
Thread: firewall log

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    13

    firewall log

    As soon as I connect to the internet through my ISP (dialup), my computer is attacked on port 135. What I understood is that port 135 is attacked by Blaster and other viruses. I am attaching my firewall log. It looks like port 135 is scanned by some random IP. I need some detailed comment on this log, and is my computer at risk? Thanks in advance.

  2. #2
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    "Intrusion: MS_RPC_DCOM_BufferOverflow.Intruder: 207.93.174.16(4626).Risk Level: High.Protocol: TCP.Attacked IP: VaioLaptop(207.93.174.103).Attacked Port: epmap(135)"


    You can see in the log listed above that it clearly states the nature of the attack. Most likely a Blaster variant. You could defend yourself in a great number of ways. First, you need to make sure you have downloaded all the Windows Critical Updates, because if your firewall is disabled, then the attacker could gain control of your computer. After that, you need to tweak your firewall. I like to block any service I don't use, or can't turn off (such as NetBIOS). Block all traffic to TCP 135. Just a thought...
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2
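    The alert quoted in the post above is a single line with every field run together. As an added example that is not part of the thread, here is a PowerShell snippet that parses lines in that format and flags the ones aimed at the Windows RPC/NetBIOS/SMB ports. The first sample line reproduces the quoted alert; the other two are constructed for the example. One thing the parse makes visible: the intruder address sits in the same /24 as the attacked laptop, which is what you would expect from a worm scanning addresses near its own rather than from someone picking this host on purpose.

```powershell
# Added example, not from the original thread. Parses Norton-style intrusion
# alerts like the one quoted in the post above and flags those aimed at the
# Windows RPC/NetBIOS/SMB ports. Sample lines are constructed for this example;
# the first one reproduces the alert quoted in the thread.

$SampleLog = @'
Intrusion: MS_RPC_DCOM_BufferOverflow.Intruder: 207.93.174.16(4626).Risk Level: High.Protocol: TCP.Attacked IP: VaioLaptop(207.93.174.103).Attacked Port: epmap(135)
Intrusion: SMB_Probe.Intruder: 198.51.100.7(3321).Risk Level: Medium.Protocol: TCP.Attacked IP: VaioLaptop(207.93.174.103).Attacked Port: microsoft-ds(445)
Intrusion: HTTP_Probe.Intruder: 203.0.113.5(51000).Risk Level: Low.Protocol: TCP.Attacked IP: VaioLaptop(207.93.174.103).Attacked Port: http(80)
'@

# Ports the Blaster-era worms and their scanners go after: RPC endpoint mapper,
# NetBIOS name/datagram/session, and SMB over TCP.
$WindowsServicePorts = 135, 137, 138, 139, 445

# One regex for the whole line; every field becomes a named group.
$AlertPattern = 'Intrusion: (?<sig>[^.]+)\.Intruder: (?<srcip>[\d.]+)\((?<srcport>\d+)\)\.' +
                'Risk Level: (?<risk>\w+)\.Protocol: (?<proto>\w+)\.' +
                'Attacked IP: (?<host>[^(]+)\((?<dstip>[\d.]+)\)\.Attacked Port: (?<svc>[^(]+)\((?<dstport>\d+)\)'

function ConvertFrom-AlertLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -notmatch $AlertPattern) { return $null }   # unknown format: skip it
    $src24 = $Matches.srcip -replace '\.\d+$'
    $dst24 = $Matches.dstip -replace '\.\d+$'
    [pscustomobject]@{
        Signature      = $Matches.sig
        SourceIP       = $Matches.srcip
        SourcePort     = [int]($Matches.srcport)
        Risk           = $Matches.risk
        Protocol       = $Matches.proto
        TargetIP       = $Matches.dstip
        TargetPort     = [int]($Matches.dstport)
        Service        = $Matches.svc
        # Attacker in the same /24 as the victim: typical of a worm scanning
        # addresses near its own, not of a targeted attack.
        SameSlash24    = ($src24 -eq $dst24)
        WindowsService = $WindowsServicePorts -contains [int]($Matches.dstport)
    }
}

$Alerts = $SampleLog -split "`r?`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { ConvertFrom-AlertLine $_ }

$Alerts | Format-Table Signature, SourceIP, TargetPort, Risk, SameSlash24, WindowsService -AutoSize

# Anything high-risk on a Windows service port deserves a firewall rule and patches
# before the next dial-up session.
$Alerts | Where-Object { $_.WindowsService -and $_.Risk -eq 'High' } | ForEach-Object {
    "ACTION: drop inbound TCP/{0} ({1}) from {2}; patch before reconnecting" -f $_.TargetPort, $_.Service, $_.SourceIP
}
```

    Paste your own exported log into $SampleLog (or replace it with Get-Content on the log file) and the table shows at a glance which alerts are noise and which hit the ports the rest of this thread is about closing.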

  3. #3
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    virtam,

    The Dr. provided a great prognosis, and for XP, if you want to close port 135 using a hex edit, here ya go:

    A step by step provided by a chap named Rodney from another forum:

    http://www.security-forums.com/foru...5&view=next

    Well, I tried many ways to close it and at last I got it.

    1) Run regedit.exe

    2) Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
    and save the ImagePath data.

    3) Restart the computer. It may take a longer time to start, it may give you some errors, and it may also change the Windows XP taskbar, but this will return to normal after restoring the ImagePath data (click the file you have exported) or pasting the data you saved.

    4) You need a hex editor to open this file,
    c:\windows\system32\rpcss.dll, in hex/binary.
    Find the number 1.3.5, in hex 31 00 33 00 35, in the file (this is the port number).

    5) Change this to 0.0.0, in hex 30 00 30 00 30 (port 0 does not exist).

    6) Run regedit.exe, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs and
    restore the ImagePath data (you can just click the file you have exported) or paste the data you saved.

    7) Restart the computer.

    8) Run netstat -a in cmd to check the port.



    If you don't want to use a hex editor, here's a post by HTRegz on 3/7/2004 that shows you how to close it by registry editing:

    Hey Hey,

    So you want to do it without hex editing, eh... How about a lot of registry editing?


    quote:

    Source: DSLReports.com

    Re: How do I..
    Basically you can close the port, but if you do
    you are shutting a lot of functionality off...

    It's also not an easy task to do....
    I wrote up a breakdown on how to harden your system in the Kerio security forum once...

    But I only mentioned this since it's a difficult process... I will include a similar breakdown here:

    A secure system is one that doesn't advertise shares using netbios and closes ports 135-139 and port 445.
    However you can skip Section 1, to try and avoid losing some functionality.

    Section 1: Turning off Netbios

    (Warning: this will disable your ability to share anything.)
    (If you truly need to share files,
    consider running an FTP server such as Raiden.)

    Summary: Basically disable all NetBIOS drivers,
    reboot, and your ports should be closed.

    How to do it:

    1. First go into your services and turn off NetBIOS helper.
    2. Then go to My Computer\Hardware\Device Manager,
    click on View, Show hidden devices,
    look for Non-Plug and Play Drivers,
    then look for NetBIOS, disable it.
    3. Reboot; if no errors occur, you're set.
    4. Go to a DOS prompt, and double check
    to see if port 135 is closed.
    Type: netstat -an.
    5. If not, go to Section 2.

    (You should see that ports 135-139 are missing and port 445
    is closed as well.)

    Section 2: The hard way of closing port 135, you

    1. Open regedt32
    2. Export below keys into a backup reg file.
    3. Change items below in registry.

    Basically find:
    HKLM\Software\Microsoft\OLE
    Look for: EnableDCOM
    Look for: EnableRemoteConnect
    Change value from: Y to N
    (If not present then add it.)
    (Reg_SZ)

    Then go to:
    HKLM\Software\Microsoft\RPC\ClientProtocols
    Look for: ncacn_ip_tcp
    Look for: ncadg_ip_udp
    Remove them.
    (Reg_SZ)

    HKLM\Software\Microsoft\RPC\DCom Protocols
    Look for: ncacn_ip_tcp
    Remove It.
    (Reg_Multi_SZ)

    Section 3: Closing Port 445.

    HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    Look for: SMBDeviceEnabled
    Change it to: 00000000
    (If not present then add it.)

    (To simplify some of it, copy the text below to a text file and name it Dcom-Smboff.reg. Double click on the file and it should make the changes automatically. Remember this will not remove any of the ncacn reg entries; those have to be done by hand.)

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "EnableDCOM"="N"
    "EnableRemoteConnect"="N"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
    "SMBDeviceEnabled"=dword:00000000

    If you perform all these steps, this should turn off ports 135 and 445, and stop remote users from running any programs.

    Reply to this message if you have questions.

    Hardened.


    I haven't tried this, but the logic seems sound. You really do lose a LOT of functionality though. Say goodbye to file/print sharing. Good luck with your efforts.

    Peace,
    HT

    PS: That took less than 3 minutes of searching on Google using this search. It's the second result.



    Both of these, and more info, are available in this discussion:

    http://www.antionline.com/showthread...hreadid=255547


    Good Luck,
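    Both procedures in the post above are XP-era advice typed into regedit by hand. As an added example that is not part of the thread, here is the DSLReports recipe (Sections 2 and 3) as a PowerShell script that backs up each affected key before touching it, applies the changes, and then reports which of the ports are still listening. It assumes an elevated prompt and a reboot afterwards, and it uses Get-NetTCPConnection and Get-NetUDPEndpoint, which exist on Windows 8 / Server 2012 and later; on older systems use the netstat -an check the posts describe. Two details differ from the quoted text: the UDP client protocol value is named ncadg_ip_udp, and "DCOM Protocols" is a REG_MULTI_SZ value under HKLM\SOFTWARE\Microsoft\Rpc rather than a key of its own. The rpcss.dll hex edit from the first procedure is not reproduced: hand-patching a system binary is the wrong tool when a firewall rule on TCP 135 achieves the same thing. Expect the functionality loss the posts warn about.

```powershell
# Added example, not from the thread. Scripts the DSLReports registry recipe
# (Sections 2 and 3 above): back up each affected key, apply the changes, then
# report which of the RPC/NetBIOS/SMB ports are still listening. Run elevated;
# the changes take effect after a reboot. Assumes Get-NetTCPConnection and
# Get-NetUDPEndpoint are available (Windows 8 / Server 2012 or later).

$ErrorActionPreference = 'Stop'
$BackupDir = Join-Path $env:TEMP ('port135-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $BackupDir | Out-Null

# Keys touched below. Rpc covers both the ClientProtocols subkey and the
# "DCOM Protocols" value, so three exports are enough.
$KeysToBackup = 'HKLM\SOFTWARE\Microsoft\Ole',
                'HKLM\SOFTWARE\Microsoft\Rpc',
                'HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Backup-RegistryKey {
    param([string]$Key, [string]$Directory)
    $file = Join-Path $Directory (($Key -replace '[\\:]', '_') + '.reg')
    & reg.exe export $Key $file /y | Out-Null   # same .reg format as the file in the post
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $Key" }
    $file
}

function Disable-DcomAndSmb {
    # Section 2: no DCOM, no remote activation. REG_SZ "Y"/"N", as the post says.
    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    Set-ItemProperty -Path $ole -Name EnableDCOM          -Value 'N' -Type String
    Set-ItemProperty -Path $ole -Name EnableRemoteConnect -Value 'N' -Type String

    # Drop the TCP and UDP RPC client protocol sequences (absent entries are fine).
    $client = 'HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'
    foreach ($seq in 'ncacn_ip_tcp', 'ncadg_ip_udp') {
        Remove-ItemProperty -Path $client -Name $seq -ErrorAction SilentlyContinue
    }

    # "DCOM Protocols" is a REG_MULTI_SZ value under ...\Rpc; strip ncacn_ip_tcp
    # from it and keep whatever else is listed.
    $rpc  = 'HKLM:\SOFTWARE\Microsoft\Rpc'
    $item = Get-ItemProperty -Path $rpc -Name 'DCOM Protocols' -ErrorAction SilentlyContinue
    if ($item) {
        $kept = @(@($item.'DCOM Protocols') | Where-Object { $_ -ne 'ncacn_ip_tcp' })
        Set-ItemProperty -Path $rpc -Name 'DCOM Protocols' -Value ([string[]]$kept) -Type MultiString
    }

    # Section 3: no SMB over TCP/445 (REG_DWORD 0).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name SMBDeviceEnabled -Value 0 -Type DWord
}

function Get-ExposedWindowsPorts {
    # Sockets bound to the ports the thread is about. Empty output after the
    # reboot means they are closed; anything listed still needs a firewall rule.
    # 137/138 are UDP, so TCP listeners alone would miss them.
    $watch = 135, 137, 138, 139, 445
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $watch -contains $_.LocalPort } |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $watch -contains $_.LocalPort } |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess
    @($tcp) + @($udp) | Select-Object Proto, LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

foreach ($key in $KeysToBackup) { "backed up $key -> $(Backup-RegistryKey -Key $key -Directory $BackupDir)" }
Disable-DcomAndSmb
"Before reboot, still bound:"
Get-ExposedWindowsPorts | Format-Table -AutoSize
"Reboot, rerun Get-ExposedWindowsPorts (or netstat -an) and confirm 135 and 445 are gone."
```

    To undo, double-click the .reg files the script wrote to the backup directory and reboot; that restores every value, including the ncacn entries the post says must be removed by hand.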
