February 26th, 2004, 12:40 AM
Need help! My computer is scanning ports 135, 445 and proxy ports!
I feel pretty stupid asking this question because I'm pretty wary about my computer security and I know quite a bit about security, but I'm no Windows buff or Windows security buff. I'm a Linux guy, but I need Windows for some things, so I can't convert everything to Linux *sad face*. I have a problem. I find my computer scanning ports 445 and 135, and sometimes proxy ports, at different times of the day. I have the current service packs for Windows 2000 installed and all the security updates installed. I also have Norton updated constantly and the newest Ad-Aware by Lavasoft along with Spy Sweeper by Webroot.

I've tried everything. I've gone through all my services that are running in Computer Management. I've gone through my registry and even used some programs to grab my RAM (maybe there was something loaded in RAM) and I've found nothing. I've gone over my computer using forensic tools to determine types of code which will initialize port scans and looked for keywords that may be helpful, and found nothing suspicious. I've gone through all my Windows startup configs and found nothing odd that starts up. I've done numerous sniffing attempts to see if my computer was getting information from something and/or was connected somewhere for just a second and then started scanning, but still NOTHING (I've sniffed for a week straight). I've used a few programs which map ports to programs running, and nothing odd there. The thing I did notice is that svchost.exe and services.exe seem to be processing these scans, but it's not odd for those services to be processing ports at all.

I'm really stumped right now, and I'm sure, since my computer is mass scanning, that this is publicly known already. Anyone have some clues where I could look or what I should do?
I really do not want to reinstall this system, because I do not have broadband nor a CDRW to back things up on here, nor do I feel like having to reinstall a bunch of stuff just because I may be infected with some type of trojan or something.
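One thing the original poster could have done to get a handle on what the box is doing before hunting for the process: run `netstat -an` (`netstat -ano` on XP and later adds a PID column) a few times while the scanning is going on and look at the shape of the connections rather than the port-to-program mapping. The worm pattern is dozens of half-open (SYN_SENT) connects to 135 or 445 on distinct, mostly consecutive addresses that never answer; a real file-sharing client has a handful of ESTABLISHED sessions. The script below does that over captured output. It is an added example, not something posted in the thread; the netstat output in SAMPLE is constructed, and the threshold of 10 distinct hosts is an assumption. The listeners() check is also the one to run after the "disable port 445" registry change quoted later in the thread.

```python
"""Spot worm-style scanning and stray listeners in Windows netstat output."""
import re
from collections import defaultdict

# What the Blaster/Welchia family hammers: the RPC endpoint mapper and SMB over TCP.
WATCHED_PORTS = {135, 445}

# One TCP row of `netstat -an`. The trailing PID column only exists with -o
# (XP and later), so it is optional; Windows 2000 prints nothing after State.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_netstat(text):
    """TCP rows as dicts; headers, UDP rows and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({
                "laddr": m.group(1), "lport": int(m.group(2)),
                "raddr": m.group(3), "rport": int(m.group(4)),
                "state": m.group(5).upper(),
                "pid": int(m.group(6)) if m.group(6) else None,
            })
    return rows


def listeners(rows, ports=frozenset(WATCHED_PORTS | {139})):
    """Watched ports with a LISTENING socket. After blanking TransportBindName
    and rebooting, 445 should drop out of this list."""
    return sorted({r["lport"] for r in rows
                   if r["state"] == "LISTENING" and r["lport"] in ports})


def scan_fanout(rows, ports=WATCHED_PORTS):
    """Destination port -> number of distinct hosts we have a SYN_SENT to.
    A file-sharing client talks to a handful of servers; a worm has dozens of
    half-open connects at once, most of them to hosts that never answer."""
    targets = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_SENT" and r["rport"] in ports:
            targets[r["rport"]].add(r["raddr"])
    return {port: len(hosts) for port, hosts in targets.items()}


def targets_per_subnet(rows, ports=WATCHED_PORTS):
    """/24 prefix -> distinct hosts probed in it. A sweep of one subnet is the
    give-away that this is a scanner, not a user opening shares."""
    per = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_SENT" and r["rport"] in ports:
            per[r["raddr"].rsplit(".", 1)[0]].add(r["raddr"])
    return {net: len(hosts) for net, hosts in per.items()}


def suspicious(rows, threshold=10):
    """Ports whose fan-out meets the threshold; empty means nothing worm-like.
    The threshold of 10 is an assumption, not a published figure."""
    return {p: n for p, n in scan_fanout(rows).items() if n >= threshold}


# Constructed netstat -an output: normal listeners and one real SMB session,
# plus a sweep of 192.168.2.0/24 on 135 of the kind the poster describes.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.5:1051       10.0.0.17:135          SYN_SENT
  TCP    192.168.1.5:1200       192.168.3.9:445        SYN_SENT
  UDP    0.0.0.0:137            *:*
""" + "".join(f"  TCP    192.168.1.5:{1100 + i}    192.168.2.{i}:135    SYN_SENT\n"
              for i in range(1, 13))


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("listening on:", listeners(rows))
    print("half-open connects per port:", scan_fanout(rows))
    print("hosts probed per /24:", targets_per_subnet(rows))
    print("worm-like:", suspicious(rows) or "nothing")
```

On a live box, redirect netstat output to a file every few seconds and run parse_netstat over each capture; the fan-out should be near zero on a clean machine and climb sharply while the scanning is active. Windows 2000's netstat has no -o, so tying a port to a process still needs the port-to-program mapper the poster already used, but the snapshot tells you when to look.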
February 26th, 2004, 01:09 AM
Sorry to say this old chap but you seem to be owned.
Please find "HijackThis"... run it, save the log file and post that here, so we can see what is going on.
svchost.exe is normal, and you can have several at once, but it can also be malware... and if it is scanning, it might well be.
DON'T delete the executable unless you want to use *nix permanently
Try running UPDATED versions of your AV, AdAware and SpyBot S&D in SAFE MODE first.
Post back your hijack this log
February 26th, 2004, 04:09 AM
What you said got me thinking about svchost a little more being somehow malware. I figured, why couldn't it be misused or infected? So I did a search on the drive for it, because I thought that maybe it wasn't a legit svchost, and sure enough I found svchost a few times on my drive. Slick little way of hiding it, and the reason I never thought about it. Well, the date was very recent, 2/13/04 to be exact, and I also found a file in IE's temp file dir that was the same date and time. Since I don't use IE because it sucks, just for that reason, I guess while I was out and my girlfriend was using my computer she used IE instead of Mozilla, so I guess some IE exploit owned my box and uploaded and ran it. I searched around the net with the information found and it seemed to be a Welchia variant which started on the 11th of this month. Funny how Norton didn't pick this up until I reinstalled it and updated (maybe it messed with Norton in some way?). Figures, even with IE patched and all and running the most current IE (even though I don't use it). Sucks. Can't Microsoft suck any more? Jeez. Well, right now I'm in the works of removing it and fixing my system after all the bull I've gone through. I thank you for your advice, because if it wasn't for what you said I probably wouldn't have got that idea.
February 26th, 2004, 04:29 AM
Wait, wait, wait, don't do anything yet!... Remember the merinjin site being DDoSed. He might have a zombie.
Note all these new members claiming they've been hacked. We need to make sure they are not carrying one of the zombies.
Vulnerabilities for this port (from CVE)
CVE ID Protocol Source Port Targetport
CAN-2003-0605 tcp any 135
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
CAN-2003-0528 tcp any 135
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715.
CAN-2003-0352 6 any 135
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN worm.
What's port 445 used for in Windows 2000/XP?
Among the new ports used by Windows 2000, Windows XP and Windows Server 2003, is TCP port 445 which is used for SMB over TCP.
The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2000/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP/2003, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
At its simplest NetBIOS on your LAN may just be a necessary evil. NetBIOS on your WAN or over the Internet, however, is an enormous security risk. All sorts of information, such as your domain, workgroup and system names, as well as account information is obtainable via NetBIOS. It really is in your best interests to ensure that NetBIOS never leaves your network.
If you are using a router as your Internet gateway then you will want to ensure that it does not allow inbound or outbound traffic via TCP ports 135-139.
If you're using a Firewall then you should also block the same ports - TCP ports 135-139.
If you are using a multi-homed machine i.e. more than 1 network card, then you should disable NetBIOS on every network card, or Dial-Up Connection under the TCP/IP properties, that is not part of your local network.
How to disable NetBIOS over TCP/IP?
In Windows 2000/XP/2003 you have the possibility to disable NetBIOS over TCP/IP. You do this by right-clicking on My Network Places and selecting Properties. Then right-click on the appropriate Local Area Connection icon, and select Properties.
Next, click on Internet Protocol (TCP/IP) and Properties.
Now click Advanced, and select the WINS tab.
There you can enable or disable NetBIOS over TCP/IP.
The changes take effect immediately without rebooting the system.
You will get an event in your event log if you do not also disable the TCP/IP NetBIOS Helper service. You can disable this service in Control Panel > Administrative Tools > Services if desired.
For more issues on this please read the Disable NetBIOS in W2K/XP/2003 page.
How to disable port 445?
You can easily disable port 445 on your computer. To do so follow these instructions:
Start Registry Editor (Regedit.exe).
Locate the following key in the registry:
In the right-hand side of the window find an option called TransportBindName.
Double click that value, and then delete the default value, thus giving it a blank value.
Close the registry editor.
Reboot your computer.
After rebooting open a command prompt and in it type
See that your computer no longer listens to port 445.
Client/Server port usage
When does Windows 2000/XP/2003 use port 445, and when does it use 139?
From now on I will refer to the "client" as the computer from where you map drives and other shared resources, and to the "server" as the computer with resources that are shared. I will also refer to NetBIOS over TCP/IP only as NetBT.
If the client has NetBT enabled, it will always try to connect to the server at both port 139 and 445 simultaneously. If there is a response from port 445, it sends a RST to port 139 and continues its SMB session on port 445 only. If there is no response from port 445, it will continue its SMB session on port 139 only, if it gets a response from there. If there is no response from either of the ports, the session will fail completely.
If the client has NetBT disabled, it will always try to connect to the server at port 445 only. If the server answers on port 445, the session will be established and continue on that port. If it doesn't answer, the session will fail completely. This is the case if the server for example runs Windows NT 4.0.
If the server has NetBT enabled, it listens on UDP ports 137, 138, and on TCP ports 139, 445. If it has NetBT disabled, it listens on TCP port 445 only.
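The client-side port selection described in the three paragraphs above, as an added example in Python (not code from the thread or from Microsoft): it races connections to the "445" and "139" ports the way the text says the Windows client does, prefers 445 and resets the 139 connection, falls back to 139 when NetBT is enabled, and fails outright against a 139-only (NT 4.0 style) server when NetBT is disabled. The demo() function stands up loopback listeners to play the server, so the two ports are parameters rather than the literal 445 and 139; that, and the assumption that nothing real is listening on the loopback ports it picks, are the only things it assumes.

```python
"""Model of the Windows 2000/XP SMB client's 445-vs-139 port selection."""
import socket
import struct
import threading


def _try_connect(host, port, timeout, result):
    """Open a TCP connection to host:port; record the socket (or None) in result."""
    try:
        result[port] = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        result[port] = None


def _reset(sock):
    """Close with a RST rather than a FIN, which is what the client sends to 139
    once 445 has answered. SO_LINGER with a zero timeout does that on Linux;
    fall back to a plain close where the platform rejects the option."""
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    except OSError:
        pass
    sock.close()


def choose_smb_port(host, netbt_enabled=True, timeout=2.0, port_445=445, port_139=139):
    """Return (port, socket) the SMB session continues on, or (None, None) if it
    fails. With NetBT enabled both ports are tried at once and 445 wins; with
    NetBT disabled only 445 is tried, so a 139-only server (NT 4.0) fails."""
    ports = [port_445, port_139] if netbt_enabled else [port_445]
    result = {}
    threads = [threading.Thread(target=_try_connect, args=(host, p, timeout, result))
               for p in ports]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    if result.get(port_445) is not None:
        if result.get(port_139) is not None:
            _reset(result[port_139])           # 445 answered: RST the 139 attempt
        return port_445, result[port_445]
    if result.get(port_139) is not None:       # only reachable when NetBT is enabled
        return port_139, result[port_139]
    return None, None


def _listener():
    """Loopback listener standing in for a server port; the kernel completes the
    handshake without accept(), which is all the client-side race needs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


def _closed_port():
    """A port nothing listens on (bound then released), so connects are refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the three cases from the text against loopback stand-ins for 445 and
    139. Returns case -> '445', '139' or None (session fails)."""
    p445, srv445 = _listener()
    p139, srv139 = _listener()
    dead = _closed_port()
    names = {p445: "445", p139: "139"}
    cases = {
        "both_answer": (True, p445, p139),         # 445 wins, 139 is reset
        "only_139_netbt_on": (True, dead, p139),   # falls back to 139
        "only_139_netbt_off": (False, dead, p139), # NetBT off vs NT4-style server: fails
    }
    out = {}
    for name, (netbt, a, b) in cases.items():
        port, sock = choose_smb_port("127.0.0.1", netbt, port_445=a, port_139=b)
        out[name] = names.get(port)
        if sock is not None:
            sock.close()
    srv445.close()
    srv139.close()
    return out


if __name__ == "__main__":
    print(demo())
```

Against a real server, call choose_smb_port(host) with the defaults and watch the exchange in a sniffer: with NetBT on you should see SYNs to both ports and a RST to 139 as soon as 445 completes, which is the same traffic shape the text describes for a Windows 2000/XP client.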
February 26th, 2004, 04:43 AM
And so the plot thickens; the story once again twists in another direction.
This is better than daytime TV; there are more twists and turns and it's so exciting.
Well, anyhow, what cybrid says sounds kinda right in a way. If you notice, there have been a lot of questions from people thinking that they have been hacked; maybe there's something going on.
And we are only seeing a small portion of it now, but give it time and BAMM, it will expose itself.
Maybe some "skiddie" got himself a new toy and is trojaning everyone he can, and building up a huge collection of zombie boxes, and then uses them to DDoS some unfortunate soul's server??
Well, now I'm all confused. What was the question again?
Oh, that's right. I say if you're still paranoid once you have removed the virus, then just do a clean install. That's right, format the drives, go crazy and format everything in sight.
Then if you're still paranoid, just disconnect from the net and then you'll be safe.
February 26th, 2004, 03:09 PM
Set up a Linux box as a firewall and monitor it through that.
That's what I'd do, knowing Linux can be used as a firewall box... I have barely learned Linux but know this is possible... someone else can probably elaborate how.
This gives you not only a way to monitor things better but a solid firewall...
Or get a Linksys/other home router and set it up. That will stop incoming 137 stuff. Also
make sure NetBIOS over TCP/IP is disabled. I believe that's in advanced TCP/IP protocol settings under My Network Places (right-click) Properties -> TCP/IP -> Properties.
ACK... as was mentioned above.
Sorry, have a migraine, skimming the posts...
The ark was built by amateurs...
The Titanic was built by professionals.