I have been getting steadily increased activity directed at port 135 over the last day. My firewall is now logging one attempt every couple of minutes or less.
Has anyone else noticed this increase?
Are they connection attempts or just scans? I have seen a lot of people reporting an increase of scans on this port.
At the moment I don't know what they are; I am picking up dropped TCP packets in my firewall log. I am going to fire up netcat to try and capture some traffic. They started getting more frequent in the last hour.
The new RPC exploit is causing this. Make sure you're patched!
More Info
Yup, this should be the reason. I've noticed a steady rise over the past week or so, should be due to the RPC flaw.. You can find more information and the patch here: http://support.microsoft.com/default...b;en-us;823980
Thanks DeadCr0w, I suspected it was the recent RPC thing.
They seem to be scans:
connect to [0.0.0.0] from pcp02763925pcs.grenwy01.pa.comcast.net [68.85.116.17] 2118
sent 0, rcvd 0
I have the ports blocked already and I will patch it.
I'm seeing a BIG increase in port 445 scans, mostly from fairly "local addresses" too. This could be related to the RPC scans I think. In any case, it looks like something might be up.
Quote:
I'm seeing a BIG increase in port 445 scans, mostly from fairly "local addresses" too. This could be related to the RPC scans I think. In any case, it looks like something might be up.
This is from the link I posted up there:
Quote:
In both of the attacks described above, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.
Unless you have a burning need for RPC across the internet ports 135 and 445 should always be blocked..... There is no benefit to having them open and there are tons of bad things that they open you up to. If you have them blocked then the RPC DCOM exploit currently in the news is no danger to you.
Oh, and yes I have noticed a large increase in scan traffic on both ports over the last week. I have my firewall set to automatically place any computer on the internet on the blocked sites list for any attempt to connect to my network on these and some other ports. Yes, I am aware of the potential for DOS...... :p but as far as I am concerned no-one should be trying to connect to this network on either port so there is something not right with any machine that tries so....... It goes in the "blocked bin" for a few days until the time limit I have set kicks in.
My IP is 81.103.x.x and I'm seeing a lot of other probes coming in from the same range targeted on ports 80, 137, 139 and 445.
20% of all probes are coming in from 81.103.x.x (i.e. pseudo Class B subnet)
An additional 7% of probes are coming in from 81.x.x.x (i.e. pseudo Class A subnet)
The weighting for the pseudo Class B subnet is 13,000 times what you would expect on a random scan, so either my ISP is filtering the probes at its perimeter, or this is most likely doing a Code Red style scan on the local subnets as a priority, either by an automated process or by people running port scanners.
However, this probing activity appears to have been going on for about a month so I'm not sure this is a new threat, but there does seem to be a lot more activity about.
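The locality check described in the post above, written out as an added example in Python (this is not code from the thread or from any firewall vendor). It parses firewall drop lines in a simplified, made-up format, counts probes per destination port, and computes how over-represented the observer's own /16 and /8 are compared with a uniformly random Internet-wide scan, which is the "13,000 times what you would expect" reasoning. The log lines, the log format and the observer address 81.103.200.9 are all constructed for the example.

```python
"""Measure how concentrated inbound probes are in the observer's own /16 and /8,
relative to what a uniformly random scan of the whole IPv4 space would give.

Added example. The log format below is a constructed, simplified firewall drop
line (action, src, dst, proto, dpt); it is not any particular firewall's format.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real traffic). The observer is 81.103.200.9.
SAMPLE_LOG = """\
DROP src=81.103.12.34 dst=81.103.200.9 proto=TCP dpt=135
DROP src=81.103.77.2 dst=81.103.200.9 proto=TCP dpt=445
DROP src=81.45.9.10 dst=81.103.200.9 proto=TCP dpt=135
DROP src=68.85.116.17 dst=81.103.200.9 proto=TCP dpt=135
DROP src=203.0.113.5 dst=81.103.200.9 proto=TCP dpt=139
DROP src=81.103.3.3 dst=81.103.200.9 proto=TCP dpt=80
DROP src=198.51.100.7 dst=81.103.200.9 proto=TCP dpt=445
DROP src=81.200.1.1 dst=81.103.200.9 proto=TCP dpt=135
DROP src=192.0.2.44 dst=81.103.200.9 proto=TCP dpt=137
DROP src=81.103.99.99 dst=81.103.200.9 proto=TCP dpt=135
"""

MY_IP = "81.103.200.9"  # constructed observer address in the post's 81.103.x.x range

LINE_RE = re.compile(r"src=(?P<src>\d+\.\d+\.\d+\.\d+).*?dpt=(?P<dpt>\d+)")


def parse_probes(text):
    """Return a list of (source IPv4Address, destination port) per drop line.
    Lines that do not match the expected fields are skipped."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            probes.append((ipaddress.ip_address(m["src"]), int(m["dpt"])))
    return probes


def ports_probed(probes):
    """Count probes by destination port (135/139/445 are the RPC/SMB ports)."""
    return Counter(dpt for _, dpt in probes)


def locality_weighting(probes, my_ip, prefixlen):
    """Return (observed_fraction, weighting) for sources inside my_ip's /prefixlen.

    A uniformly random scan would land in a /prefixlen block with probability
    2**-prefixlen (1/65536 for a /16, 1/256 for a /8). The weighting is how many
    times larger the observed fraction is than that baseline. Note the /8 figure
    includes the hosts that are also in the /16.
    """
    net = ipaddress.ip_network(f"{my_ip}/{prefixlen}", strict=False)
    local = sum(1 for src, _ in probes if src in net)
    observed = local / len(probes)
    expected = 2.0 ** -prefixlen
    return observed, observed / expected


if __name__ == "__main__":
    probes = parse_probes(SAMPLE_LOG)
    print("probes per port:", dict(ports_probed(probes)))
    for plen in (16, 8):
        frac, weight = locality_weighting(probes, MY_IP, plen)
        print(f"/{plen}: {frac:.0%} of probes, {weight:,.0f}x random-scan expectation")
```

A weighting in the thousands for the /16 is what you would expect from a scanner that prefers its own neighbourhood (the Code Red style the post mentions) or from an ISP that filters traffic from outside its own ranges; a weighting near 1 is consistent with random scanning. With real logs, the one thing to watch is that the regular expression matches your firewall's actual field names, since a silent non-match just drops lines.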
A lot of people were fearing a worm based on the RPC exploit. That could be what you see, or maybe a kiddie on cable who's scanning his subnet.
SANS has the Internet Storm Center, where they publish info they gather. The scan report for port 135 is HERE and you can really see the increase in scan against 135, since the exploit code was released just over a week ago.
omalakai: Good work..... Nice to see that the sources are not increasing though. It implies the success rate is not great.
Could be that someone's compromising or cataloging a LOT of machines out there though.
I've got a bad feeling about this one. My hunch is that when the worm does come, and I'm convinced that it will, that it will be a blended attack of a peer-to-peer worm exploiting the RPC flaw, plus a mass-mailer that will be able to drop a worm inside corporate firewalls. So, if you're reliant on the firewall to keep it out, basically you're in deep trouble. I guess the most effective email-based virus at the moment is Sobig, so if you ride piggyback on a variant of that, then you've got a good chance of getting through.
In other words, patch everything that's safe to patch and keep an eye on the situation as it develops. :(