I have been getting steadily increased activity directed at port 135 over the last day. My firewall is now logging one attempt every couple of minutes or less.
Has anyone else noticed this increase?
Are they connection attempts or just scans? I have seen a lot of people reporting an increase of scans on this port.
At the moment I don't know what they are, I am picking up dropped TCP packets in my firewall log. I am going to fire up netcat to try and capture some traffic. They started getting more frequent in the last hour.
The new RPC exploit is causing this. Make sure you're patched!
More Info
Quote:
Yup, this should be the reason. I've noticed a steady rise over the past week or so, should be due to the RPC flaw. You can find more information and the patch here: http://support.microsoft.com/default...b;en-us;823980
Thanks DeadCr0w, I suspected it was the recent RPC thing.
They seem to be scans:
connect to [0.0.0.0] from pcp02763925pcs.grenwy01.pa.comcast.net [68.85.116.17]
2118
sent 0, rcvd 0
I have the ports blocked already and I will patch it.
I'm seeing a BIG increase in port 445 scans, mostly from fairly "local addresses" too. This could be related to the RPC scans I think. In any case, it looks like something might be up.
This is from the link I posted up there:
Quote:
In both of the attacks described above, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.
Unless you have a burning need for RPC across the internet ports 135 and 445 should always be blocked..... There is no benefit to having them open and there are tons of bad things that they open you up to. If you have them blocked then the RPC DCOM exploit currently in the news is no danger to you.
Oh, and yes I have noticed a large increase in scan traffic on both ports over the last week. I have my firewall set to automatically place any computer on the internet on the blocked sites list for any attempt to connect to my network on these and some other ports. Yes, I am aware of the potential for DOS...... :p but as far as I am concerned no-one should be trying to connect to this network on either port so there is something not right with any machine that tries so....... It goes in the "blocked bin" for a few days until the time limit I have set kicks in.
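The "blocked bin" with a time limit described in the post above, written out as an added example (this is not code from the thread or from any poster's firewall): a source that probes a watched port is blocked for a fixed period and then drops off the list on its own. The watched port set, the three-day default and the exempt networks are assumptions chosen for illustration; the exempt list is the simplest way to bound the denial-of-service risk the poster mentions, since a spoofed probe can otherwise knock a host you care about onto the list.

```python
from datetime import datetime, timedelta
import ipaddress

# Ports that should never see inbound connections from the internet here
# (assumed set for the example; the post names 135 and 445 plus "some other ports").
WATCHED_PORTS = {135, 139, 445}


class AutoBlockList:
    """Temporary block list: any source that probes a watched port is blocked
    for `ttl`, after which the entry lapses automatically.

    `never_block` holds networks that are exempt from auto-blocking (for
    instance your own monitoring hosts or upstream DNS). This caps the damage
    if someone deliberately triggers blocks using spoofed source addresses.
    """

    def __init__(self, ttl=timedelta(days=3), never_block=()):
        self.ttl = ttl
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self._expiry = {}  # source address -> datetime at which the block lapses

    def _exempt(self, addr):
        return any(addr in net for net in self.never_block)

    def record_attempt(self, src, dst_port, now):
        """Register a dropped connection attempt. Returns True if it caused
        (or extended) a block, False if the port or source is not eligible."""
        addr = ipaddress.ip_address(src)
        if dst_port not in WATCHED_PORTS or self._exempt(addr):
            return False
        self._expiry[addr] = now + self.ttl  # a repeat probe extends the block
        return True

    def is_blocked(self, src, now):
        """True while the source's block is active; lapsed entries are dropped."""
        addr = ipaddress.ip_address(src)
        lapses_at = self._expiry.get(addr)
        if lapses_at is None:
            return False
        if now >= lapses_at:
            del self._expiry[addr]
            return False
        return True

    def purge(self, now):
        """Remove every lapsed entry; returns how many were removed."""
        lapsed = [a for a, e in self._expiry.items() if now >= e]
        for a in lapsed:
            del self._expiry[a]
        return len(lapsed)

    def active(self):
        return sorted(str(a) for a in self._expiry)


def replay(events, blocklist):
    """Feed constructed (timestamp, src, dst_port) events through the list and
    return the addresses blocked at the end of the replay."""
    last = None
    for when, src, port in events:
        blocklist.record_attempt(src, port, when)
        last = when
    if last is not None:
        blocklist.purge(last)
    return blocklist.active()


if __name__ == "__main__":
    t0 = datetime(2003, 8, 1, 10, 0, 0)
    # Constructed events: two probes to watched ports, one web hit, one from an exempt host.
    events = [
        (t0, "68.85.116.17", 135),
        (t0 + timedelta(minutes=1), "10.20.30.40", 445),
        (t0 + timedelta(minutes=2), "10.20.30.41", 80),
        (t0 + timedelta(minutes=3), "192.168.1.5", 135),
    ]
    bl = AutoBlockList(never_block=["192.168.1.0/24"])
    print("blocked after replay:", replay(events, bl))
```

`is_blocked` is what the packet filter would consult on each inbound SYN; because it expires entries lazily and `purge` sweeps the rest, the list never needs a separate timer.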
My IP is 81.103.x.x and I'm seeing a lot of other probes coming in from the same range targeted on ports 80, 137, 139 and 445.
20% of all probes are coming in from 81.103.x.x (i.e. pseudo Class B subnet)
An additional 7% of probes are coming in from 81.x.x.x (i.e. pseudo Class A subnet)
The weighting for the pseudo Class B subnet is 13,000 times what you would expect on a random scan, so either my ISP is filtering the probes at its perimeter, or this is most likely doing a Code Red style scan on the local subnets as a priority, either by an automated process or by people running port scanners.
However, this probing activity appears to have been going on for about a month so I'm not sure this is a new threat, but there does seem to be a lot more activity about.
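The "local subnet weighting" calculation in the post above, as an added example that is not from the thread: parse dropped-packet log lines, count how many probes come from the same /16 and /8 as your own address, and compare each share with what a scanner picking targets uniformly at random across IPv4 would produce (1/65536 of probes per /16, 1/256 per /8). The log format, the sample lines and the address 81.103.9.17 standing in for the poster's 81.103.x.x are all constructed for the example; with 2 of 10 probes from the same /16 it reproduces the post's 20% share and a weighting of roughly 13,000.

```python
import ipaddress
import re

# Constructed firewall log in a hypothetical "DROP src:port -> dst:port proto" format.
# 2 of 10 sources sit in 81.103.0.0/16, 1 more in 81.0.0.0/8, the rest elsewhere.
SAMPLE_LOG = """\
2003-08-01 10:01:02 DROP 81.103.4.20:3012 -> 81.103.9.17:135 TCP
2003-08-01 10:01:05 DROP 81.103.77.2:1044 -> 81.103.9.17:445 TCP
2003-08-01 10:01:09 DROP 81.50.1.9:1301 -> 81.103.9.17:135 TCP
2003-08-01 10:01:14 DROP 68.85.116.17:2118 -> 81.103.9.17:135 TCP
2003-08-01 10:01:20 DROP 24.9.8.7:1200 -> 81.103.9.17:445 TCP
2003-08-01 10:01:33 DROP 200.1.2.3:4100 -> 81.103.9.17:135 TCP
2003-08-01 10:01:41 DROP 62.4.4.4:1025 -> 81.103.9.17:139 TCP
2003-08-01 10:01:50 DROP 12.12.12.12:2000 -> 81.103.9.17:135 TCP
2003-08-01 10:02:03 DROP 210.20.30.40:3333 -> 81.103.9.17:445 TCP
2003-08-01 10:02:15 DROP 195.5.5.5:1099 -> 81.103.9.17:135 TCP
"""

LINE_RE = re.compile(r"DROP (\S+):(\d+) -> (\S+):(\d+) (\w+)")


def parse_probes(log_text, ports=(135, 139, 445)):
    """Return a list of (source address, destination port) for dropped packets
    aimed at the given ports; lines that do not match the format are skipped."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _sport, _dst, dport, _proto = m.groups()
        if int(dport) in ports:
            probes.append((ipaddress.ip_address(src), int(dport)))
    return probes


def locality_report(probes, my_ip):
    """Share of probes from my own /16 and /8, and how far each share sits
    above a uniform random scan of the IPv4 space. A weighting near 1 means
    'no more than chance'; thousands means the scanner prefers nearby ranges
    (or the ISP is dropping the distant ones before they reach you)."""
    me = ipaddress.ip_address(my_ip)
    net16 = ipaddress.ip_network(f"{me}/16", strict=False)
    net8 = ipaddress.ip_network(f"{me}/8", strict=False)
    total = len(probes)
    if total == 0:
        return {"total": 0}
    in16 = sum(1 for src, _ in probes if src in net16)
    in8 = sum(1 for src, _ in probes if src in net8)
    return {
        "total": total,
        "share_16": in16 / total,
        "share_8_excluding_16": (in8 - in16) / total,  # the "additional" share
        "weight_vs_random_16": (in16 / total) * 2**16,  # random scan: 1/65536 per /16
        "weight_vs_random_8": (in8 / total) * 2**8,     # random scan: 1/256 per /8
    }


if __name__ == "__main__":
    report = locality_report(parse_probes(SAMPLE_LOG), "81.103.9.17")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against your own dropped-packet log by swapping the regular expression for your firewall's line format; the ratio is what matters, and a figure in the thousands for the /16 is the signal the poster is describing.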