exploits/scans Anyone else notice an explosion in scans from RR users?
Over the past 5 hrs I've had over 700 individual IP hits from RR users in the 24.168 block. If you are in this block which includes NYC,NJ,Staten Island, please check your system and make sure someone hasnt dropped a scanner into your system. | |
|
 |
|
Kip patterson
Premium
join:2000-10-23
Columbus, OH
| I am no longer getting hits, and the amount of ARP traffic is down to its usual 4/sec.
I used Shields UP to check port 135, and it appears to have been blocked inbound by RR.
Edit: I no sooner posted than I noticed that the activity light was on solid. The sniffer showed that it was an attack (60 per second) on the block (10.32.x.x) used locally for the cable-side modem IP addresses. It went away in a few minutes.
[text was edited by author 2003-08-12 04:58:08] | |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| RR is not blocking port 135 here in Hawaii. That port is open on my W98SE box as of about a week ago. I have been closing it each time I boot using Trojan Hunter's Process Viewer to terminate RPCSS.exe. Since this all started yesterday, I have rebooted periodically and checked to see if the port is open before terminating RPCSS.exe. It is still open (after rebooting) as of about one-half hour ago so I know RR is not filtering it here.
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning | |
|
 | 
Straphanger
Express is Back
Premium,Mod
join:2001-12-08
Jackson Heights, NY
clubs: | Re: RPC exploits/scans I thought this exploit did not apply to Win 9x systems. | |
|
| | |
| | |
Straphanger
Express is Back
Premium,Mod
join:2001-12-08
Jackson Heights, NY
clubs: | Re: RPC exploits/scans Ah Microsoft loves to protect its consumers. | |
|
| Kip patterson
Premium
join:2000-10-23
Columbus, OH
| I should have pointed out that the block was installed sometime late last night, between 10 pm and 4 am EDT. It would have to be blocked at the RDC, as there is no way to block it nationally at one place. I suppose it might be a local decision to do so. | |
|
| 
Qumahlin
Never Enough Time
Premium,MVM
join:2001-10-05
united state
| said by Mele20  :
RR is not blocking port 135 here in Hawaii. That port is open on my W98SE box as of about a week ago. I have been closing it each time I boot using Trojan Hunter's Process Viewer to terminate RPCSS.exe. Since this all started yesterday, I have rebooted periodically and checked to see if the port is open before terminating RPCSS.exe. It is still open (after rebooting) as of about one-half hour ago so I know RR is not filtering it here.
Instead of terminating RPcss (you are still vuln even after terminating the process) If you know you don't need RPC then disable it from the administrative tools.
--
Forum Posts:3100 | |
|
| | Mele20
Premium
join:2001-06-05
Hilo, HI
| Re: RPC exploits/scans Said by Qumahlin:
>Instead of terminating RPcss (you are still vuln even after terminating the process) If you know you don't need RPC then disable it from the administrative tools.
Why would I still be vulnerable after terminating RPCSS as that closes port 135 and I have no other ports open?
As far as I know, I don't need it. However, some application that I got recently must be using it, otherwise, why would port 135 suddenly have become open when it has always tested closed at GRC, PC Flank, HackerWhacker, etc.? I'm leery of changing the registry values until I can figure out how and why that port suddenly became open. I thought it was possibly the update for NOD32 which I just started using that was doing it, but I have been told no in the NOD32 official forum.
I can't disable from the OLE/COM Object Viewer because I get a strange error message when I try to access the Viewer. So, I would have to change the two values associated with this manually in the registry which I have been reluctant to do since I don't know what or why the port suddenly became open.
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning | |
|
| | | 
Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
Around, Us
·Comcast
| Re: RPC exploits/scans said by mele20:
I'm leery of changing the registry values until I can figure out how and why that port suddenly became open. I thought it was possibly the update for NOD32 which I just started using that was doing it, but I have been told no in the NOD32 official forum.
You could consider downloading....Port Explorer ....made available as a 60 day evaluation.
BTW....Gavin Coe\DiamondCS Analyst is a member at BBR.... Gavin_TH
said by DiamondCS:
What is Port Explorer?
Port Explorer allows you to see all the open ports on your system and what programs own them (called Port to Process mapping). Along with this ability it also has many tools including a packet sniffer, bandwidth throttling and country detection to name just a few. Port Explorer has an intuitive GUI that allows you to quickly see all the network activity your computer is involved in, and thanks to its ease of use is allowing people everywhere to do advanced network activities.
--
Hatred causes destruction....Love causes construction | |
|
| | | | Mele20
Premium
join:2001-06-05
Hilo, HI
| Re: RPC exploits/scans > You could consider downloading....Port Explorer ....made available as a 60 day evaluation.
Thank you Bubba. I did just that. Most interesting application! I didn't really learn anything though about why port 135 suddenly became open. Port Explorer simply reports that it is RPcss listening there which I already knew. That doesn't tell me why though it suddenly started listening on that port. What have I done to activate this? Port Explorer did confirm for me that port 1025 is also open because of RPcss. What exactly is port 1025 for? I see it is used to play a game called Blackjack. I suppose alot of things use this port? I can't use that part of the Port Explorer program....available only to registered users. Why doesn't GRC and PCFlank report 1025 as open also?
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning | |
|
|
Straphanger
Express is Back
Premium,Mod
join:2001-12-08
Jackson Heights, NY
clubs: | There's also a note about it on Neowin.net | |
|
rr_tech
join:2002-09-17
Orleans, ON | ports 135-139 and 445 will now be filtered. it may take some time for us to get this to all divisions but i would recommend downloading the patch from windowsupdate.com and blocking those ports on your firewall. | |
|
| psloss
Premium
join:2002-02-24
Alpharetta, GA
| Re: RPC exploits/scans said by rr_tech :
ports 135-139 and 445 will now be filtered. it may take some time for us to get this to all divisions but i would recommend downloading the patch from windowsupdate.com and blocking those ports on your firewall.
Do you know if the filtering is a permanent change?
Thanks,
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org | |
|
| | rr_tech
join:2002-09-17
Orleans, ON
| Re: RPC exploits/scans said by psloss :
said by rr_tech :
ports 135-139 and 445 will now be filtered. it may take some time for us to get this to all divisions but i would recommend downloading the patch from windowsupdate.com and blocking those ports on your firewall.
Do you know if the filtering is a permanent change?
Thanks,
Philip Sloss
looks like it right now, but that may change if it dies down. we will put special access lists up, if that will cause problems for your buisness account. i don't know what they will do about residential customers... probably nothing. to get your IP's on a special access lists, you can call and request it, if you're a buisness customer. | |
|
| | | psloss
Premium
join:2002-02-24
Alpharetta, GA
| Re: RPC exploits/scans said by rr_tech :
looks like it right now, but that may change if it dies down. we will put special access lists up, if that will cause problems for your buisness account. i don't know what they will do about residential customers... probably nothing. to get your IP's on a special access lists, you can call and request it, if you're a buisness customer.
Just a residential customer. Pretty much all the activity I've seen on the ports that are now blocked was malicious; the filters have caused all that to cease.
Thanks,
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org | |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| I just called the National Help Desk and got a recorded message telling me that if I was affected by the worm to call 1-877-909-8333 for recorded instructions. The message went on to say that the call volume was extremely high and that if I had other reasons for calling that I should expect to be on hold for a long time. I still see no evidence of filtering here in Hawaii and no update from yesterday's notice about the worm on our status page. I am strongly opposed to the filtering on a PERMANENT basis.
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning | |
|
| rr_tech
join:2002-09-17
Orleans, ON
| Re: RPC exploits/scans said by Mele20 :
I just called the National Help Desk and got a recorded message telling me that if I was affected by the worm to call 1-877-909-8333 for recorded instructions. The message went on to say that the call volume was extremely high and that if I had other reasons for calling that I should expect to be on hold for a long time. I still see no evidence of filtering here in Hawaii and no update from yesterday's notice about the worm on our status page. I am strongly opposed to the filtering on a PERMANENT basis.
yeah, i know for sure that the filters are in place in almost all divisions other than midsouth. no word on hawaii but it wasn't mentioned. i would imagine it'll either happen soon or never.
NHD  lol, that used to be me. sure glad i'm not working there now, although there have been many calls about this on commercial. i've never seen a virus with an impact on this scale. | |
|
| | Mele20
Premium
join:2001-06-05
Hilo, HI
| Re: RPC exploits/scans >yeah, i know for sure that the filters are in place in almost all divisions other than midsouth. no word on hawaii but it wasn't mentioned. i would imagine it'll either happen soon or never.
Well, I just rebooted and port 135 is still open until I use either Process Viewer in Trojan Hunter or Port Explorer to terminate RPCss.exe. I suppose Hawaii might be last since we are way out in the middle of the Pacific Ocean! Still no new notice on the local status page. I emailed csrsupport but haven't heard anything back.
Yeah...I might have talked you when you worked there! I don't call much as I have a direct, toll free number from the Big Island to tier 3 support at Oceanic on Oahu. I haven't called about this because I know they are swamped. It is not a large number of techs so I don't want to contribute to making their job even harder. I am very curious though to know if this filtering will be implemented here also. Guess I just have to wait and see.
Port 135 now tests "stealthed" (even though I have no firewall) at GRC so Hawaii RR now has the filtering implemented.
--
"Everything can be taken from a man or woman
but one thing: the last of the human freedoms
- to choose one's attitude in any given set of
circumstances, to choose one's destiny."
Victor Frankl - Man's Search for Meaning
[text was edited by author 2003-08-13 06:26:22] | |
|
| | | 
dib22
join:2002-01-27
Kansas City, MO | Re: RPC exploits/scans *cough nmap cough nmap* | |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| There's a report over in the Security forum that RR has ceased blocking port 135. Is this true? I can't check because I have disabled RPC in the registry so the port is closed for me no matter what RR does.
»port 135 alive again....
--
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning | |
|
| 
Konaguy
Live From Kailua-Kona, Hawaii
Premium
join:2000-10-21
Kailua Kona, HI
 ·Hawaiian Telcom
| Re: RPC exploits/scans said by Mele20 :
I have disabled RPC in the registry so the port is closed for me no matter what RR does.
Huh why did you do that ? As far as I understand
this virus doesn't effect Windows 9x- Only NT/2000/XP
--
Forum Posts: 1000 | |
|
| | Mele20
Premium
join:2001-06-05
Hilo, HI
| Re: RPC exploits/scans I test about once a month at GRC, DSLR, PC Flank, Hackerwhacker, etc. to make sure all my ports are closed because I haven't used a firewall in over a year. They have always tested closed at all test sites until suddenly about three weeks ago (before Blaster) I tested at GRC and port 135 was open! I confirmed this at the other test sites.
I don't how or why it became open. Even after RR closed it, it was open outbound which is strange because when I called National Help Desk a few days ago with modem trouble the technician read me the memo that was sent to them and the memo said that these ports were being blocked both in and outbound by RR and yet according to Port Explorer (which I downloaded the trial) port 135 was open outbound and I could see that it would go from the listening state to "established" every so often briefly. I could not determine what was using the port as it was so brief when it was in the established state and Port Explorer has some things crippled in the trial version.
I asked in this forum, Microsoft Help and Security about this and the best advice I got was to disable RPC in the registry which is what Microsoft advises if you don't need DCOM. I thought whatever was holding the port open would complain after I disabled RPC and then I would know what was using that port...but nothing has complained...so the whole thing remains a mystery. As soon as I killed the process (this was before RR closed port 135) using either Port Explorer or Trojan Hunter (which I also downloaded the trial in case I had acquired a Trojan that opened port 135), the port would test closed at GRC, etc. but outbound 135 remained open in Port Explorer. It remained open outbound also after RR closed the port so I finally killed RPC for good in the registry. (Well, not necessarily for good as it is easy to change the values back to yes).
BTW, did you see my thread »Modem power level?? Does it seem odd to you? Do you know if Oceanic has been doing anything that would suddenly cause this much change (for the better...but still...I think it more likely that the modem is not reporting properly and it trips off line frequently now).
--
"Everything can be taken from a man or woman
but one thing: the last of the human freedoms
- to choose one's attitude in any given set of
circumstances, to choose one's destiny."
Victor Frankl - Man's Search for Meaning
[text was edited by author 2003-08-23 05:04:29] | |
|
| | |
Konaguy
Live From Kailua-Kona, Hawaii
Premium
join:2000-10-21
Kailua Kona, HI | Re: RPC exploits/scans I tested my computer at GRC and port 135 is stealthed.
(But I have a D-Link router)
--
Forum Posts: 1000 | |
|
| Kip patterson
Premium
join:2000-10-23
Columbus, OH | I think it is still closed. Testing reports it as stealth. Packet sniffing shows a lot of pings from machines not on RR that are NOT followed by port 135 probes. I do see port 135 probes from machines on RR.
I'm in Columbus, OH | |
|
pharcide
join:2002-07-30
Houston, TX | in houston at least we had to remove the port filtering because our UBR's are over 90% utilization
--
I came here to chew bubblegum and kick ass... I'm all out of bubble gum! | |
|
|
|
|
