Whiteice510
join:2001-02-02 Canyon Country, CA
·DSL EXTREME
edited
Re: Port 135?!
Let me ask you this,
I run my Norton Anti Virus and keep it updated (even though this is new, so I doubt Norton has updated itself for this as of yet) and also run my network at home behind NAT. What else can I do to take even more precautions in regards to this?
TIA, Whiteice
[text was edited by author 2003-08-11 19:48:09]

vic102482 Premium
join:2002-04-30 Upper Marlboro, MD
·Verizon FIOS
Re: Port 135?!
said by Whiteice510: Let me ask you this,
I run my Norton Anti Virus and keep it updated (even though this is new, so I doubt Norton has updated itself for this as of yet) and also run my network at home behind NAT. What else can I do to take even more precautions in regards to this?
TIA, Whiteice
If you are behind NAT then you are pretty much okay, if you don't have port 135 forwarded to any computers for a VPN or something (not required anyways because of the tunnelling blah blah blah).
So you should be fine. Only people running their machines with ports open like others here, or with no NAT firewall at all, would have something to worry about.
You really don't even need a software firewall with NAT, but it depends on your browsing habits. I only get email from 10 people tops, no attachments (mostly) and never any .vbs, .exe, .pl or whatever that can execute.
-- 10,000+ Posts and counting. You ain't gonna stop me!!!! w00t!!

Give Me A Break
@63.226.x.x
Dazzled by Brilliance!
Quote: If you are behind NAT then you are pretty much okay.
I would call you an idiot, but based on your other posts here that would seem redundant!

vic102482 Premium
join:2002-04-30 Upper Marlboro, MD
·Verizon FIOS
Re: Dazzled by Brilliance!
said by Give Me A Break: Quote: If you are behind NAT then you are pretty much okay.
I would call you an idiot, but based on your other posts here that would seem redundant!
????
Um, yeah, okay..... Anyways, I have no firewall, no antivirus software, no Windows XP patches, and I am fine. Call me an idiot if you want, but at least I'm not one with worms, anonymous coward! :)
-- 10,000+ Posts and counting. You ain't gonna stop me!!!! w00t!!

MrTangent
join:2001-12-28 Earth
Re: Dazzled by Brilliance!
Don't worry about him, vic382398826. Just another anonymous person.
-- "War Is Peace. Freedom Is Slavery. Ignorance Is Strength"

redstepchild Premium
join:2002-01-04 Birmingham, AL
Check out the W32.Blaster.Worm diaries: isc.sans.org/diary.html?date=2003-08-11
All the techy stuff you could ask for related to this worm.
-- I'm a Cable girl.. In a Cable World..... RedStepChild@dslr.net

MrTangent
join:2001-12-28 Earth
said by vic102482: Whoever has any numbers below 1024 open is really asking for it!
Matter of fact whoever has any ports open is asking for it!
Yeah, how dare anyone run an FTP on port 21 or a webserver on port 80! Those fools! I can't believe anyone would want to share information! Infidels! :P
I think the better statement would be:
Matter of fact whoever runs anything by Microsoft is asking for it!
And rightly so.
-- "War Is Peace. Freedom Is Slavery. Ignorance Is Strength"

vic102482 Premium
join:2002-04-30 Upper Marlboro, MD
·Verizon FIOS
Re: Port 135?!
said by MrTangent: said by vic102482: Whoever has any numbers below 1024 open is really asking for it!
Matter of fact whoever has any ports open is asking for it!
Yeah, how dare anyone run an FTP on port 21 or a webserver on port 80! Those fools! I can't believe anyone would want to share information! Infidels! :P
I think the better statement would be:
Matter of fact whoever runs anything by Microsoft is asking for it!
And rightly so.
Blah blah blah, shame on you and nil, you guys know what I mean :p lol
If you are browsing the web with no NAT or firewall, then you are asking for it!
How's that? MasterMrtangent. :p
-- 10,000+ Posts and counting. You ain't gonna stop me!!!! w00t!!

museheart Premium
join:2002-08-11 Hazel Green, AL
Re: Port 135?!
said by vic102482: said by museheart: Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.
I had Linksys hooked up but due to some computer diagnostics it isn't right now. I ended up having to re-format the hard drive.
Guess I should hook it back up post haste?
Peace,
Yeah, keep the Linksys on at all times. I had only 1 computer and I had a NAT box. I don't ever update my machine unless I need to. I haven't updated ANY of my computers to patch the worm because I am behind NAT. The firewall is good in case it somehow makes it onto your network; you will see it trying to download the meat and potatoes to your computer. The msblast.exe alone doesn't harm your machine (or so others say), only when it can get out onto the web and start wreaking havoc on your connection. NATs really can't protect against outgoing connections (although you can block incoming and outgoing ports).
So I'm going to hook it up. What ports, if any, should I block (and how) on the Linksys?
When you say keep the Linksys on at all times, do you mean as well as the modem? Someone told me to keep them both on all the time and I thought they were an idiot.
I used to always keep the Linksys on but turn the modem off, sometimes unplug it.
Thanks,
-- MuSe
Visit Fighting Back! - Quick links to the best freeware anywhere! »home.mchsi.com/~museheart/fight.html

Alky
join:2001-08-12 Cleveland, OH
Hee hee! Why would anyone even own a PC, for that matter? 95% of worms, virii, and nasty scripts are written for the M$ platform. The other 5% are divvied up between Mac and Linux. I haven't run a virus scanner on my Mac in years. My PC I find I'm constantly checking for all kinds of crap. I spend more time doing maintenance on it than anything else. What fun is there in that? I'm way more productive on my Mac.

DogmaBast
@206.169.x.x
from: rchandra
Re: Port 135?!
Alky-
You are preaching to the choir here. My desk is surrounded with 2 Macs (G3/G4 OSX) and 1 Intel Linux (RedHat 9) desktop, 1 Linux RedHat notebook.
(Almost) everyone in my office building is running around like heads with their chickens cut off. Some offices have high-end firewalling using outboard NetScreen & IPIX iron, but the worm still got through.
Here is the funny part; I had a scheduled sales presentation (remote data disaster recovery services) today and one of the "competitors" whose pitch was 2 hours before mine ran my meeting late... his laptop PP presentation wouldn't fly... his PC laptop kept going into a forced shutdown. My StarOffice demo ran like clockwork.
Why people continue to put up with this "platform" escapes me.

murdok6100 Avatar. Get It, Avatar?
join:2002-06-20
said by MrTangent: Matter of fact whoever runs anything by Microsoft is asking for it!
And rightly so.
Oh but of course (good one!)
Murdok610

geierr Computer Nut Premium
join:2001-07-07 Yakima, WA
·Charter Pipeline
All of my ports are blocked using Norton Internet Security. Have been using this firewall for over two years now. A port check via the Symantec website lists all of my ports as "stealth." Anyone who uses the Internet, especially via a broadband connection, is foolish to not be using a firewall.
-- Robert L. Geier

cableblows
join:2001-06-17 Indianapolis, IN
Re: Port 135?!
said by geierr: All of my ports are blocked using Norton Internet Security. Have been using this firewall for over two years now. A port check via the Symantec website lists all of my ports as "stealth." Anyone who uses the Internet, especially via a broadband connection, is foolish to not be using a firewall.
Good reading and a port scan: »grc.com/np/pa-features.htm
»grc.com/default.htm

FLea973 Premium
join:2001-02-27 Morristown, NJ
Re: Port 135?!
cableblows, said by »grc.com/np/pa-features.htm: The steadily decreasing security of the industry's most prevalent operating system (Microsoft Windows) warrants more comprehensive testing.
A good read... a humorous one too - and to think Microsoft is "focusing" on making very secure software... funny, I felt safer when they weren't focusing on it.

Myrrdin
join:2003-02-13 Atlantis
A lot of home users don't use NATs like Linksys because they only have one PC, and they don't download software like Zone Alarm because they aren't aware they need it.
I just cleaned this off of two systems today (not my own). First was around 3pm, the second was around 6pm.

wtansill Ncc1701
join:2000-10-10 Falls Church, VA
Re: Port 135?!
Well, my SMC Barricade is blocking things nicely... Lots of log hits, no responses to the originating queries...
-- That which does not kill me merely prolongs the agony.

hubs187
join:2003-01-21 Lisle, IL
I got hit by it this morning..... If I've already been infected, is there anything I can do to get it out... or quarantined?..... I put up my built-in Windows firewall, is that enough?..... Now how do I stop it from infecting other computers from mine? Please respond.

Myrrdin
join:2003-02-13 Atlantis
Re: Port 135?!
Disable System Restore if using XP or Windows ME.
Open the registry editor, go to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Delete the entry for Windows Update which has a value that executes MSBLAST.EXE.
Restart in safe mode, delete the file MSBLAST.exe from C:\Windows\System32 or C:\Winnt\system32.
Reboot and then apply the patch from Windows Update and update antivirus software.

biggoofball
join:2003-07-07 Clarkson, KY
I will have to check my system... thanks for the info.

Neophyte101 All Your E-Mail Are Belong To Us
join:2002-01-02 Deep River, CT
quote: Matter of fact whoever has any ports open is asking for it!
Yeah ok... did you even realize that if you NEVER EVER had ports open you would NEVER EVER be able to do anything on the internet? Web browsers open ports to transfer data... so do IM clients, FTP clients, multiplayer games and every other piece of software that transfers data over a network.

vic102482 Premium
join:2002-04-30 Upper Marlboro, MD
·Verizon FIOS
Re: Port 135?!
said by Neophyte101: quote: Matter of fact whoever has any ports open is asking for it!
Yeah ok... did you even realize that if you NEVER EVER had ports open you would NEVER EVER be able to do anything on the internet? Web browsers open ports to transfer data... so do IM clients, FTP clients, multiplayer games and every other piece of software that transfers data over a network.
See above, smarty pants. ;)
-- 10,000+ Posts and counting. You ain't gonna stop me!!!! w00t!!

jgoldring
join:2002-03-11 Burlington, ON
For Christ's sake... take your hit (IF ANY!). MS has patches out that make up for most common problems. Port 135? Yes, and anything around that!! Netbios is an issue, MS knows it, and you are just re-starting a simple problem to begin with.
J.

Maggs Premium
join:2002-11-29 Woodside, NY
Re: Port 135?!
MS patches fudged my PC 3 times. I would be careful installing Service Pack 1, or Satan's Paradise 1 as I call it, for messing up my PC 3 times.
-- Let's get right to the .

jennjen
join:2003-08-12 Rohnert Park, CA
I'm sorry.. but I'm not too computer literate. I have the worm and it keeps replicating itself in my system. I delete the file (msblast.exe) but it comes back again and again. I must not have a firewall up. Can someone please guide me through the procedure?
Thank you.

crazylike
join:2003-08-12 canada
You need to lock the door.
Go to the Start button, then Control Panel, then Performance and Maintenance, then Administrative Tools, then Computer Management. Under Administrative Tools click Local Users and Groups in the left-hand side; on the right-hand side it will show a list of different logins to your computer. Delete any you did not make. The 2 that it will not allow deletion of (one is Administrator, the other a Guest account), password protect them. Then go to c:\winnt\system32, look for msblast.exe and delete it, then go to the registry and delete the reg key for it there. Then go back to the system32 directory and look for any folders with out-of-place names like (inetserv comserv saved uploads dloads). You should also check for files and folders in the c:\winnt\system32\drivers\etc folder. You could do a search for files ending in .sah .bak .pid .bat; these files are common to sdbots and to msblast.exe, as there seems to be 3 parts to this bot: 1st an ftp, 2nd an irc xdccbot, 3rd a self-contained scanner and auto rooter. Very fancy piece of programming, too bad I found all three pieces, man people will be mad at me lol

crazylike
join:2003-08-12 canada
People, just go to Computer Management and then to the subdir User and Group Accounts, close and password all your accounts and delete the ones that Windows makes at install. Then go find the msblast as you call it, it's actually a sdbot. You can remove it by finding the host folder; it usually is c:\winnt\system32\drivers\etc or c:\winnt\system32\config. Best idea is look for folders that just do not belong, eg Certserv or Jobs Cpuidle. These folders will be in the system32 folder so look there; they will be hidden folders and files. Look in the reg and edit the HKEY which controls rundll32.exe. Microsoft does know about this problem but chooses not to fix it.

RedPhoenix Premium
join:2000-11-07 Danvers, MA
edited
Thanks for the heads up, port 135 blocked now, not that it wasn't already...
[text was edited by author 2003-08-11 19:35:54]

DaSneaky1D Tell me, where is your father? Premium, MVM
join:2001-03-29 The Lou
I've been blocking ports 137-139 for quite the while now.

kpatz Premium
join:2003-06-13 Manchester, NH
Re: Thanks for the heads up
You should block more than 137-139; you should block 135, 137-139, and 445 at the very least. Better yet, block everything incoming...

mansoalamo
@adelphia.net
My firewall has been taking hits all day on UDP port 135.

Supafly Premium
join:2000-07-15 Lancaster, CA
The article is wrong, port 135 is not NetBIOS; those are reserved for 137-139.
Port 135: Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.

nil Java Geek
join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
Re: Port 135 is not netbios.
The article isn't wrong.. it's just not as detailed as your post.. most security people lump 135/tcp in with NETBIOS even though it's not strictly the same thing.
-- Life is too short to be boring

Supafly Premium
join:2000-07-15 Lancaster, CA
Re: Port 135 is not netbios.
Oh okay, I take it it's now part of the NetBIOS suite?

Steve SAS-70 is extortion Consultant
join:2001-03-10 Tustin, CA
Re: Port 135 is not netbios.
said by Supafly: Oh okay, I take it it's now part of the NetBIOS suite?
It's "close enough" - though it's not strictly part of NETBIOS in the sense of file mapping and the like, it's so intricately related to "windows networking" that most of us have long considered RPC portmapper to be part of NETBIOS. Perhaps this is sloppy, but not much.
Steve
-- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site

scsiguru
join:2000-11-18 Parkersburg, WV
...by default everything is blocked. My log file is filling up fast with dropped hits on port 135... going to get really ugly out there...

cableblows
join:2001-06-17 Indianapolis, IN
Re: I'm running a Sonicwall SOHO2
said by scsiguru: ...by default everything is blocked. My log file is filling up fast with dropped hits on port 135... going to get really ugly out there...
135 and 6882 here on a D-Link router. All ports show stealth besides 113 ident, tho' it shows closed. So safe for now.

GigahertZ420
join:2001-10-02 Fairbanks, AK
I got hit by this worm this morning. My roommate was playing Project IGI 2 when I saw for a brief second the message informing you that the system will shut down in 60 seconds. I told him to save the game and quit. Sure enough, as soon as he exited out of the game it rebooted.
When my computer came back up (XP PRO SP1) I noticed that the activity lights on my router were going nuts. I enabled the firewall packaged with XP and checked the log. Sure enough, my computer was scanning class A networks in the 19.xx.xx.xx range on port 135. I checked my task manager and started killing things until the network traffic died. As soon as I killed MSBLAST.EXE my network traffic stopped. I did a search on my C drive and found 2 files: MSBLAST.EXE and MSBLAST.EXE-09FF84F2.pf, a prefetch file.
I moved msblast.exe to my desktop and changed the extension from .exe to .txt.
Subsequent running of the program prompted more network traffic, which was confirmed by my firewall logs.
So YES, GET YOUR FIREWALLS UP!!
And do a search on your hard drive for 'msblast' to see if you have been infected, and delete it quickly.
I did a search on msblast.exe in all search engines and came up with nothing. I must have been one of the first hit by this worm. It is very small, only 8K, and the prefetch file is only 16K, so it is easily propagated even on dialup.

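The firewall-log check the post above describes, as an added example that is not part of this thread: it parses constructed pfirewall.log-style lines (the field order is assumed from the Windows XP firewall's W3C layout; the addresses and times are made up) and flags a LAN host that opens connections to many distinct addresses on 135/tcp within a short window, while tallying dropped inbound 135/tcp probes separately.

```python
from collections import defaultdict
from datetime import datetime

# Assumed pfirewall.log field order (XP Internet Connection Firewall, W3C layout).
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info")
PAD = " - - - - - - - -"  # unused tcp/icmp columns on OPEN entries


def build_sample_log():
    """Constructed sample, not a real capture: one LAN host sweeping consecutive
    19.x.x.x addresses on 135/tcp, benign traffic, and dropped inbound probes."""
    sweep = [f"2003-08-11 19:02:{1 + i // 4:02d} OPEN TCP 192.168.1.20 19.12.4.{i + 1} "
             f"{1102 + i} 135{PAD}" for i in range(12)]
    benign = [f"2003-08-11 19:02:02 OPEN TCP 192.168.1.20 64.233.161.99 1200 80{PAD}",
              # one RPC endpoint-mapper lookup between two LAN hosts is not a sweep
              f"2003-08-11 19:02:03 OPEN TCP 192.168.1.21 192.168.1.20 1050 135{PAD}"]
    drops = [f"2003-08-11 19:03:{10 + i:02d} DROP TCP 24.8.{i}.77 192.168.1.20 3000 135 "
             f"48 S 1000 0 65535 - - RECEIVE" for i in range(3)]
    return "\n".join(["#Fields: " + FIELDS] + sweep + benign + drops)


def parse_log(text):
    """Yield one dict per data line; the '#Fields:' header supplies column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields and len(line.split()) >= 8:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec


def find_port135_sweeps(records, window_seconds=60, min_targets=10):
    """src-ip -> most distinct 135/tcp destinations opened inside any window_seconds
    span, reported only for hosts that reach at least min_targets addresses."""
    by_src = defaultdict(list)
    for r in records:
        if r["action"] == "OPEN" and r["protocol"] == "TCP" and r["dst-port"] == "135":
            by_src[r["src-ip"]].append((r["ts"], r["dst-ip"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for ts, d in events[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def inbound_135_drops(records):
    """Dropped inbound 135/tcp probes per remote source (the 'log filling up' view)."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "DROP" and r["protocol"] == "TCP" and r["dst-port"] == "135":
            counts[r["src-ip"]] += 1
    return dict(counts)
```

On the constructed sample, 192.168.1.20 is the only host flagged (12 distinct targets in under a minute), while the single LAN-to-LAN endpoint-mapper lookup from 192.168.1.21 stays below the threshold.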
crazylike
join:2003-08-12 canada
You sound like ya smart, do this, be safe
Don't just patch it... This is your puter, not your driveway, people.. Go to Computer Management and password the Administrator account you didn't make, then delete all accounts that you didn't make, then send a note to M$ saying how much you appreciate their leaving open doors in your OS and not telling you...

alanhdsl Premium
join:1999-10-09 Phoenix, AZ
Re: You sound like ya smart, do this, be safe
Changing the administrator password won't help in this case. This worm works by hijacking a process (DCOM server) that's already running as administrator. Once it's running in place of the DCOM code, it can do whatever it wants, no password required.

museheart Premium
join:2002-08-11 Hazel Green, AL
How do you disable prefetch? I mean you don't really need it, do you?
Peace,

crazylike
join:2003-08-12 canada
As I said, you must remove the file. But if you do not close the Administrator password then they will just keep rerooting your computer, trust me, I know how this worm as you call it is passed.. It is not a worm, it is a trojan designed to serve MIRC. It is designed to root new hosts etc, but it also serves movies, games and whatever else its master wants it to serve. If you remove the reg key and you delete the files and close the admin account, it will stop the bot... I have posted other responses with very precise instructions as to how to stop these intrusions...

simkar
join:2002-09-30 Monroe Township, NJ
Today 2 of my friends told me of this problem; sounded weird, their computer would shut down after a time-limit thing expired.
I thought it was a coincidence, then later THREE more of my friends told me they had the same thing going on. I KNEW this was something new, and it looks like I was right.

alex69s Alex S
join:2002-03-02 Richmond Hill, ON
edited
I have this problem too, but after installing a firewall it was fixed. Later, I installed this patch: »www.microsoft.com/technet/treevi···-026.asp, turned off my firewall, and it was fixed as well.
[text was edited by author 2003-08-11 20:55:33]

stupergenius Stop Drinking That Whiskey.
join:2002-01-20 Thornville, OH
I just finished building my PC this weekend and haven't had time to set up my firewall or anything yet, and guess what happened today, a friggan virus, oh that's just great.

scsiguru
join:2000-11-18 Parkersburg, WV
Re: Well this sucks.
Isn't Thornville, OH near Lancaster? D/L a free firewall program... it's better than nothing.