-
March 9th, 2004, 09:42 PM
#1
Junior Member
firewall log
As soon as I connect to the internet through my ISP (dialup) my computer is attacked on port 135. What I understood is that port 135 is attacked by Blaster and other viruses. I am attaching my firewall log. It looks like port 135 is scanned by some random IP. I need some detailed comment on this log, and is my computer at risk? Thanks in advance.
-
March 9th, 2004, 11:25 PM
#2
Intrusion: MS_RPC_DCOM_BufferOverflow.Intruder: 207.93.174.16(4626).Risk Level: High.Protocol: TCP.Attacked IP: VaioLaptop(207.93.174.103).Attacked Port: epmap(135)
You can see in the log listed above that it clearly states the nature of the attack. Most likely a Blaster variant. You could defend yourself a great number of ways. First, you need to make sure you have downloaded all the Windows Critical Updates, because if your firewall is disabled, then the attacker could gain control of your computer. After that, you need to tweak your firewall. I like to block any service I don't use, or can't turn off (such as NetBIOS). Block all traffic to TCP 135. Just a thought...
It is better to be HATED for who you are, than LOVED for who you are NOT.
THC/IP Version 4.2
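Post #2 reads the attack straight out of the firewall's one-line intrusion record. As an added example (my own code, not from the thread or from any firewall vendor), this Python script parses that record format into fields and counts hits per intruder and attacked port; the sample line is the one quoted above, and the field names are my own assumption.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample: the intrusion line quoted in post #2, stray quote removed.
SAMPLE_LOG_LINE = (
    "Intrusion: MS_RPC_DCOM_BufferOverflow.Intruder: 207.93.174.16(4626)."
    "Risk Level: High.Protocol: TCP.Attacked IP: VaioLaptop(207.93.174.103)."
    "Attacked Port: epmap(135)"
)

# Ports the thread wants closed: RPC endpoint mapper (135), NetBIOS (137-139), SMB (445).
WATCHED_PORTS = {135, 137, 138, 139, 445}

# The record is a run of "Label: value." segments; port numbers sit in parentheses.
LOG_RE = re.compile(
    r"Intrusion:\s*(?P<name>[^.]+)\."
    r"Intruder:\s*(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)\."
    r"Risk Level:\s*(?P<risk>[^.]+)\."
    r"Protocol:\s*(?P<proto>[^.]+)\."
    r"Attacked IP:\s*(?P<dst_host>[^(]+)\((?P<dst_ip>[\d.]+)\)\."
    r"Attacked Port:\s*(?P<dst_svc>[^(]+)\((?P<dst_port>\d+)\)"
)

def parse_intrusion(line: str) -> Optional[Dict[str, object]]:
    """Parse one intrusion line into a dict; None when the line is not in this format."""
    m = LOG_RE.search(line.strip().strip('"'))
    if not m:
        return None
    ev = {k: v.strip() for k, v in m.groupdict().items()}
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev

def is_watched(ev: Dict[str, object]) -> bool:
    """True when the attacked port is one the thread wants closed."""
    return ev["dst_port"] in WATCHED_PORTS

def hits_by_source(lines: Iterable[str]) -> Dict[Tuple[str, int], int]:
    """Count watched-port events per (intruder IP, attacked port) to spot repeat scanners."""
    counts: Counter = Counter()
    for ev in map(parse_intrusion, lines):
        if ev is not None and is_watched(ev):
            counts[(ev["src_ip"], ev["dst_port"])] += 1
    return dict(counts)
```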
-
March 9th, 2004, 11:44 PM
#3
virtam,
The Dr. provided a great prognosis and for XP, if you want to close port 135 using a hexedit here ya go:
A step by step provided by a chap named Rodney from another forum:
http://www.security-forums.com/foru...5&view=next
Well, I tried many ways to close it and at last I got it.
1) run regedit.exe
2) goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
save ImagePath data.
3) Restart the computer. It may take a longer time to start, it may give you some errors, and it may also change the Windows XP taskbar, but this will return to normal after restoring the ImagePath data (click the file you have exported) or pasting the data you saved.
4) You need a hex editor to open this file: c:\windows\system32\rpcss.dll. In hex/binary, find this number 1.3.5, in hex 31 00 33 00 35, in the file (this is the port number).
5) Change this to 0.0.0, in hex 30 00 30 00 30 (port 0 does not exist).
6) Run regedit.exe and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs and restore the ImagePath data (you can just click the file you have exported) or paste the data you saved.
7)restart the computer
8)run netstat -a in cmd to check the port
If you don't want to use a hex editor, here's a post by HTRegz on 3/7/2004 that shows you how to close it by registry editing:
Hey Hey,
So you want to do it without hex editing eh... How about a lot of registry editing?
quote:
Source: DSLReports.com
Re: How do I..
Basically you can close the port, but if you do you are shutting a lot of functionality off... It's also not an easy task to do.... I wrote up a breakdown on how to harden your system in the Kerio security forum once... But I only mentioned this since it's a difficult process... I will include a similar breakdown here:
A secure system is one that doesn't advertise shares using netbios and closes ports 135-139 and port 445.
However you can skip Section 1, to try and avoid losing some functionality.
Section 1: Turning off Netbios
(Warning: this will disable your ability to share anything.)
(If you truly need to share files, consider running an FTP server such as Raiden.)
Summary: Basically disable all NetBIOS drivers, reboot, and your ports should be closed.
How to do it:
1. First go into your services and turn off NetBIOS helper.
2. Then go to My Computer\Hardware\Device Manager, click on View, Show hidden devices, look for Non-Plug and Play Drivers, then look for NetBIOS and disable it.
3. Reboot; if no errors occur, you're set.
4. Go to a DOS prompt and double check to see if port 135 is closed. Type: netstat -an.
5. If not, go to Section 2.
(You should see that ports 135-139 are missing and port 445 is closed as well.)
Section 2: The hard way of closing port 135, you
1. Open regedt32
2. Export below keys into a backup reg file.
3. Change items below in registry.
Basically find:
HKLM\Software\Microsoft\OLE
Look for: EnableDCOM
Look for: EnableRemoteConnect
Change value from: Y to N
(If not present then add it.)
(Reg_SZ)
Then go to:
HKLM\Software\Microsoft\RPC\ClientProtocols
Look for: ncacn_ip_tcp
Look for: ncadg_ip_udp
Remove Them.
(Reg_SZ)
HKLM\Software\Microsoft\RPC\DCom Protocols
Look for: ncacn_ip_tcp
Remove It.
(Reg_Multi_SZ)
Section 3: Closing Port 445.
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Look for: SMBDeviceEnabled
Change it to: 00000000
(If not present then add it.)
(To simplify some of it, copy the text below to a text file, name it Dcom-Smboff.reg, double click on the file and it should make the changes automatically. Remember this will not remove any of the ncacn reg entries; those have to be done by hand.)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableRemoteConnect"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SMBDeviceEnabled"=dword:00000000
If you perform all these steps this should turn off ports 135 and 445, and stop remote users from running any programs.
Reply to this message if you have questions.
Hardened.
I haven't tried this, but the logic seems sound. You really do lose a LOT of functionality though. Say goodbye to file/print sharing. Good luck with your efforts.
Peace,
HT
PS: That took less than 3 minutes of searching on google using this search. It's the second result.
Both of these and more info are available in this discussion:
http://www.antionline.com/showthread...hreadid=255547
Good Luck,
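Both recipes above end with the same check: run netstat -an and confirm that 135-139 and 445 no longer show up. As an added example (my own code, not from the thread or from Windows), this Python script parses a constructed netstat -an listing and reports which of those ports are still bound, so the check can be scripted instead of eyeballed; the sample listing and its addresses are made up for the example.

```python
import re
from typing import Dict, List, Set

# Ports the thread wants closed: RPC endpoint mapper (135), NetBIOS (137-139), SMB (445).
TARGET_PORTS = {135, 137, 138, 139, 445}

# Constructed sample shaped like `netstat -an` on Windows XP before hardening
# (not captured from a real machine; 192.0.2.x is a documentation range).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.5:139          0.0.0.0:0              LISTENING
  TCP    192.0.2.5:1032         192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.5:137          *:*
  UDP    192.0.2.5:138          *:*
"""

# One socket row: proto, local ip:port, foreign address, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn netstat -an output into rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        rows.append({"proto": proto, "local_ip": ip,
                     "local_port": int(port), "state": state or ""})
    return rows

def open_target_ports(text: str) -> Set[int]:
    """Target ports still bound: a TCP listener, or any UDP socket (UDP shows no state)."""
    found = set()
    for r in parse_netstat(text):
        if r["local_port"] in TARGET_PORTS and (
                r["proto"] == "UDP" or r["state"] == "LISTENING"):
            found.add(r["local_port"])
    return found

def hardening_report(text: str) -> Dict[int, str]:
    """'open'/'closed' per target port: the check in Section 1 step 4 and Rodney's step 8."""
    still_open = open_target_ports(text)
    return {p: ("open" if p in still_open else "closed") for p in sorted(TARGET_PORTS)}
```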