Increase in traffic port 135

Thread: Increase in traffic port 135

  1. #1
    Member
    Join Date
    Nov 2002
    Posts
    80

    Increase in traffic port 135

    I have been getting steadily increased activity directed at port 135 over the last day. My firewall is now logging one attempt every couple of minutes or less.

    Has anyone else noticed this increase?

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    Are they connection attempts or just scans? I have seen a lot of people reporting an increase of scans on this port.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  3. #3
    Member
    Join Date
    Nov 2002
    Posts
    80
    At the moment I don't know what they are; I am picking up dropped TCP packets in my firewall log. I am going to fire up netcat to try and capture some traffic. They started getting more frequent in the last hour.

  4. #4
    Member
    Join Date
    Jan 2002
    Posts
    82
    The new RPC exploit is causing this. Make sure you're patched!
    More Info

  5. #5
    Top Gun Maverick811
    Join Date
    Oct 2001
    Posts
    852
    Originally posted here by DeadCr0w
    The new RPC exploit is causing this. Make sure you're patched!
    More Info

    Yup, this should be the reason. I've noticed a steady rise over the past week or so; it should be due to the RPC flaw. You can find more information and the patch here: http://support.microsoft.com/default...b;en-us;823980

  6. #6
    Member
    Join Date
    Nov 2002
    Posts
    80
    Thanks DeadCr0w, I suspected it was the recent RPC thing.
    They seem to be scans:

    connect to [0.0.0.0] from pcp02763925pcs.grenwy01.pa.comcast.net [68.85.116.17]
    2118
    sent 0, rcvd 0

    I have the ports blocked already and I will patch it.

  7. #7
    I'm seeing a BIG increase in port 445 scans, mostly from fairly "local addresses" too. This could be related to the RPC scans I think. In any case, it looks like something might be up.

  8. #8
    Member
    Join Date
    Jan 2002
    Posts
    82
    I'm seeing a BIG increase in port 445 scans, mostly from fairly "local addresses" too. This could be related to the RPC scans I think. In any case, it looks like something might be up.
    This is from the link I posted up there:
    In both of the attacks described above, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Unless you have a burning need for RPC across the internet, ports 135 and 445 should always be blocked..... There is no benefit to having them open and there are tons of bad things that they open you up to. If you have them blocked then the RPC DCOM exploit currently in the news is no danger to you.

    Oh, and yes, I have noticed a large increase in scan traffic on both ports over the last week. I have my firewall set to automatically place any computer on the internet on the blocked sites list for any attempt to connect to my network on these and some other ports. Yes, I am aware of the potential for DOS...... but as far as I am concerned no-one should be trying to connect to this network on either port, so there is something not right with any machine that tries, so....... It goes in the "blocked bin" for a few days until the time limit I have set kicks in.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
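The auto-block policy described in the post above (any connection attempt on the RPC ports lands the source on a block list that expires after a few days) and the DoS concern it raises can be modelled in a few lines. The following is an added example and not the poster's firewall configuration: it assumes a fixed set of watched ports (135, 139, 445), a hard cap on the list size and an allow list for networks that must never be blocked, which are my additions to bound the damage a flood of spoofed sources could cause. The clock is injectable so expiry can be exercised without waiting days.

```python
"""Time-limited auto-block list (added example, not the poster's setup).

Any source seen probing a watched port is blocked for block_seconds.
Entries expire on their own; a size cap and an allow list limit the
collateral damage a spoofed-source flood could cause (the DoS concern).
"""
import ipaddress
import time
from collections import OrderedDict

WATCHED_PORTS = {135, 139, 445}      # RPC / NetBIOS / SMB, as discussed in the thread
BLOCK_SECONDS = 3 * 24 * 3600        # "a few days"
MAX_ENTRIES = 10_000                 # assumed hard cap on the block list


class AutoBlockList:
    def __init__(self, allow_nets=(), block_seconds=BLOCK_SECONDS,
                 max_entries=MAX_ENTRIES, clock=time.time):
        self.allow_nets = [ipaddress.ip_network(n) for n in allow_nets]
        self.block_seconds = block_seconds
        self.max_entries = max_entries
        self.clock = clock
        # ip -> expiry timestamp; ordered oldest-expiry first because
        # every entry gets the same lifetime and renewals move to the end.
        self._entries = OrderedDict()

    def _allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow_nets)

    def expire(self):
        """Drop entries whose block period has elapsed."""
        now = self.clock()
        for ip in [ip for ip, exp in self._entries.items() if exp <= now]:
            del self._entries[ip]

    def observe(self, src_ip, dst_port):
        """Record a dropped packet; return True if a block was added or renewed."""
        if dst_port not in WATCHED_PORTS or self._allowed(src_ip):
            return False
        self.expire()
        if src_ip in self._entries:
            self._entries.move_to_end(src_ip)          # renew: goes to the end
        elif len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)          # evict the oldest entry
        self._entries[src_ip] = self.clock() + self.block_seconds
        return True

    def is_blocked(self, src_ip):
        self.expire()
        return src_ip in self._entries

    def __len__(self):
        self.expire()
        return len(self._entries)


if __name__ == "__main__":
    bl = AutoBlockList(allow_nets=["192.168.0.0/16"])
    bl.observe("68.85.116.17", 135)       # address from the netcat capture above
    print(bl.is_blocked("68.85.116.17"), len(bl))
```

The cap means that under a spoofed flood the list evicts its oldest entries rather than growing without bound, which is the trade-off the post acknowledges: real scanners may fall out early, but the firewall itself stays healthy.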

  10. #10
    My IP is 81.103.x.x and I'm seeing a lot of other probes coming in from the same range targeted on ports 80, 137, 139 and 445.

    20% of all probes are coming in from 81.103.x.x (i.e. pseudo Class B subnet)
    An additional 7% of probes are coming in from 81.x.x.x (i.e. pseudo Class A subnet)

    The weighting for the pseudo Class B subnet is 13,000 times what you would expect on a random scan, so either my ISP is filtering the probes at its perimeter, or this is most likely doing a Code Red style scan on the local subnets as a priority, either by an automated process or by people running port scanners.

    However, this probing activity appears to have been going on for about a month so I'm not sure this is a new threat, but there does seem to be a lot more activity about.
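The "13,000 times what you would expect" figure in the post above follows from a simple calculation: a /16 is 2^16 of the 2^32 IPv4 addresses, so a uniformly random scanner would send about 1 in 65,536 probes from any given /16, and 20% / (1/65536) is roughly 13,107. The following added example (not code from anyone in the thread) runs that calculation over firewall drop logs of the kind posts #1 and #6 describe. The log format, the sample lines and the observer's own address (81.103.200.1) are constructed for the example; the one real address reused is the 68.85.116.17 source from the netcat capture earlier in the thread.

```python
"""Per-port probe counts and own-subnet weighting over firewall drop logs.

Added example. Log format, sample lines and OWN_IP are constructed;
the format assumed is "<date> <time> DROP <src>:<sport> -> <dst>:<dport> <proto>".
"""
import ipaddress
import re
from collections import Counter

OWN_IP = "81.103.200.1"   # constructed stand-in for the poster's 81.103.x.x address

# Constructed sample: 10 dropped inbound packets.
SAMPLE_LOG = """\
2003-07-29 10:01:12 DROP 81.103.5.20:3021 -> 81.103.200.1:135 TCP
2003-07-29 10:01:40 DROP 81.103.77.3:1044 -> 81.103.200.1:445 TCP
2003-07-29 10:02:03 DROP 81.44.9.1:2180 -> 81.103.200.1:139 TCP
2003-07-29 10:02:31 DROP 68.85.116.17:2118 -> 81.103.200.1:135 TCP
2003-07-29 10:03:05 DROP 210.17.3.9:4402 -> 81.103.200.1:135 TCP
2003-07-29 10:03:49 DROP 12.40.1.2:1187 -> 81.103.200.1:445 TCP
2003-07-29 10:04:12 DROP 195.3.3.3:3390 -> 81.103.200.1:80 TCP
2003-07-29 10:04:58 DROP 61.9.9.9:137 -> 81.103.200.1:137 UDP
2003-07-29 10:05:20 DROP 24.1.1.1:1025 -> 81.103.200.1:135 TCP
2003-07-29 10:05:55 DROP 151.2.2.2:2771 -> 81.103.200.1:445 TCP
"""

LINE_RE = re.compile(
    r"DROP (?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) (?P<proto>TCP|UDP)"
)


def parse_drops(text):
    """Return a list of (source_ip, destination_port) for each DROP line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], int(m["dport"])))
    return events


def port_counts(events):
    """Probes per destination port, most common first."""
    return Counter(port for _, port in events)


def subnet_weighting(events, own_ip, prefixlen):
    """How over-represented is own_ip's /prefixlen among probe sources?

    Returns (local_count, observed_fraction, weighting) where weighting is
    the observed fraction divided by the fraction a uniform random scan of
    the whole IPv4 space would produce, i.e. 1 / 2**prefixlen.
    """
    net = ipaddress.ip_network(f"{own_ip}/{prefixlen}", strict=False)
    total = len(events)
    local = sum(1 for src, _ in events if ipaddress.ip_address(src) in net)
    observed = local / total
    expected = 1 / (2 ** prefixlen)
    return local, observed, observed / expected


if __name__ == "__main__":
    ev = parse_drops(SAMPLE_LOG)
    print("probes per port:", port_counts(ev).most_common())
    for plen in (16, 8):
        local, frac, w = subnet_weighting(ev, OWN_IP, plen)
        print(f"/{plen}: {local} of {len(ev)} probes ({frac:.0%}), "
              f"{w:,.0f}x a random scan")
```

With the sample above the /16 share is 20%, giving a weighting of about 13,107, which matches the post's 13,000 estimate; the /8 share is 30%, or about 77 times random. A weighting far above 1 is the signature of local-subnet-first scanning (the Code Red style behaviour the post mentions), and is also exactly what you would see if the ISP filtered inbound probes at its perimeter, so the number alone cannot tell the two apart.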
