Calling all COR computer ner- wizzes...
beats and beeps
Ok, so I'm really not all that computer literate, but I know a lot of you are. So help me out if you can.

I'm using ZoneAlarm firewall (I know it's probably not the best, but meh), and when I look in alerts and logs there's always a huge list of "TCP:Flags:S" (I'm guessing these are "pings"). Anyway, here's the weird part: each ping is always from a different IP address! AND! it's almost always targeting port 135 or 445 on my computer.

So, does anyone know what this could mean?

Oh yeah, also, although the IP addresses are always different, they always start with the same two numbers as mine. Oh yeah, and it's been going on for like half a year now and keeps going even though my IP address changes...

Thanks for helping with this question, which is probably very n00bish.
-=M=-
135/tcp, loc-srv (basic scan): Remote Procedure Call (RPC) port 135 is used in client/server applications (possibly on a single machine) such as Exchange clients, the recently exploited Messenger service, as well as other Windows NT/2K/XP software. If you have remote users who VPN into your network, you might need to open this port on the firewall to allow access to the Exchange server.

There is an RPC (RPC Endpoint Mapper component) vulnerability in Windows NT where a malformed request to port 135 could cause a denial of service (DoS). RPC contains a flaw that causes it to fail upon receipt of a request that contains a particular type of malformed data. To restore normal functionality the victim has to reboot the system. Alternatively, you can upgrade/patch your OS (there is a patch downloadable from Microsoft), or you can close port 135.

MS Security Bulletin MS03-026 outlines another critical buffer overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above-mentioned ports at the firewall level and not allow RPC over an insecure network, such as the Internet.

W32.Blaster.Worm is a widely spread worm that exploits the DCOM RPC vulnerability described above (MS Security Bulletin MS03-026). The worm allows remote access to an infected computer via ports 4444/tcp and 69/udp, and spreads through port 135/tcp. To avoid being infected, consider closing those ports.

The port is also used by the Messenger Service (not MSN Messenger) and exploited in pop-up "net send" messenger spam: MSKB 330904. To stop the pop-ups you'd need to filter port 135 at the firewall level or stop the Messenger service. The service uses all of the following ports: 135/tcp, 135/udp, 137/udp, 138/udp, 139/tcp, 445/tcp.
-=M=-
445/tcp, microsoft-ds (basic scan): TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName (value only) in the Windows Registry.

Leaving port 445 open will leave you vulnerable to some worms, such as W32.Deloader and IraqiWorm (aka Iraq_oil.exe), W32.HLLW.Moega, W32.Sasser.Worm, as well as the Windows Null Session Exploit.

MS Security Bulletin MS03-026 outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above-mentioned ports at the firewall level and not allow RPC over an insecure network, such as the Internet.

See also: Microsoft Security Bulletin MS03-049 and Microsoft Security Bulletin MS03-043
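As an added example (not from the thread or from either poster), a small Python script that reads constructed ZoneAlarm-style FWIN log lines, counts the distinct sources sending bare SYNs to the 135 and 445 ports described in the two posts above, and checks how many of them sit in the host's own /16, which is what the original poster's "same first two numbers" observation amounts to; the log layout, addresses and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed ZoneAlarm-style inbound (FWIN) log lines; addresses are from
# documentation ranges, not from the thread.
SAMPLE_LOG = """\
FWIN,2004/05/02,10:01:12 -5:00 GMT,203.0.113.45:3122,203.0.113.77:135,TCP (flags:S)
FWIN,2004/05/02,10:01:15 -5:00 GMT,203.0.113.201:4012,203.0.113.77:445,TCP (flags:S)
FWIN,2004/05/02,10:02:40 -5:00 GMT,203.0.114.9:2981,203.0.113.77:135,TCP (flags:S)
FWIN,2004/05/02,10:03:03 -5:00 GMT,198.51.100.3:53,203.0.113.77:1034,UDP
FWIN,2004/05/02,10:04:22 -5:00 GMT,203.0.115.120:1120,203.0.113.77:445,TCP (flags:S)
FWIN,2004/05/02,10:05:00 -5:00 GMT,192.0.2.88:2222,203.0.113.77:135,TCP (flags:S)
"""

RPC_SMB_PORTS = (135, 445)  # the ports discussed in the posts above

def parse_line(line):
    """Return (src_ip, dst_port, is_syn) for an inbound TCP record, else None."""
    fields = line.strip().split(",")
    if len(fields) != 6 or fields[0] != "FWIN" or not fields[5].startswith("TCP"):
        return None
    src_ip = fields[3].rsplit(":", 1)[0]          # strip the source port
    dst_port = int(fields[4].rsplit(":", 1)[1])   # keep only the destination port
    return src_ip, dst_port, "flags:S" in fields[5]

def summarize_syn_probes(log_text, my_ip, ports=RPC_SMB_PORTS):
    """Per watched port: how many distinct sources sent a bare SYN, and how
    many of those share the host's /16 (the 'same first two numbers')."""
    my_net = ipaddress.ip_network(f"{my_ip}/16", strict=False)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] and rec[1] in ports:
            sources[rec[1]].add(rec[0])
    return {
        port: {
            "unique_sources": len(ips),
            "same_16": sum(ipaddress.ip_address(ip) in my_net for ip in ips),
        }
        for port, ips in sources.items()
    }

def worm_scan_indicators(summary, min_sources=3):
    """A spread of distinct sources each sending one SYN to 135/445, mostly
    from nearby address space, matches worm propagation rather than one prober."""
    total = sum(v["unique_sources"] for v in summary.values())
    nearby = sum(v["same_16"] for v in summary.values())
    return total >= min_sources and nearby * 2 > total
```

Running `summarize_syn_probes(SAMPLE_LOG, "203.0.113.77")` on the constructed lines reports three sources for port 135 and two for 445, four of the five inside the host's /16; the assumed threshold (at least three sources, a majority nearby) is only a starting point for tuning against real logs.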
Orbital32
Who says ZoneAlarm is not the best? It's damn good if you know how to configure it. It was one of the few that was able to pass the hidden FTP leak test. I've been running ZA for the longest time and it does a damn good job.