Thread: port 135.. getting slammed in my router properties

  1. #1
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941

    port 135.. getting slammed in my router properties

    Tuesday, October 07, 2003 11:26:52 PM Unrecognized access from 220.99.149.105:1256 to TCP port 135
    Tuesday, October 07, 2003 11:26:55 PM Unrecognized access from 220.99.149.105:1256 to TCP port 135
    Tuesday, October 07, 2003 11:27:01 PM Unrecognized access from 220.99.149.105:1256 to TCP port 135
    Tuesday, October 07, 2003 11:27:14 PM Unrecognized access from 204.215.155.6:5843 to TCP port 80
    Tuesday, October 07, 2003 11:27:20 PM Unrecognized access from 204.215.155.6:5843 to TCP port 80
    Tuesday, October 07, 2003 11:27:53 PM Unrecognized access from 64.91.204.21:1469 to TCP port 80
    Tuesday, October 07, 2003 11:27:54 PM Unrecognized access from 220.99.67.226:4356 to TCP port 135
    Tuesday, October 07, 2003 11:27:56 PM Unrecognized access from 64.91.204.21:1469 to TCP port 80
    Tuesday, October 07, 2003 11:27:57 PM Unrecognized access from 220.99.67.226:4356 to TCP port 135
    Tuesday, October 07, 2003 11:28:02 PM Unrecognized access from 64.91.204.21:1469 to TCP port 80
    Tuesday, October 07, 2003 11:28:03 PM Unrecognized access from 220.99.67.226:4356 to TCP port 135
    Tuesday, October 07, 2003 11:28:12 PM Unrecognized access from 220.97.99.254:4323 to TCP port 445
    Tuesday, October 07, 2003 11:28:15 PM Unrecognized access from 220.97.99.254:4323 to TCP port 445
    Tuesday, October 07, 2003 11:28:20 PM Unrecognized access from 220.99.253.189:4940 to TCP port 135
    Tuesday, October 07, 2003 11:28:23 PM Unrecognized access from 220.99.253.189:4940 to TCP port 135
    Tuesday, October 07, 2003 11:28:29 PM Unrecognized access from 220.99.253.189:4940 to TCP port 135
    Tuesday, October 07, 2003 11:29:46 PM Unrecognized access from 81.152.113.188:1025 to TCP port 135
    Tuesday, October 07, 2003 11:29:50 PM Unrecognized access from 81.152.113.188:1025 to TCP port 135
    Tuesday, October 07, 2003 11:29:55 PM Unrecognized access from 81.152.113.188:1025 to TCP port 135
    Tuesday, October 07, 2003 11:30:56 PM Unrecognized access from 68.74.73.197:3803 to TCP port 135
    Tuesday, October 07, 2003 11:30:59 PM Unrecognized access from 68.74.73.197:3803 to TCP port 135
    Tuesday, October 07, 2003 11:31:05 PM Unrecognized access from 68.74.73.197:3803 to TCP port 135
    Tuesday, October 07, 2003 11:31:49 PM Unrecognized access from 220.97.231.23:4311 to TCP port 135
    Tuesday, October 07, 2003 11:31:52 PM Unrecognized access from 220.97.231.23:4311 to TCP port 135
    Tuesday, October 07, 2003 11:31:58 PM Unrecognized access from 220.97.231.23:4311 to TCP port 135
    Tuesday, October 07, 2003 11:32:53 PM Unrecognized access from 69.133.112.84:3777 to TCP port 80
    Tuesday, October 07, 2003 11:32:56 PM Unrecognized access from 69.133.112.84:3777 to TCP port 80
    Tuesday, October 07, 2003 11:33:02 PM Unrecognized access from 69.133.112.84:3777 to TCP port 80
    Tuesday, October 07, 2003 11:34:26 PM Unrecognized access from 61.117.22.121:3616 to TCP port 135
    Tuesday, October 07, 2003 11:34:29 PM Unrecognized access from 61.117.22.121:3616 to TCP port 135
    Tuesday, October 07, 2003 11:34:35 PM Unrecognized access from 61.117.22.121:3616 to TCP port 135
    Tuesday, October 07, 2003 11:34:42 PM Unrecognized access from 200.84.12.240:1040 to UDP port 137
    Tuesday, October 07, 2003 11:34:43 PM Unrecognized access from 81.152.180.92:2416 to TCP port 135
    Tuesday, October 07, 2003 11:34:46 PM Unrecognized access from 81.152.180.92:2416 to TCP port 135
    Tuesday, October 07, 2003 11:34:52 PM Unrecognized access from 81.152.180.92:2416 to TCP port 135
    Tuesday, October 07, 2003 11:34:52 PM Unrecognized access from 219.184.48.99:1541 to TCP port 135
    Tuesday, October 07, 2003 11:34:56 PM Unrecognized access from 219.184.48.99:1541 to TCP port 135
    Tuesday, October 07, 2003 11:35:02 PM Unrecognized access from 219.184.48.99:1541 to TCP port 135
    Tuesday, October 07, 2003 11:35:14 PM Unrecognized access from 220.99.204.144:2366 to TCP port 135
    Tuesday, October 07, 2003 11:35:17 PM Unrecognized access from 220.99.204.144:2366 to TCP port 135
    Tuesday, October 07, 2003 11:35:23 PM Unrecognized access from 220.99.204.144:2366 to TCP port 135
    Tuesday, October 07, 2003 11:36:03 PM Unrecognized access from 220.98.166.143:1589 to TCP port 135
    Tuesday, October 07, 2003 11:36:06 PM Unrecognized access from 220.98.166.143:1589 to TCP port 135
    Tuesday, October 07, 2003 11:36:12 PM Unrecognized access from 220.98.166.143:1589 to TCP port 135
    Tuesday, October 07, 2003 11:38:21 PM Unrecognized access from 220.97.105.38:3899 to TCP port 135
    Tuesday, October 07, 2003 11:39:03 PM Unrecognized access from 218.63.229.245:4849 to TCP port 80
    Tuesday, October 07, 2003 11:39:06 PM Unrecognized access from 218.63.229.245:4849 to TCP port 80
    Tuesday, October 07, 2003 11:39:12 PM Unrecognized access from 218.63.229.245:4849 to TCP port 80
    Tuesday, October 07, 2003 11:40:21 PM Unrecognized access from 220.97.39.22:2689 to TCP port 445
    Tuesday, October 07, 2003 11:40:24 PM Unrecognized access from 220.97.39.22:2689 to TCP port 445
    Tuesday, October 07, 2003 11:40:42 PM Unrecognized access from 216.250.40.132:33796 to TCP port 80
    Tuesday, October 07, 2003 11:40:45 PM Unrecognized access from 216.250.40.132:33796 to TCP port 80
    Tuesday, October 07, 2003 11:40:47 PM Unrecognized access from 67.70.176.83:4244 to TCP port 135
    Tuesday, October 07, 2003 11:40:50 PM Unrecognized access from 67.70.176.83:4244 to TCP port 135
    Tuesday, October 07, 2003 11:40:51 PM Unrecognized access from 216.250.40.132:33796 to TCP port 80
    Tuesday, October 07, 2003 11:40:56 PM Unrecognized access from 67.70.176.83:4244 to TCP port 135
    Tuesday, October 07, 2003 11:41:01 PM Unrecognized access from 67.65.201.100:4104 to TCP port 80
    Tuesday, October 07, 2003 11:41:10 PM Unrecognized access from 67.65.201.100:4104 to TCP port 80
    Tuesday, October 07, 2003 11:41:15 PM Unrecognized access from 208.61.138.224:2615 to TCP port 80
    Tuesday, October 07, 2003 11:41:18 PM Unrecognized access from 208.61.138.224:2615 to TCP port 80
    Tuesday, October 07, 2003 11:41:24 PM Unrecognized access from 208.61.138.224:2615 to TCP port 80
    Tuesday, October 07, 2003 11:41:51 PM Unrecognized access from 218.72.160.65:64929 to TCP port 80
    Tuesday, October 07, 2003 11:41:53 PM Unrecognized access from 219.28.150.72:2983 to TCP port 80
    Tuesday, October 07, 2003 11:41:56 PM Unrecognized access from 219.28.150.72:2983 to TCP port 80
    Tuesday, October 07, 2003 11:42:00 PM Unrecognized access from 218.72.160.65:64929 to TCP port 80
    Tuesday, October 07, 2003 11:42:02 PM Unrecognized access from 219.28.150.72:2983 to TCP port 80
    Tuesday, October 07, 2003 11:42:15 PM Unrecognized access from 148.221.73.9:1044 to UDP port 137
    Tuesday, October 07, 2003 11:42:17 PM Unrecognized access from 65.40.220.194:19690 to TCP port 80
    Tuesday, October 07, 2003 11:42:20 PM Unrecognized access from 65.40.220.194:19690 to TCP port 80
    Tuesday, October 07, 2003 11:42:26 PM Unrecognized access from 65.40.220.194:19690 to TCP port 80
    Tuesday, October 07, 2003 11:42:43 PM Unrecognized access from 219.140.226.137:2477 to TCP port 80
    Tuesday, October 07, 2003 11:42:46 PM Unrecognized access from 219.140.226.137:2477 to TCP port 80
    Tuesday, October 07, 2003 11:42:52 PM Unrecognized access from 219.140.226.137:2477 to TCP port 80
    Tuesday, October 07, 2003 11:43:01 PM Unrecognized access from 220.96.108.81:3673 to TCP port 135
    Tuesday, October 07, 2003 11:43:50 PM Unrecognized access from 68.55.96.215:3485 to TCP port 135
    Tuesday, October 07, 2003 11:43:53 PM Unrecognized access from 68.55.96.215:3485 to TCP port 135
    Tuesday, October 07, 2003 11:43:59 PM Unrecognized access from 68.55.96.215:3485 to TCP port 135
    Tuesday, October 07, 2003 11:44:21 PM Unrecognized access from 220.99.234.240:4684 to TCP port 135
    Tuesday, October 07, 2003 11:45:03 PM Unrecognized access from 199.97.118.200:30935 to TCP port 80
    Tuesday, October 07, 2003 11:45:06 PM Unrecognized access from 199.97.118.200:30935 to TCP port 80
    Tuesday, October 07, 2003 11:45:10 PM Unrecognized access from 64.199.233.210:4818 to TCP port 80

    I have patched everything... all my machines are patched, virus scanned, sygate firewalled, up-to-date on everything...

    Any ideas why I keep getting traffic over the TCP port 135? I know that is the RPC port... but I have patched it already...

  2. #2
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941
    199.97.118.200:30935 to TCP port 80
    Tuesday, October 07, 2003 11:45:13 PM Unrecognized access from 64.199.233.210:4818 to TCP port 80
    Tuesday, October 07, 2003 11:45:19 PM Unrecognized access from 64.199.233.210:4818 to TCP port 80
    Tuesday, October 07, 2003 11:45:22 PM Unrecognized access from 202.9.136.21:54524 to TCP port 80
    Tuesday, October 07, 2003 11:45:26 PM Unrecognized access from 202.9.136.21:54524 to TCP port 80
    Tuesday, October 07, 2003 11:45:32 PM Unrecognized access from 202.9.136.21:54524 to TCP port 80
    Tuesday, October 07, 2003 11:47:02 PM Unrecognized access from 194.52.202.105:3025 to TCP port 135
    Tuesday, October 07, 2003 11:47:05 PM Unrecognized access from 194.52.202.105:3025 to TCP port 135
    Tuesday, October 07, 2003 11:47:11 PM Unrecognized access from 194.52.202.105:3025 to TCP port 135
    Tuesday, October 07, 2003 11:47:15 PM Unrecognized access from 220.57.136.197:2731 to TCP port 135
    Tuesday, October 07, 2003 11:47:16 PM Unrecognized access from 61.185.94.96:4740 to TCP port 80
    Tuesday, October 07, 2003 11:47:18 PM Unrecognized access from 220.57.136.197:2731 to TCP port 135
    Tuesday, October 07, 2003 11:47:19 PM Unrecognized access from 61.185.94.96:4740 to TCP port 80
    Tuesday, October 07, 2003 11:47:24 PM Unrecognized access from 220.57.136.197:2731 to TCP port 135
    Tuesday, October 07, 2003 11:47:24 PM Unrecognized access from 61.185.94.96:4740 to TCP port 80
    Tuesday, October 07, 2003 11:47:29 PM Unrecognized access from 127.0.0.1:80 to TCP port 1335
    Tuesday, October 07, 2003 11:48:27 PM Unrecognized access from 65.229.131.92:1026 to UDP port 137
    Tuesday, October 07, 2003 11:48:32 PM PPPoE start to hang-up
    * PADT sent
    * DOD:192.168.0.15 query DNS for www.google.com
    Tuesday, October 07, 2003 11:59:34 PM PPPoE start to dial-up
    * PADI sent OCN
    * PADO recv 0016 dra02kkg00
    * PADR sent
    * PADS recv 0002 5717
    * CHAP3: OK
    * IPCP3: IP is 220.105.171.7
    Wednesday, October 08, 2003 12:14:20 AM Unrecognized access from 220.105.55.161:3246 to TCP port 135
    Wednesday, October 08, 2003 12:14:26 AM Unrecognized access from 220.105.55.161:3246 to TCP port 135
    Wednesday, October 08, 2003 12:15:51 AM Unrecognized access from 200.66.211.83:1030 to UDP port 137
    Wednesday, October 08, 2003 12:16:45 AM Unrecognized access from 220.105.254.195:4516 to TCP port 135
    Wednesday, October 08, 2003 12:16:48 AM Unrecognized access from 220.105.254.195:4516 to TCP port 135
    Wednesday, October 08, 2003 12:16:54 AM Unrecognized access from 220.105.254.195:4516 to TCP port 135
    Wednesday, October 08, 2003 12:18:53 AM Unrecognized access from 220.108.206.196:2903 to TCP port 135
    Wednesday, October 08, 2003 12:18:56 AM Unrecognized access from 220.108.206.196:2903 to TCP port 135
    Wednesday, October 08, 2003 12:19:02 AM Unrecognized access from 220.108.206.196:2903 to TCP port 135
    Wednesday, October 08, 2003 12:20:04 AM Unrecognized access from 220.107.234.120:2538 to TCP port 135
    Wednesday, October 08, 2003 12:20:07 AM Unrecognized access from 220.107.234.120:2538 to TCP port 135
    Wednesday, October 08, 2003 12:20:13 AM Unrecognized access from 220.107.234.120:2538 to TCP port 135
    Wednesday, October 08, 2003 12:21:42 AM Unrecognized access from 220.105.22.162:3732 to TCP port 135
    Wednesday, October 08, 2003 12:21:45 AM Unrecognized access from 220.105.22.162:3732 to TCP port 135
    Wednesday, October 08, 2003 12:21:51 AM Unrecognized access from 220.105.22.162:3732 to TCP port 135
    Wednesday, October 08, 2003 12:23:01 AM 192.168.0.15 login successful
    Wednesday, October 08, 2003 12:23:29 AM Unrecognized access from 220.108.132.35:3526 to TCP port 135
    Wednesday, October 08, 2003 12:23:32 AM Unrecognized access from 220.108.132.35:3526 to TCP port 135
    Wednesday, October 08, 2003 12:23:38 AM Unrecognized access from 220.108.132.35:3526 to TCP port 135
    Wednesday, October 08, 2003 12:26:40 AM PPPoE start to hang-up
    * PADT sent
    Wednesday, October 08, 2003 12:26:47 AM 192.168.0.15 logged out
    Wednesday, October 08, 2003 12:26:49 AM 192.168.0.15 login successful
    * DOD:triggered internally
    Wednesday, October 08, 2003 12:26:50 AM PPPoE start to dial-up
    * PADI sent OCN
    * PADO recv 0016 dra02kkg00
    * PADR sent
    * PADS recv 0002 B818
    * CHAP3: OK
    * IPCP3: IP is 220.105.170.67
    Wednesday, October 08, 2003 12:27:09 AM Unrecognized access from 220.108.111.37:4625 to TCP port 135
    Wednesday, October 08, 2003 12:27:12 AM Unrecognized access from 220.108.111.37:4625 to TCP port 135
    Wednesday, October 08, 2003 12:27:18 AM Unrecognized access from 220.108.111.37:4625 to TCP port 135
    Wednesday, October 08, 2003 12:27:22 AM Unrecognized access from 220.220.10.153:3550 to TCP port 135
    Wednesday, October 08, 2003 12:27:26 AM Unrecognized access from 220.220.10.153:3550 to TCP port 135
    Wednesday, October 08, 2003 12:27:32 AM Unrecognized access from 220.220.10.153:3550 to TCP port 135
    Wednesday, October 08, 2003 12:27:54 AM Unrecognized access from 220.108.39.203:2083 to TCP port 135
    Wednesday, October 08, 2003 12:27:57 AM Unrecognized access from 220.108.39.203:2083 to TCP port 135
    Wednesday, October 08, 2003 12:28:03 AM Unrecognized access from 220.108.39.203:2083 to TCP port 135
    Wednesday, October 08, 2003 12:28:09 AM Unrecognized access from 220.105.126.235:1834 to TCP port 135
    Wednesday, October 08, 2003 12:28:12 AM Unrecognized access from 220.105.126.235:1834 to TCP port 135
    Wednesday, October 08, 2003 12:28:18 AM Unrecognized access from 220.105.126.235:1834 to TCP port 135
    Wednesday, October 08, 2003 12:30:02 AM Unrecognized access from 220.108.120.46:1328 to TCP port 135
    Wednesday, October 08, 2003 12:30:05 AM Unrecognized access from 220.108.120.46:1328 to TCP port 135

    It continues on and on and on and on every second.
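
One way to read a log like the ones posted above, as an added example that is not part of the original thread: it parses the router's "Unrecognized access" line format, counts hits per destination port, and treats repeats from the same source address and port within 30 seconds as retries of one connection attempt (an assumption about the senders). The sample lines are constructed with documentation-range source addresses; the function names and the 30-second window are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Line format taken from the router log quoted in the thread.
LINE_RE = re.compile(
    r"(?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Unrecognized access from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)"
)
TS_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"

# Constructed sample in the same format; sources are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Tuesday, October 07, 2003 11:26:52 PM Unrecognized access from 192.0.2.10:1256 to TCP port 135
Tuesday, October 07, 2003 11:26:55 PM Unrecognized access from 192.0.2.10:1256 to TCP port 135
Tuesday, October 07, 2003 11:27:01 PM Unrecognized access from 192.0.2.10:1256 to TCP port 135
Tuesday, October 07, 2003 11:27:14 PM Unrecognized access from 198.51.100.7:5843 to TCP port 80
Tuesday, October 07, 2003 11:27:54 PM Unrecognized access from 203.0.113.44:4356 to TCP port 135
Tuesday, October 07, 2003 11:28:12 PM Unrecognized access from 203.0.113.90:4323 to TCP port 445
Tuesday, October 07, 2003 11:29:29 PM Unrecognized access from 127.0.0.1:80 to TCP port 1335
Tuesday, October 07, 2003 11:34:42 PM Unrecognized access from 198.51.100.200:1040 to UDP port 137
Tuesday, October 07, 2003 11:48:32 PM PPPoE start to hang-up
Wednesday, October 08, 2003 12:14:20 AM Unrecognized access from 192.0.2.10:1300 to TCP port 135
"""

def parse_log(text):
    """Return (timestamp, src, sport, proto, dport) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            events.append((ts, m["src"], int(m["sport"]), m["proto"], int(m["dport"])))
    return events

def summarize(events, retry_window=timedelta(seconds=30)):
    """Per (proto, dport): raw log lines, distinct attempts, distinct source addresses."""
    # Assumption: the same src:sport -> dport seen again inside retry_window is a
    # retransmission of one unanswered connection attempt, not a new probe.
    last_seen = {}
    stats = defaultdict(lambda: {"lines": 0, "attempts": 0, "sources": set()})
    for ts, src, sport, proto, dport in sorted(events):
        flow = (src, sport, proto, dport)
        entry = stats[(proto, dport)]
        entry["lines"] += 1
        entry["sources"].add(src)
        if flow not in last_seen or ts - last_seen[flow] > retry_window:
            entry["attempts"] += 1
        last_seen[flow] = ts
    return dict(stats)

def loopback_sources(events):
    """Loopback source addresses, which should never arrive on a WAN interface."""
    return sorted({e[1] for e in events if ip_address(e[1]).is_loopback})

if __name__ == "__main__":
    for key, s in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(key, s["lines"], "lines,", s["attempts"], "attempts,", len(s["sources"]), "sources")
    print("loopback sources:", loopback_sources(parse_log(SAMPLE_LOG)))
```

Counting attempts rather than raw lines gives a truer picture of how many separate hosts are probing each port.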

  3. #3
    Titanium Member efc's Avatar
    Join Date
    Sep 2002
    Location
    North Central Arkansas
    Posts
    2,329
    BB - Steve Gibson's page has a utility to close port 135. It is called DCOMbobulator.

    http://grc.com/default.htm
    Linux Mint Debian Edition

  4. #4
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    Port 135
    Summary:
    A vulnerability in the Microsoft Windows operating system is being heavily exploited on campus, has led to over 100 machines being removed from the network, and has resulted in three interruptions in service to the Internet as compromised machines have been used to launch "denial of service" (DoS) attacks against remote sites. As a result, off-campus access to the Microsoft RPC service which runs on port 135 will be blocked at the network boundary. Machines that actively and legitimately use this service have been identified and the service will continue for those machines. Additionally, IRC ports 6667-6669 will be temporarily blocked.
    All computers running the Microsoft Windows operating system should run "Windows Update" regularly. However, the critical patch required to address this vulnerability is not identified by Windows Update and must be downloaded and manually installed. Information can be found at: http://www.microsoft.com/technet/sec.../MS03-026.asp.

    Details:
    A buffer-overflow vulnerability in Microsoft Windows RPC service is being widely exploited throughout the network. NSIT identified over 4500 computers on the University of Chicago network that were potentially vulnerable to compromise and identified systems administrators. An unknown number of machines on campus are compromised but have not been activated to attack another system and have not yet been identified.

    Microsoft has released patches for this vulnerability and systems administrators throughout campus have been working to patch these systems. However, over 120 machines have had to be removed from the network when they were used to attack other sites. Some of these attacks caused the University to lose connectivity to the Internet. One such DoS attack took place at approximately 11:00 AM, July 31, 2003 and sporadic network interruptions resulted throughout our network. The source of this attack was two compromised machines which were identified and removed from the network.

    To try to lessen the number and severity of these attacks, NSIT will block access to port 135 (Windows RPC) to any computer on the campus network from any computer outside the campus network. This will not affect any two computers that are both located on the campus network from connecting to port 135. So, services will continue to function within the campus network and will not be affected. However, this vulnerability can be exploited by computers within the campus network.

    Port 135 is essential to the functionality of Active Directory and Microsoft Exchange mail servers, among other things. These services will become unusable from machines off the campus network unless either an exemption from the block is made or our Virtual Private Network (VPN) infrastructure is used.

    For information on installing and using the freely available VPN client, please go to the following URL:
    http://support.uchicago.edu/docs/security/vpn/

    To download the VPN client, go to the following URL:
    http://licensing.uchicago.edu/download/vpn/

    NSIT has used network logs to identify approximately two dozen campus machines that have had traffic to port 135 which originated from off-campus. The systems staff at these sites have been contacted. Exceptions to the port-blocking are being placed on the router for systems that meet the following criteria:

    The system serves a purpose that is important to the mission of the University of Chicago.
    The system is well-secured.
    The system has professional support staff.
    The system supports large numbers of people who are not eligible to use the VPN client.

    After having spoken to the identified sites, we believe that the port-block will not affect them.

    A copy of this message can be found at:
    http://nsit.uchicago.edu/alert/port-135.html

    In case of any problem or question, please contact the NSIT Support Line at support@uchicago.edu.

    Thank you.

    Bob Bartlett
    Director, Enterprise Network Services & Security

    Ron Rusnak
    Director, Data Networking
    ------------------------------------------------------------



  5. #5
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941
    Originally posted by efc
    BB - Steve Gibson's page has a utility to close port 135. It is called DCOMbobulator.

    http://grc.com/default.htm
    Thanks for that. I'll give it a try as soon as I return home from work.

    @egghead,

    Lots of good information. The thing is I patched this before the RPC issue came out.. I don't know why just now it would be an issue???

    I'll give that DCOMbobulator a shot and let you know the results. For now I have shut my PC off, and disconnected my router and modem for the time being.

  6. #6
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    do a good scan of your computer and see why they are picking your port.

    maybe your ISP has been hit by a worm and is infecting the whole system!

    kinda like a "Dawn of the Dead" movie
    kinda.......
    ------------------------------------------------------------



  7. #7
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941
    The thing is for the past couple of days several sites would generate DNS errors.. and I thought it was strange..

    Last night when I checked my router logs... and I got those messages I kind of put 2 and 2 together...

    I'll be running a thorough offline scan as soon as I can get home, with the machine unplugged from the internet.

    I renewed my IP several times last night, to no avail. I'm going to give that tool a shot that efc offered. It could very well be the ISP that is responsible. If so I'll give them a ring and ask them what the hell is going on.

    I'll keep you informed.
