|tcp135 and ICMP Continue to Decline; Solaris 8 Hacks
|An Exchange Client computer on a LAN or WAN link uses remote procedure call (RPC) to communicate with an Exchange Server computer. The Exchange Server computer, an RPC- based application, uses TCP port 135, also referred to as the location service that helps RPC applications to query for the port number of a service. The Exchange Server computer monitors port 135 for client connections to the RPC endpoint mapper service. After a client connects to a socket, the Exchange Server computer allocates the client two random ports to use to communicate with the directory and the information store. The client does not communicate with other components of the Exchange Server computer. Please note that these information were found from the Microsoft Knowledge Base
|It appears this port is being used as the starting point of Windows "NET SEND" spam messages that use the Messenger service. A connection is made to port 135 to determine what high-numbered port the Messenger service is running on.
|Looks like msblast is on it's way... If you manage to sniff any of the packets you will see one of these messages: "billy gates why do you make this possible?" "Stop making money and fix your software!!" Mblast can be found in c:\windows\system32\ as well as: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ And the 'patch' from windows at: http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
|Hi, Today (9-17-2003), I have noticed several computers scanning external IP addresses on UDP:135. The computers are doing ascending IP scan, similar to Blaster. This is the payload : "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!" More on this can be found at : http://www.securityfocus.com/news/6975 Does anybody else have similar problems? Do you know what worm is this? join #inSecurity @ FreeNode a1fa
|Some well known Root kits also use this port to transmit data back to home base and download more malware. I also suspect may be an entry point for some root kit /malware for un patched systems or systems that did not patch correctly.
|Please see http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm for the latest on an RPC exploit against Microsoft operating systems. Also, from the vendor: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp Please ensure that all unnecessary TCP/UDP ports are blocked and particularly TCP 135, TCP 139, TCP 445, or any other specifically configured RPC port. Unapproved CVE #: CAN-2003-0352 (As of July 31st, 2003)
|Marcus H. Sachs, SANS Institute
|SANS Top-20 Entry: W5 Windows Remote Access Services http://www.sans.org/top20/index1.php#w5 Remote Procedure Calls Many versions of Microsoft operating systems (Windows NT 4.0, 2000, XP, and 2003) provide an inter-process communication mechanism that allows programs running on one host to execute code on remote hosts. Three vulnerabilities have been published that would allow an attacker to run arbitrary code on susceptible hosts with Local System privileges. One of these vulnerabilities was exploited by Blaster/MSblast/LovSAN and Nachi/Welchia worms. There are also other vulnerabilities that would allow attackers to mount Denial of Service attacks against RPC components.
|Port of entry for RPC bug exploiting Worms like lovSan, msblaster on unfixed Windows 32bit systems. Potentialy very dangerous.
|port used by Blaster32 worm for propogation
|Port 135 is essential to the functionality of Active Directory and Microsoft Exchange mail servers, among other things.
|Faiz Ahmad Shuja
|http://www.cert.org/advisories/CA-2003-20.html W32/Blaster worm The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026. http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
|CVE: CAN-2003-0352 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
|This port is used for Windows RPC. Windows RPC allows for the display of popup messages.
|Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.