Get that firewall up!
New worm on the loose
(old news - 07:30PM Monday Aug 11 2003)
tags: security
It appears that a new worm (for now we're calling it msblast, after its executable, msblast.exe) has surfaced today. It attacks port 135/tcp (that's NetBIOS), creates lots of RPC noise (some users report random machine shutdowns and reboots) and, once it takes up residence in your computer, proceeds to scan a random IP range and propagate itself to unprotected machines. Since this worm is brand-spanking new it may not be detected even by recently updated anti-virus software, so get that firewall up and secured!

Based on analysis posted by users psloss and Steve in our security forum, this worm will start a DDoS attack against port 80/tcp (which is basically web) of windowsupdate.com on August 16th. In other words, if you wanted to update your Windows this weekend, today may be a good day to do it after all.

Check out the ongoing thread in our Security Forum for newest analysis and information.

vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Port 135?!

Whoever has any numbers below 1024 open is really asking for it!

Matter of fact whoever has any ports open is asking for it!
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!
Whiteice510

join:2001-02-02
Canyon Country, CA


Re: Port 135?!

Let me ask you this,

I run my Norton Anti Virus and keep it updated (Even though this is new, so I doubt Norton has updated itself for this as of yet) and also run my network at home behind NAT. What else can I do to take even more precautions in regards to this?

TIA,
Whiteice
[text was edited by author 2003-08-11 19:48:09]
vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Re: Port 135?!

said by Whiteice510 See Profile:
Let me ask you this,

I run my Norton Anti Virus and keep it updated (Even though this is new, so I doubt Norton has updated itself for this as of yet) and also run my network at home behind NAT. What else can I do to take even more precautions in regards to this?

TIA,
Whiteice


If you are behind NAT then you are pretty much okay, if you don't have port 135 forwarded to any computers for a VPN or something (not required anyway because of the tunnelling blah blah blah).

So you should be fine. Only people running their machines with ports open like others here, or no NAT firewalls at all, would have something to worry about.

You really don't even need a software firewall with NAT but it depends on your browsing habits. I only get email from 10 people tops, no attachments (mostly) and never any .vbs, .exe, .pl or whatever that can execute.
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!

Give Me A Break

@63.226.x.x

Dazzled by Brilliance !

Quote : If you are behind NAT that you are pretty much okay.

I would call you an idiot, but based on your other posts here that would seem redundant !
vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Re: Dazzled by Brilliance !

said by Give Me A Break:
Quote : If you are behind NAT that you are pretty much okay.

I would call you an idiot, but based on your other posts here that would seem redundant !
????

Um yeah okay.....NEways, I have no firewall, no antivirus software, no Windows XP patches, and I am fine. Call me an idiot if you want, but at least I'm not one with worms, anonymous coward! :)
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!

MrTangent

join:2001-12-28
Earth

Re: Dazzled by Brilliance !

Don't worry about him, vic382398826. Just another anonymous person.

--
"War Is Peace. Freedom Is Slavery. Ignorance Is Strength"
vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Re: Dazzled by Brilliance !

said by MrTangent See Profile:
Don't worry about him, vic382398826. Just another anonymous person.


It could have been you that made that post;).
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!

nil
Java Geek
join:2000-11-27

Host:
Webmasters and Dev..
Forum Feature Requ..
said by vic102482 See Profile:
Matter of fact whoever has any ports open is asking for it!

Oh, I don't know, I'd say my server would have some problems operating as a web/mail server w/o ports 80 and 25 open.. and of course I have to pick up my mail.. that's 110.. and have to get in there somehow! that's 22
--
Life is too short to be boring

Maggs
Premium
join:2002-11-29
Woodside, NY
·RCN CABLE


Re: Port 135?!

Sounds like the football calls. Blue 80, Blue 22 Hike. I got my Linky up and running, My Norton AV fully updated, Zone Alarm going, and for safe measure, why not try a fresh & friendly DSLR port scan. Have the techies run free if I don't secure it. GOD I hope I don't have to reformat again its been my 3rd time this month, since I installed Satan's Pack I from Windows Update.
--
Let's get right to the .

[text was edited by author 2003-08-11 23:26:19]

tenebrion

join:2001-12-12
Rancho Palos Verdes, CA

Re: Port 135?!

I had a friend of mine running ZoneAlarm, and I don't know how, but it got past it.

Maggs
Premium
join:2002-11-29
Woodside, NY
Here's a great site to check to see if your computer is open to attack.

»stealthtests.lockdowncorp.com/
--
Let's get right to the .

redstepchild
Premium
join:2002-01-04
Birmingham, AL

check out the W32.Blaster.Worm diaries

isc.sans.org/diary.html?date=2003-08-11

all the techy stuff you could ask for related to this worm.
--
I'm a Cable girl.. In a Cable World.....RedStepChild@dslr.net

MrTangent

join:2001-12-28
Earth

said by vic102482 See Profile:
Whoever has any numbers below 1024 open is really asking for it!

Matter of fact whoever has any ports open is asking for it!

Yeah, how dare anyone run an FTP on port 21 or a webserver on port 80! Those fools! I can't believe anyone would want to share information! Infidels! :P

I think the better statement would be:

Matter of fact whoever runs anything by Microsoft is asking for it!

And rightly so.

--
"War Is Peace. Freedom Is Slavery. Ignorance Is Strength"
vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Re: Port 135?!

said by MrTangent See Profile:
said by vic102482 See Profile:
Whoever has any numbers below 1024 open is really asking for it!

Matter of fact whoever has any ports open is asking for it!

Yeah, how dare anyone run an FTP on port 21 or a webserver on port 80! Those fools! I can't believe anyone would want to share information! Infidels! :P

I think the better statement would be:

Matter of fact whoever runs anything by Microsoft is asking for it!

And rightly so.


Blah blah blah, shame on you and nil, you guys know what I mean:p lol

If you are browsing the web with no NAT or Firewall, then you are asking for it!

Hows that? MasterMrtangent.:p
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!

museheart
Premium
join:2002-08-11
Hazel Green, AL

Re: Port 135?!

said by vic102482 See Profile:
said by MrTangent See Profile:
said by vic102482 See Profile:
Whoever has any numbers below 1024 open is really asking for it!

If you are browsing the web with no NAT or Firewall, then you are asking for it!

Hows that? MasterMrtangent.:p

Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.

I had Linksys hooked up but due to some computer diagnostics it isn't right now. I ended up having to re-format the hard drive.

Guess I should hook it back up post haste?

Peace,

--
MuSe

Visit Fighting Back! - Quick links to the best freeware anywhere!
»home.mchsi.com/~museheart/fight.html
vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Re: Port 135?!

said by museheart See Profile:
said by vic102482 See Profile:
said by MrTangent See Profile:
said by vic102482 See Profile:
Whoever has any numbers below 1024 open is really asking for it!

If you are browsing the web with no NAT or Firewall, then you are asking for it!

Hows that? MasterMrtangent.:p

Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.

I had Linksys hooked up but due to some computer diagnostics it isn't right now. I ended up having to re-format the hard drive.

Guess I should hook it back up post haste?

Peace,


Yeah keep the Linksys on at all times. I had only 1 computer and I had a NAT box. I don't ever update my machine unless I need to. I haven't updated ANY of my computers to patch the worm because I am behind NAT. The firewall is good in case it somehow makes it onto your network; you will see it trying to download the meat and potatoes to your computer. The msblast.exe alone doesn't harm your machine (or so others say), only when it can get out onto the web and start wreaking havoc on your connection. NATs really can't protect against outgoing connections (although you can block incoming and outgoing ports).
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!

museheart
Premium
join:2002-08-11
Hazel Green, AL

Re: Port 135?!

said by vic102482 See Profile:
said by museheart See Profile:
Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.

I had Linksys hooked up but due to some computer diagnostics it isn't right now. I ended up having to re-format the hard drive.

Guess I should hook it back up post haste?

Peace,


Yeah keep the Linksys on at all times. I had only 1 computer and I had a NAT box. I don't ever update my machine unless I need to. I haven't updated ANY of my computers to patch the worm because I am behind NAT. The firewall is good in case it somehow makes it onto your network; you will see it trying to download the meat and potatoes to your computer. The msblast.exe alone doesn't harm your machine (or so others say), only when it can get out onto the web and start wreaking havoc on your connection. NATs really can't protect against outgoing connections (although you can block incoming and outgoing ports).

So I'm going to hook it up. What ports if any should I block (and how) on the Linksys?

When you say keep the Linksys on at all times, do you mean as well as the modem? Someone told me to keep them both on all the time and I thought they were an idiot.

I used to always keep the Linksys on but turn the modem off, sometimes un-plug it.

Thanks,
--
MuSe

Visit Fighting Back! - Quick links to the best freeware anywhere!
»home.mchsi.com/~museheart/fight.html
Alky

join:2001-08-12
Cleveland, OH

Hee hee! Why would anyone even own a PC for that matter? 95% of worms, virii, and nasty scripts are written for the M$ platform. The other 5% are divvied up between Mac and Linux. I haven't run a virus scanner on my Mac in years. My PC I find I'm constantly checking for all kinds of crap. I spend more time doing maintenance on it than anything else. What fun is there in that? I'm way more productive on my Mac.

DogmaBast

@206.169.x.x


from:
rchandra See Profile

Re: Port 135?!

Alky-

You are preaching to the choir here. My desk is surrounded with 2 Macs (G3/G4 OSX) and 1 Intel Linux (RedHat 9) desktop, 1 Linux RedHat notebook.

(almost) Everyone in my office building is running around like heads with their chickens cut off. Some offices have high-end firewalling using outboard NetScreen & IPIX iron, but the worm still got through.

Here is the funny part; I had a scheduled sales presentation (remote data disaster recovery services) today and one of the "competitors" whose pitch was 2 hours before mine ran my meeting late...his laptop PP presentation wouldn't fly...his PC laptop kept going into a forced shutdown. My StarOffice demo ran like clockwork.

Why people continue to put up with this "platform" escapes me.
ricep5
Premium
join:2000-08-07
Jacksonville, FL
·AT&T CallVantage
·Comcast Formerly ..

Hey Alky,

Thats the same argument most people have used just before they got AIDS.

"Hey, I only get involved with 5% of the people I date, I am OK" "What fun is there in protection" "I am way more active doing it my way"

Oops, sorry we are talking about computers, not people here.

murdok6100
Avatar. Get It, Avatar?

join:2002-06-20

said by MrTangent See Profile:
Matter of fact whoever runs anything by Microsoft is asking for it!

And rightly so.


Oh but of course (good one!)

Murdok610

geierr
Computer Nut
Premium
join:2001-07-07
Yakima, WA
·Charter Pipeline

All of my ports are blocked using Norton Internet Security. Have been using this firewall for over two years now. A port check via the Symantec website lists all of my ports as "stealth." Anyone who uses the Internet, especially via a broadband connection is foolish to not be using a firewall.
--
Robert L. Geier
cableblows3

join:2001-06-17
Indianapolis, IN

Re: Port 135?!

said by geierr See Profile:
All of my ports are blocked using Norton Internet Security. Have been using this firewall for over two years now. A port check via the Symantec website lists all of my ports as "stealth." Anyone who uses the Internet, especially via a broadband connection is foolish to not be using a firewall.

good reading and a port scan
»grc.com/np/pa-features.htm

»grc.com/default.htm

FLea973
Premium
join:2001-02-27
Morristown, NJ

Re: Port 135?!

cableblows3 See Profile
said by »grc.com/np/pa-features.htm :
The steadily decreasing security of the industry's most prevalent operating system (Microsoft Windows) warrants more comprehensive testing.
A good read... a humorous one too - and to think Microsoft is "focusing" on making very secure software... funny I felt safer when they weren't focusing on it.
x____

join:2003-02-13
____

A lot of home users don't use NATs like linksys because they only have one PC and they don't download software like Zone Alarm because they aren't aware they need it.

I just cleaned this off of two systems today (not my own).
First was around 3pm the second was around 6pm.
wtansill
Ncc1701

join:2000-10-10
Falls Church, VA

Re: Port 135?!

Well, my SMC Barricade is blocking things nicely... Lots of log hits, no responses to the originating queries...
--
That which does not kill me merely prolongs the agony.
hubs187

join:2003-01-21
Lisle, IL

I got hit by it this morning..... If I've already been infected is there anything I can do to get it out... or quarantined?..... I put up my built-in Windows firewall, is that enough..... Now how do I stop it from infecting other computers from mine? Please respond
x____

join:2003-02-13
____

Re: Port 135?!

Disable System Restore if using XP or Windows ME.

Open the registry editor and go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

delete the entry for Windows Update which has a value that executes MSBLAST.EXE

Restart in safe mode, delete the file MSBLAST.exe from C:\Windows\System32
or
C:\Winnt\system32

Reboot and then apply the patch from Windows Update and update antivirus software.
biggoofball

join:2003-07-07
Clarkson, KY
I will have to check my system...thanks for the info

Halo5

join:2000-07-20
Dayton, OH
clubs:
·RoadRunner Cable

Don't forget port 4444 people. I've got more hits there than 135.
--
»www.thismodernworld.com A cartoon that tells it like it is.

Neophyte101
All Your E-Mail Are Belong To Us

join:2002-01-02
Deep River, CT

quote:
Matter of fact whoever has any ports open is asking for it!
Yeah ok... did you even realize that if you NEVER EVER had ports open you would NEVER EVER be able to do anything on the internet? Web browsers open ports to transfer data... so do IM clients, FTP clients, multiplayer games and every other piece of software that transfers data over a network.
vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

Re: Port 135?!

said by Neophyte101 See Profile:
quote:
Matter of fact whoever has any ports open is asking for it!
Yeah ok... did you even realize that if you NEVER EVER had ports open you would NEVER EVER be able to do anything on the internet? Web browsers open ports to transfer data... so do IM clients, FTP clients, multiplayer games and every other piece of software that transfers data over a network.
See above smarty pants.;)
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!
jgoldring

join:2002-03-11
Burlington, ON
For christ sakes...take your hit (IF ANY!)
MS has patches out that make up for most common problems. Port 135? Yes, and anything around that!! Netbios is an issue, MS knows it and you are just re-starting a simple problem to begin with.

J.

Maggs
Premium
join:2002-11-29
Woodside, NY

Re: Port 135?!

MS Patches fudged my PC 3 times. I would be careful installing Service Pack 1, or Satan's Paradise 1 as I call it for messing up my PC 3 times.
--
Let's get right to the .
jennjen

join:2003-08-12
Rohnert Park, CA

I'm sorry.. but I'm not too computer literate. I have the worm and it keeps replicating itself in my system. I delete the file (msblast.exe) but it comes back again and again. I must not have a firewall up. Can someone please guide me through the procedure?

thank you.
crazylike

join:2003-08-12
canada

you need to lock the door

Go to the Start button, then Control Panel, then Performance and Maintenance, then Administrative Tools, then Computer Management. Under Administrative Tools click Local Users and Groups on the left-hand side; on the right-hand side it will show a list of different logins to your computer. Delete any you did not make; the 2 it will not allow deletion of (one is Administrator, the other a Guest account) password-protect them. Then go to c:\winnt\system32, look for msblast.exe and delete it, then go to the registry and delete the reg key for it there. Then go back to the system32 directory and look for any folders with out-of-place names like (inetserv comserv saved uploads dloads). You should also check for files and folders in the c:\winnt\system32\drivers\etc folder.
You could do a search for files ending in .sah .bak .pid .bat; these files are common to sdbots and to msblast.exe, as there seems to be 3 parts to this bot: 1st an ftp, 2nd an irc xdccbot, 3rd a self-contained scanner and auto rooter. Very fancy piece of programming. Too bad I found all three pieces, man people will be mad at me lol
crazylike

join:2003-08-12
canada

People, just go to Computer Management and then to the sub-directory User and Group Accounts, close and password all your accounts and delete the ones that Windows makes at install.
Then go find the msblast, as you call it; it's actually a sdbot. You can remove it by finding the host folder; it usually is c:\winnt\system32\drivers\etc or c:\winnt\system32\config.
Best idea is look for folders that just do not belong, e.g. Certserv or Jobs or Cpuidle. These folders will be in the system32 folder, so look there; they will be hidden folders and files. Look in the reg and edit the HKEY which controls rundll32.exe. Microsoft does know about this problem but chooses not to fix it.

Rothan Tik
Destroyer of worlds
Premium
join:2000-11-07
Danvers, MA

Thanks for the heads up

port 135 blocked now , not that it wasn't already...
[text was edited by author 2003-08-11 19:35:54]


DaSneaky1D
one wall to block them all
Premium,MVM
join:2001-03-29
The Lou
I've been blocking ports 137-139 for quite the while now.
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH

Re: Thanks for the heads up

You should block more than 137-139, you should block 135, 137-139, and 445 at the very least. Better yet, block everything incoming...

mansoalamo

@adelphia.net
My firewall has been taking hits all day on UDP port 135.

Halo5

join:2000-07-20
Dayton, OH
clubs:
·RoadRunner Cable

I work at a local ISP. We got a call about this about 4pm. By 5, we had over 20 people call in about the system wanting to shut down every 2-3 minutes due to a NT authoritative failure to talk to the RPC.

Better make my coffee extra strong tomorrow, gonna be a mess out there.
--
»www.thismodernworld.com A cartoon that tells it like it is.

Halo5

join:2000-07-20
Dayton, OH
clubs:
·RoadRunner Cable

Re: It sure did

You should also have TCP port 4444 blocked.

Here's what Symantec has so far on this quick moving worm...

»securityresponse.symantec.com/av···orm.html
--
»www.thismodernworld.com A cartoon that tells it like it is.
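The thread's advice (kpatz: block 135, 137-139 and 445 inbound; Halo5: 4444 as well) is easy to check against what a perimeter firewall actually logs. The following is an added example, not code from the thread or from any of the products mentioned: it summarises dropped inbound hits per worm-related port and, more usefully, flags any inbound connection to one of those ports that was *not* dropped, which is the port-forwarding hole vic102482 warns about. The log layout ("date time action proto src dst sport dport"), the LAN prefix and all addresses are constructed for the sample; a real router or ZoneAlarm log needs its own parser.

```python
"""Summarise what a perimeter firewall dropped on the ports this thread says
to keep closed (135, 137-139 and 445 per kpatz, 4444 per Halo5), and flag
anything it let through to those ports.

Added example; not code from the thread. Log lines are constructed in a
generic "date time action proto src dst sport dport" layout; a real router's
log needs its own parser. The LAN prefix is an assumption for the sample.
"""
from collections import Counter, defaultdict

WORM_PORTS = {135, 137, 138, 139, 445, 4444}
LAN_PREFIX = "192.168.1."        # assumed inside network for the sample

# Constructed sample: six inbound drops, one outbound web request, and one
# inbound connection to 135 that a forwarded port let through.
SAMPLE_LOG = """\
2003-08-11 19:02:11 DROP TCP 203.0.113.5 192.168.1.2 1034 135
2003-08-11 19:02:14 DROP TCP 203.0.113.5 192.168.1.2 1035 4444
2003-08-11 19:03:02 DROP TCP 198.51.100.12 192.168.1.2 3310 135
2003-08-11 19:03:40 DROP UDP 198.51.100.12 192.168.1.2 137 137
2003-08-11 19:04:01 ALLOW TCP 192.168.1.2 192.0.2.80 1500 80
2003-08-11 19:05:55 DROP TCP 192.0.2.9 192.168.1.2 2271 445
2003-08-11 19:06:10 DROP TCP 203.0.113.44 192.168.1.2 4012 135
2003-08-11 19:07:00 ALLOW TCP 198.51.100.7 192.168.1.2 3001 135
# lines starting with '#' are comments and are skipped
"""

def parse_line(line):
    """Return (action, proto, src, dst, sport, dport) or None for non-records."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8:
        return None
    _date, _time, action, proto, src, dst, sport, dport = parts[:8]
    try:
        return action.upper(), proto.upper(), src, dst, int(sport), int(dport)
    except ValueError:
        return None

def inbound_records(log_text):
    """Yield parsed records that come from outside and target a LAN address."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3].startswith(LAN_PREFIX) and not rec[2].startswith(LAN_PREFIX):
            yield rec

def dropped_by_port(log_text):
    """{port: (drop count, distinct sources)} for the worm-related ports only."""
    hits, sources = Counter(), defaultdict(set)
    for action, _proto, src, _dst, _sport, dport in inbound_records(log_text):
        if action == "DROP" and dport in WORM_PORTS:
            hits[dport] += 1
            sources[dport].add(src)
    return {p: (hits[p], len(sources[p])) for p in sorted(hits)}

def leaked_to_worm_ports(log_text):
    """Inbound records on a worm port that were NOT dropped: a hole to close."""
    return [(src, dport) for action, _proto, src, _dst, _sport, dport
            in inbound_records(log_text)
            if action != "DROP" and dport in WORM_PORTS]

if __name__ == "__main__":
    for port, (n, srcs) in dropped_by_port(SAMPLE_LOG).items():
        print(f"port {port}: {n} dropped hit(s) from {srcs} source(s)")
    for src, port in leaked_to_worm_ports(SAMPLE_LOG):
        print(f"WARNING: {src} reached port {port} - check port forwarding rules")
```

On the constructed sample the drop summary shows 135 hit from three distinct sources, and the one ALLOW to 135 is reported as a hole: on a NAT router that means a forwarding rule for 135 exists and should go.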

Supafly
Premium
join:2000-07-15
Lancaster, CA

The article is wrong, port 135 is not NetBIOS, those are reserved for 137-139.

Port 135: Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.

nil
Java Geek
join:2000-11-27

Host:
Webmasters and Dev..
Forum Feature Requ..

Re: Port 135 is not netbios.

The article isn't wrong.. it's just not as detailed as your post.. most security people lump 135/tcp in with NETBIOS even though it's not strictly the same thing.
--
Life is too short to be boring

Supafly
Premium
join:2000-07-15
Lancaster, CA

Re: Port 135 is not netbios.

Oh okay, I take it it's now part of the NetBIOS suite?

Steve
Pipe Wrench Fight
Consultant
join:2001-03-10
Yorba Linda, CA

Re: Port 135 is not netbios.

said by Supafly See Profile:
Oh okay, I take it it's now part of the NetBIOS suite?
It's "close enough" - though it's not strictly part of NETBIOS in the sense of file mapping and the like, it's so intricately related to "windows networking" that most of us have long considered RPC portmapper to be part of NETBIOS. Perhaps this is sloppy, but not much.

Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site
tsalesnyc

join:2000-08-12
Elmhurst, NY
»support.microsoft.com/default.as···s;823980

Bobcat
Cablevision sucks donkey balls
Premium
join:2001-02-04
Bedminster, NJ
This worm is detected by McAfee Viruscan's DAT files dated August 6.
See - »vil.nai.com/vil/content/v_100547.htm
scsiguru

join:2000-11-18
Parkersburg, WV
...by default everything is blocked. My log file is filling up fast with dropped hits on port 135...going to get really ugly out there...
cableblows3

join:2001-06-17
Indianapolis, IN

Re: I'm running a Sonicwall SOHO2

said by scsiguru See Profile:
...by default everything is blocked. My log file is filling up fast with dropped hits on port 135...going to get really ugly out there...
135 and 6882 here on a dlink router. all ports show stealth besides 113 ident tho' it shows closed. so safe for now

FLea973
Premium
join:2001-02-27
Morristown, NJ

said by scsiguru See Profile:
...by default everything is blocked. My log file is filling up fast with dropped hits on port 135...going to get really ugly out there...
OMG.... you actually still log incoming 135 hits???? I would've run out of disk space ages ago!
GigahertZ420

join:2001-10-02
Fairbanks, AK

I got hit by this worm this morning. My roommate was playing Project IGI 2 when I saw for a brief second the message informing you that the system will shut down in 60 seconds. I told him to save the game and quit. Sure enough as soon as he exited out of the game it rebooted.

When my computer came back up (XP PRO SP1) I noticed that the activity lights on my router were going nuts. I enabled the firewall packaged with XP and checked the log. Sure enough my computer was scanning class A networks in the 19.xx.xx.xx range on port 135. I checked my task manager and started killing things until the network traffic died. As soon as I killed MSBLAST.EXE my network traffic stopped. I did a search on my C drive and found 2 files - MSBLAST.EXE and MSBLAST.EXE-09FF84F2.pf a prefetch file.

I moved msblast.exe to my desktop and changed the extension from .exe to .txt

subsequent running of the program prompted more network traffic which was confirmed by my firewall logs.

so YES GET YOUR FIREWALLS UP!!

and do a search on your hard drive for 'msblast' to see if you have been infected. and delete it quickly.

I did a search on msblast.exe in all search engines and came up with nothing. I must have been one of the first hit by this worm. It is very small only 8K and the prefetch file is only 16K so it is easily propagated even on dialup.
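The news item describes the worm scanning a random IP range on 135/tcp, and GigahertZ420's post above shows what that looks like from the inside: the XP firewall log fills with connections from the infected machine to address after address on port 135. The following is an added example, not code from the thread or from Microsoft, that turns that observation into a check: it parses a W3C-style firewall log and flags any source that reaches an unusual number of distinct hosts on 135/tcp inside a short window. The sample log is constructed here (field names assumed from a pfirewall.log "#Fields:" header, addresses from documentation ranges, timestamps invented); a real log from another product needs its own parser, and the thresholds are starting points to tune.

```python
"""Spot a host fanning out to many addresses on 135/tcp, the scanning
behaviour described in the news item and seen by GigahertZ420 in the XP
firewall log.

Added example; not code from the thread. The sample log is constructed in a
W3C-style layout with the field names assumed from a pfirewall.log
"#Fields:" header; any other firewall's log needs its own parser.
"""
from collections import defaultdict, deque
from datetime import datetime

# Field list assumed for the constructed sample (matches its header line).
DEFAULT_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port "
                  "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()
TAIL = " ".join(["-"] * 8)   # the eight trailing fields the sample leaves empty

def build_sample_log():
    """Constructed log: one web request, then 30 connections to 30 different
    hosts on 135/tcp inside a few seconds, then one legitimate LAN RPC call."""
    lines = ["#Version: 1.0", "#Fields: " + " ".join(DEFAULT_FIELDS),
             f"2003-08-11 08:12:01 OPEN TCP 192.168.1.5 198.51.100.80 1033 80 {TAIL}"]
    for i in range(1, 31):
        sec = 5 + i // 4
        lines.append(f"2003-08-11 08:12:{sec:02d} OPEN TCP 192.168.1.5 192.0.2.{i} "
                     f"{1040 + i} 135 {TAIL}")
    lines.append(f"2003-08-11 08:13:30 OPEN TCP 192.168.1.7 192.168.1.1 1200 135 {TAIL}")
    return "\n".join(lines) + "\n"

def parse_log(text):
    """Parse W3C-style lines into dicts keyed by the #Fields names, sorted by time."""
    fields, records = list(DEFAULT_FIELDS), []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue                      # truncated or malformed line
        rec = dict(zip(fields, parts))
        try:
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            rec["dst-port"] = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])

def find_scanners(records, port=135, window_s=60, min_targets=20):
    """Return {src-ip: peak number of distinct destinations on `port` reached
    inside any `window_s`-second window}. A worm host hits dozens of fresh
    addresses per minute; a real RPC client talks to one or two."""
    recent = defaultdict(deque)   # src-ip -> (ts, dst-ip) pairs inside the window
    peak = {}
    for rec in records:
        if rec.get("protocol") != "TCP" or rec["dst-port"] != port:
            continue
        q = recent[rec["src-ip"]]
        q.append((rec["ts"], rec["dst-ip"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct >= min_targets:
            peak[rec["src-ip"]] = max(peak.get(rec["src-ip"], 0), distinct)
    return peak

if __name__ == "__main__":
    for host, n in find_scanners(parse_log(build_sample_log())).items():
        print(f"{host}: {n} distinct hosts on 135/tcp within 60s -> likely infected")
```

Counting distinct destinations rather than raw connections is the point: a machine that legitimately uses RPC reconnects to the same one or two servers, while the worm's random-range scan produces a new destination on almost every line, so the fan-out count separates the two even when both are noisy.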
crazylike

join:2003-08-12
canada

you sound like ya smart do this be safe

Don't just patch it... This is your puter, not your driveway, people..
Go to Computer Management and password the administrator account you didn't make, then delete all accounts that you didn't make, then send a note to M$ saying how much you appreciate their leaving open doors in your OS and not telling you...

alanhdsl
Premium
join:1999-10-09
Phoenix, AZ

Re: you sound like ya smart do this be safe

Changing the administrator password won't help in this case. This worm works by hijacking a process (DCOM server) that's already running as administrator. Once it's running in place of the DCOM code, it can do whatever it wants, no password required.

museheart
Premium
join:2002-08-11
Hazel Green, AL
How do you disable prefetch? I mean you don't really need it, do you?

Peace,
crazylike

join:2003-08-12
canada

as i said you must remove the file

But if you do not close the administrator password then they will just keep re-rooting your computer. Trust me, I know how this worm, as you call it, is passed..
It is not a worm, it is a trojan designed to serve mIRC. It is designed to root new hosts etc. but it also serves movies, games and whatever else its master wants it to serve. If you remove the reg key and you delete the files and close the admin account it will stop the bot... I have posted other responses with very precise instructions as to how to stop these intrusions...

simkar

join:2002-09-30
Monroe Township, NJ

Today 2 of my friends told me of this problem, sounded weird their computer would shut down after a time-limit thing expired.

I thought it was a coincidence, then later THREE more of my friends told me they had the same thing going on. I KNEW this was something new, and it looks like I was right.

alex69s
Alex S

join:2002-03-02
Richmond Hill, ON


I have this problem too, but after installing a firewall it was fixed. Later, I installed this: »www.microsoft.com/technet/treevi···-026.asp patch, turned off my firewall, and it was fixed as well.
[text was edited by author 2003-08-11 20:55:33]

stupergenius
Stop Drinking That Whiskey.

join:2002-01-20
Columbus, OH
I just finished building my PC this weekend and haven't had time to set up my firewall or anything yet and guess what happened today, a friggan virus, oh that's just great .
scsiguru

join:2000-11-18
Parkersburg, WV

Re: Well this sucks.

Isn't Thornville, OH near Lancaster? D/L a free firewall program...it's better than nothing.

BliZZardX
Premium
join:2002-08-18
Toronto, ON

Re: Well this sucks.

USE KERIO! I love this firewall! Best of all it's free for personal use
»www.kerio.com/kpf_home.html

stupergenius
Stop Drinking That Whiskey.

join:2002-01-20
Columbus, OH

Hello scsiguru, yes actually I go to school there .

I've already installed the Sygate Firewall and it is up and running, I posted the other message on my old computer while I was researching the best way to rid myself of the worm, thanks for all the help guys.

FLea973
Premium
join:2001-02-27
Morristown, NJ

said by stupergenius See Profile:
I just finished building my PC this weekend and haven't had time to set up my firewall or anything yet and guess what happened today, a friggan virus, oh that's just great .
I know it's a pain in the butt.. but lesson learned... install OS/drivers/firewall while unplugged from the net.. plug in and then update everything - an unpatched OS or firewall might be vulnerable but it will stop the old stuff that is still out there probing away until you get everything up to date.

If it's one of the new ones that can exploit your firewall/OS before (but not after) you patch, you probably would've gotten hit even if you didn't rebuild, unless you save your patches to backup so you can apply them in the event of a reinstall prior to reconnecting to the inet.

mrwicked

join:2002-03-20
Escondido, CA

Yeah, unfortunately I have this POS virus and my Norton SystemWorks isn't picking it up even though I've run LiveUpdate 20 times... I managed to contain it somewhat... I deleted the two msblast files and deleted the registry string... How can I block port 135??? It may already be blocked, but how would I go about doing it on my router?? I have a D-Link DI-804... Man this sucks... I also read that embedded in the virus was a sentence that read, "I Love SANS!!! billy gates why do you let us do this. Stop making money and fix windows!!". "SANS" referring to its alias Lovesans I'm assuming.

koitsu
Premium
join:2002-07-16
Mountain View, CA


Turns your workstation into a DDoS client against predominantly IRC servers -- port 80 has little to do with it. There was a major network-wide (all servers) attack on all EFnet IRC servers with over 50,000 compromised Windows machines.

Who did it? One person. *One*.

Recommendation: do not try to get rid of this thing, just format and re-install. *shrug* It's just not worth the risk.

EDIT: Here's an applicable URL over at CNet that contains information about what it actually does. Yes, it installs a service, registry keys, and all sort-of other fun stuff.
--
Making life hard for others since 1977.

[text was edited by author 2003-08-11 21:26:50]

Lion7

join:2003-05-08
Here

CAUSE: The worm will exploit the DCOM RPC vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user.

Resolution if you have Norton and the subscription is current.
1. Disable system Restore.
a. Click Start, settings control panel
b. Windows XP classic control panel double click system or in Windows XP category view click Performance and Maintenance, then click system.
c. Click the System Restore tab in the system properties box.
d. Select “Turn off system restore” or “Turn off system restore on all drives”
e. Click Apply
f. A system restore box will come up, “Do you want to turn off system restore?” Click YES
g. Click OK
2. Update virus definitions. Run LiveUpdate. NOTE: If you are unable to download the update follow step 2 in the resolution below “Resolution if you don’t have a current Norton subscription.” then attempt it again.
3. Scanning for and deleting the infected files.
a. Run a full system scan.
b. If any files are detected as infected with W32.Blaster.Worm, click Delete.
4. Deleting the registry value.
a. Delete the registry value.
b. Click Start, and then click Run
c. Type regedit
d. Click OK
e. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
f. Delete the value “windows auto update” “msblast.exe” in the right panel.
g. Exit the registry editor.
5. Enable system Restore
a. Click Start, settings control panel
b. Windows XP classic control panel double click system or in Windows XP category view click Performance and Maintenance, then click system.
c. Click the System Restore tab in the system properties box.
d. Clear the “Turn off System Restore” or “Turn off system restore on all drives”.
e. Click Apply and then OK.
6. Do a Windows update and download all critical updates.

Resolution if you don’t have a current Norton subscription.
1. Disable System Restore.
a. Click Start, Settings, Control Panel.
b. In the Windows XP classic Control Panel view, double-click System; in category view, click Performance and Maintenance, then click System.
c. Click the System Restore tab in the System Properties box.
d. Select “Turn off System Restore” or “Turn off System Restore on all drives”.
e. Click Apply.
f. A System Restore box will come up: “Do you want to turn off System Restore?” Click Yes.
g. Click OK.
2. Enable the Microsoft firewall. (This should allow you to download without losing the connection.)
a. Click Start, Settings, Control Panel.
b. In the Windows XP classic Control Panel view, double-click Network Connections; in category view, click Network and Internet Connections, then click Network Connections.
c. Right-click the Local Area Connection and select Properties.
d. Click the Advanced tab.
e. Check “Protect my computer”.
f. Click OK.
g. Close the Control Panel.
3. Download the update.
Download and install the MS03-026 patch.
MICROSOFT PATCH: www.microsoft.com – go to [Resources] in the left frame, then Downloads. Under [Most Popular Downloads]: Windows XP Security Patch: Buffer Overrun In RPC Interface Could Allow Code Execution.
4. Delete the registry value and the files.
Delete the registry value.
a. Click Start, and then click Run.
b. Type regedit.
c. Click OK.
d. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
e. In the right panel, delete the value “windows auto update” (data “msblast.exe”).
f. Exit the Registry Editor.

End task on msblast.exe.
g. Hit
h. Select Task Manager.
i. Choose the Processes tab.
j. Select msblast.exe, then click the End Process button.

Delete msblast.exe.
k. Click Start, then Search.
l. Select All files and folders.
m. In “All or part of the file name”, type msblast.
n. Verify that “Look in” includes your local hard drives.
o. Click Search.
p. After it searches, delete the files named msblast.exe.
q. Empty the Recycle Bin.
5. Enable System Restore.
a. Click Start, Settings, Control Panel.
b. In the Windows XP classic Control Panel view, double-click System; in category view, click Performance and Maintenance, then click System.
c. Click the System Restore tab in the System Properties box.
d. Clear “Turn off System Restore” or “Turn off System Restore on all drives”.
e. Click Apply and then OK.

If this does not resolve the issue, a format and reload will be required; please use your system restoration process.
--
Subnetting Sucks!
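As an added example (not part of the post above, and not Symantec's or Microsoft's tooling): the manual steps in that post, checking the Run value, ending the process, deleting the file and confirming the patch, done from an elevated PowerShell so you can see in one table whether anything is left. The Run value name "windows auto update" and its data "msblast.exe" are the ones the post names; the drop path %SystemRoot%\System32\msblast.exe and the hotfix id KB823980 (the package MS03-026 shipped as) come from the public write-ups of the worm, and the 4444/tcp listener check reflects the shell the exploit opened on a victim. It assumes PowerShell 5 or later with the NetTCPIP module.

```powershell
# Added example: check a Windows host for the Blaster indicators named in the
# post above and remove them. Not the Norton procedure; run elevated.
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'windows auto update'                         # from the post
$WormPath  = Join-Path $env:SystemRoot 'System32\msblast.exe'  # drop location per public write-ups (assumption)
$PatchId   = 'KB823980'                                     # MS03-026, "Buffer Overrun In RPC Interface"

function Get-BlasterIndicators {
    # One field per step of the post: process, Run value, file on disk, patch state,
    # plus the 4444/tcp listener the exploit's shell stage leaves behind.
    $runData = Get-ItemPropertyValue -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProcessRunning = [bool](Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)
        RunValueData   = $runData
        FileExists     = Test-Path -LiteralPath $WormPath
        Port4444Listen = [bool](Get-NetTCPConnection -LocalPort 4444 -State Listen -ErrorAction SilentlyContinue)
        Patched        = [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)
    }
}

function Remove-BlasterIndicators {
    $before = Get-BlasterIndicators

    # 1. End the process first: while it runs the file is locked and it can re-add the Run value.
    if ($before.ProcessRunning) {
        Stop-Process -Name 'msblast' -Force
        Start-Sleep -Seconds 1
    }
    # 2. Remove the autorun value only if its data really points at the worm binary.
    if ($before.RunValueData -and $before.RunValueData -match 'msblast\.exe') {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
    }
    # 3. Delete the dropped executable.
    if ($before.FileExists) {
        Remove-Item -LiteralPath $WormPath -Force
    }
    # 4. Report what is left. Patched = False means the next 135/tcp scan re-infects this host,
    #    which is why the post ends with Windows Update rather than with the deletion.
    Get-BlasterIndicators
}

Remove-BlasterIndicators | Format-List
```

Two things the script does not do that the post does: it does not touch System Restore (on XP a restore point can hold a copy of the file, which is why the post turns it off before scanning), and it only looks at the System32 path, so if FileExists is False but ProcessRunning was True, run the all-drives search the post describes to find where the copy actually is.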
crazylike

join:2003-08-12
canada

MAKE SURE YOU CLOSE THE DOOR

My friend, this will definitely get it out, but if you do not fix the cause it's not gonna help ya at all....
You must close the DOOR, people. To do this you must add a password to the Administrator account that Windows makes at install. You find that in Control Panel, Performance and Maintenance, Administrative Tools, Computer Management; then under System Tools you see Local Users and Groups. Go through there and delete any account you didn't make; the 2 it will not allow you to delete, you need to password protect. This will stop it from happening. It will also allow you to see if the rest of it is still working: there are 3 parts, the ftp, the sdbot and the ddos bot part of it. To see this activity, open up Windows Task Manager by pressing Alt+Ctrl+Delete one time, all at the same time. Do not do it repeatedly or the computer will reboot.

museheart
Premium
join:2002-08-11
Hazel Green, AL

Re: MAKE SURE YOU CLOSE THE DOOR

About closing the door. Isn't there a program that allows you to close certain ports?

livininarizona
Premium
join:2001-08-05
Merced, CA

I got it first a few days ago, and then today it was a constant flood of them causing my computer to shut itself down constantly. Here's the thread I started earlier today:

»[2K3] Windows Keeps shutting itself Down!!!

I installed the patch supplied by Microsoft, and that seems to have worked just fine. I just can't imagine what kind of impact this has on 2K3 servers on some business machines... the kind that never shut down will now be constantly shutting themselves down unless patched. I did log some activity once I started up Zone Alarm: all the connect attempts on port 135 were from my local ISP, so I'm guessing the code in the worm is set to start a port scan originating from its public IP and scan from there. This is a widespread worm, as I logged 20 different connect attempts from 20 different clients on my ISP's network (as well as 2 from another SBC network). We'll see the real effects in a few days.
--
_____________________________It's Simple: »technologytalk.tk
JPCass

join:2001-01-23
Denver, CO

Re: Me Got it

said by livininarizona See Profile:
I just can't imagine what kind of impact this has on 2K3 servers on some business machines... the kind that never shut down will now be constantly shutting themselves down unless patched.
They, and their connected clients, should be inside of a good hardware firewall perimeter; if not, they shortsightedly set themselves up for just this sort of problem. Servers that for some reason have to have a network connection direct to the outside, or have ports like that forwarded through the firewall, need to have arrangements in place for constant monitoring and maintenance. Any business that has to run servers has to set up and maintain them properly and safely, just like any other piece of equipment. You can make an argument about whether home users should have a hardware firewall with a broadband connection, but not a business running servers.
Cajunlady163

join:2003-08-10
Seguin, TX
I just checked my ZoneAlarm firewall and wow!! The hits on that port are huge!! Thanks for the heads up.

fauzt0
CT GOONER
Premium
join:2001-04-07
New London, CT

Re: Port 135

So if I'm using a Linksys router... I'm OK... I don't need to manually block any ports?
bigbeartech
Goo?

join:2001-09-23
Saint Louis, MO

Re: Port 135

If DMZ is not set up, generally yes, but you should block ports 135 and 4444 in your router just in case.
The 4444 block is in case you have the worm, so you don't spread it.
--
guycad: It may take you days and large clumps of hair to get it to work,CyberSchnook:I am so screwed--I haven't had large clumps of hair for years.
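An added example (not from the post above, and not a vendor's ruleset) of the same blocks applied on the host itself rather than the router, for machines that sit directly on the Internet or that you want to stop from infecting the rest of the LAN. The port roles are as Blaster used them: 135/tcp is the DCOM RPC service the exploit hits; 4444/tcp is the command shell the exploit opened on the victim, which the infected host then connected to; and 69/udp is the tftp server an infected host ran to hand msblast.exe to the next victim. The rule names are my own. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
# Added example: host firewall rules for the ports discussed in the thread.
# Each hashtable holds New-NetFirewallRule parameters and is splatted below.
$Rules = @(
    @{ DisplayName = 'Blaster: block RPC 135 in';     Direction = 'Inbound';  Protocol = 'TCP'; LocalPort  = 135  }  # exploit cannot reach you
    @{ DisplayName = 'Blaster: block shell 4444 in';  Direction = 'Inbound';  Protocol = 'TCP'; LocalPort  = 4444 }  # shell unusable even if the exploit landed
    @{ DisplayName = 'Blaster: block shell 4444 out'; Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 4444 }  # you cannot drive a shell on someone else
    @{ DisplayName = 'Blaster: block tftp 69 in';     Direction = 'Inbound';  Protocol = 'UDP'; LocalPort  = 69   }  # victims cannot fetch the worm from you
)

function Add-BlasterBlockRules {
    foreach ($r in $Rules) {
        # Idempotent: skip rules that already exist so re-running does not stack duplicates.
        if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule @r -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Test-BlasterBlockRules {
    # One row per rule with the port filter actually attached to it, so you can
    # verify what is enforced rather than trusting the name.
    Get-NetFirewallRule -DisplayName 'Blaster:*' | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Dir     = $_.Direction
            Action  = $_.Action
            Enabled = $_.Enabled
            Proto   = $pf.Protocol
            Local   = $pf.LocalPort
            Remote  = $pf.RemotePort
        }
    }
}

Add-BlasterBlockRules
Test-BlasterBlockRules | Format-Table -AutoSize
```

Two caveats. A NAT router with no DMZ and no port forward already drops unsolicited inbound 135/tcp, which is what bigbeartech means by "generally yes"; these host rules add the outbound and LAN-side coverage the router does not give you. And 135/tcp is the RPC endpoint mapper, so if other machines on your LAN legitimately need RPC to this box, scope the first rule with -RemoteAddress to the Internet instead of blocking it everywhere.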

user726195
Premium
join:2002-11-23
South Pole

So no wonder I've been getting like 50,000 hits on port 135 over the last few days. Wow, just checked my ZA log and it seems port 135 is still the most popular port.
--
Need a Web Developer?
The Community Forums

mrwicked

join:2002-03-20
Escondido, CA

Re: no wonder....

How do I see if my port 135 is being hit?

user726195
Premium
join:2002-11-23
South Pole

Re: no wonder....

Not sure what firewall you are using, but in ZA Pro/ZA Free there is a log link, and it shows the log; under Destination IP, after the IP address is the port number.
--
Need a Web Developer?
The Community Forums
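An added example, not from anyone's post above, of reading that log the way user726195 describes but letting a script do the counting: hits per destination port, how many distinct sources, and which /16 networks they came from (the last column is there to check the observation earlier in the thread that the connect attempts came from the poster's own ISP). The sample lines are constructed for the example in the comma-separated layout ZoneAlarm's ZAlog.txt used (type, date, time, source:port, destination:port, protocol); that layout is an assumption, and Kerio's log needs different field indexes in ConvertFrom-ZaLogLine, but the rest is the same.

```powershell
# Added example: summarise blocked inbound hits in a ZoneAlarm-style log by port and source network.
# Sample log lines are constructed for this example; field order is an assumption about the ZA format.
$SampleLog = @'
FWIN,2003/08/12,22:10:44 -7:00 GMT,66.123.45.10:3045,66.123.7.8:135,TCP (flags:S)
FWIN,2003/08/12,22:10:51 -7:00 GMT,66.123.45.10:3046,66.123.7.8:135,TCP (flags:S)
FWIN,2003/08/12,22:11:02 -7:00 GMT,66.123.201.77:1186,66.123.7.8:135,TCP (flags:S)
FWIN,2003/08/12,22:11:19 -7:00 GMT,64.174.9.3:4981,66.123.7.8:135,TCP (flags:S)
FWIN,2003/08/12,22:11:40 -7:00 GMT,66.123.88.14:2077,66.123.7.8:4444,TCP (flags:S)
FWIN,2003/08/12,22:12:03 -7:00 GMT,212.58.31.9:53,66.123.7.8:1027,UDP
FWOUT,2003/08/12,22:12:10 -7:00 GMT,66.123.7.8:1029,207.46.134.190:80,TCP (flags:S)
'@ -split "`r?`n"

function ConvertFrom-ZaLogLine {
    param([string]$Line)
    $f = $Line -split ','
    if ($f.Count -lt 6) { return }               # not a firewall event line; skip it
    $srcIp, $srcPort = $f[3] -split ':'
    $dstIp, $dstPort = $f[4] -split ':'
    [pscustomobject]@{
        Type      = $f[0]                         # FWIN = inbound blocked, FWOUT = outbound blocked
        Time      = "$($f[1]) $($f[2])"
        Source    = $srcIp
        SourceNet = (($srcIp -split '\.')[0..1] -join '.') + '.0.0/16'
        DestIp    = $dstIp
        DestPort  = [int]$dstPort
        Proto     = ($f[5] -split ' ')[0]         # drop the "(flags:S)" suffix
    }
}

function Get-InboundPortSummary {
    param([string[]]$Lines)
    $Lines | ForEach-Object { ConvertFrom-ZaLogLine $_ } |
        Where-Object { $_.Type -eq 'FWIN' } |
        Group-Object Proto, DestPort |
        ForEach-Object {
            [pscustomobject]@{
                Port          = $_.Name
                Hits          = $_.Count
                UniqueSources = ($_.Group.Source | Sort-Object -Unique).Count
                SourceNets    = ($_.Group.SourceNet | Sort-Object -Unique) -join ' '
            }
        } | Sort-Object Hits -Descending
}

Get-InboundPortSummary $SampleLog | Format-Table -AutoSize
# Replace $SampleLog with: Get-Content "$env:SystemRoot\Internet Logs\ZAlog.txt"
```

On the constructed sample this reports TCP 135 with 4 hits from 3 sources in two /16s, plus a single TCP 4444 and a single UDP 1027, so port 135 is "the most popular port" in the sense user726195 means. The UniqueSources column matters more than Hits: one scanner retrying is noise, twenty different hosts on your own ISP's network hitting 135 is what livininarizona saw.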

mrwicked

join:2002-03-20
Escondido, CA

Re: no wonder....

I'm using Kerio, but I see nothing relating to port 135...
jimahrens

join:2002-05-30
Owego, NY
ZoneAlarm 2.6 (the free one) has been logging about 10 hits every 60 seconds on port 135...
I am only on a dialup modem too.

UnKown
The Underground Network

join:2002-09-08
Orlando, FL
This was reported by Microsoft on July 16 and I have been using this exploit since the beginning of August.

deadmeat
Premium
join:2003-03-21
Sonoma, CA

Re: this is new?

The patch came out for this on June 17.

museheart
Premium
join:2002-08-11
Hazel Green, AL

Re: this is new?

said by deadmeat See Profile:
The patch came out for this on June 17.
Is that the latest and greatest? I thought there was one within the last few days.

Peace,
--
MuSe

Visit Fighting Back! - Quick links to the best freeware anywhere!
»home.mchsi.com/~museheart/fight.html
aadic
Premium
join:2002-12-14
Trenton, NJ

said by UnKown See Profile:
This was reported by Microsoft on July 16 and I have been using this exploit since the beginning of August.
And you are proud of that?

UnKown
The Underground Network

join:2002-09-08
Orlando, FL

Re: this is new?

Used it internally to see if any of my boxes could be infected. So yes, I am proud of that.


over 9.5 years online! © 1999-2009 dslreports.com.