Handler on Duty: Daniel Wesemann
contact us
contact us
Your session is about to expire. Please reload or submit to avoid getting logged out.
| Protocol | Service | Name |
|---|---|---|
| tcp | epmap | DCE endpoint resolution |
| tcp | loc-srv | NCS local location broker |
| udp | epmap | DCE endpoint resolution |
| udp | loc-srv | Location Service |
| Submitted By | Date |
|---|---|
| Comment | |
| Richard Akerman | 2009-10-04 18:45:22 |
| It appears this port is being used as the starting point of Windows "NET SEND" spam messages that use the Messenger service. A connection is made to port 135 to determine what high-numbered port the Messenger service is running on. | |
| xentheon | 2009-10-04 18:45:22 |
| Looks like msblast is on it's way... If you manage to sniff any of the packets you will see one of these messages: "billy gates why do you make this possible?" "Stop making money and fix your software!!" Mblast can be found in c:\windows\system32\ as well as: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ And the 'patch' from windows at: http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en | |
| a1fa | 2009-10-04 18:45:22 |
| Hi, Today (9-17-2003), I have noticed several computers scanning external IP addresses on UDP:135. The computers are doing ascending IP scan, similar to Blaster. This is the payload : "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!" More on this can be found at : http://www.securityfocus.com/news/6975 Does anybody else have similar problems? Do you know what worm is this? join #inSecurity @ FreeNode a1fa | |
| VIPER X | 2005-06-12 05:22:59 |
| Some well known Root kits also use this port to transmit data back to home base and download more malware. I also suspect may be an entry point for some root kit /malware for un patched systems or systems that did not patch correctly. | |
| Phil Brammer | 2003-12-17 17:41:44 |
| Please see http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm for the latest on an RPC exploit against Microsoft operating systems. Also, from the vendor: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp Please ensure that all unnecessary TCP/UDP ports are blocked and particularly TCP 135, TCP 139, TCP 445, or any other specifically configured RPC port. Unapproved CVE #: CAN-2003-0352 (As of July 31st, 2003) | |
| Marcus H. Sachs, SANS Institute | 2003-10-09 22:32:52 |
| SANS Top-20 Entry: W5 Windows Remote Access Services http://www.sans.org/top20/index1.php#w5 Remote Procedure Calls Many versions of Microsoft operating systems (Windows NT 4.0, 2000, XP, and 2003) provide an inter-process communication mechanism that allows programs running on one host to execute code on remote hosts. Three vulnerabilities have been published that would allow an attacker to run arbitrary code on susceptible hosts with Local System privileges. One of these vulnerabilities was exploited by Blaster/MSblast/LovSAN and Nachi/Welchia worms. There are also other vulnerabilities that would allow attackers to mount Denial of Service attacks against RPC components. | |
| Jolly | 2003-10-09 22:32:20 |
| Port of entry for RPC bug exploiting Worms like lovSan, msblaster on unfixed Windows 32bit systems. Potentialy very dangerous. | |
| 2003-10-09 22:32:06 | |
| port used by Blaster32 worm for propogation | |
| oog | 2003-08-26 23:35:00 |
| Port 135 is essential to the functionality of Active Directory and Microsoft Exchange mail servers, among other things. | |
| Faiz Ahmad Shuja | 2003-08-13 20:00:45 |
| http://www.cert.org/advisories/CA-2003-20.html W32/Blaster worm The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026. http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp | |
| Brian Porter | 2003-08-10 00:30:30 |
| CVE: CAN-2003-0352 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 | |
| Johannes Ullrich | 2003-01-24 18:42:15 |
| This port is used for Windows RPC. Windows RPC allows for the display of popup messages. | |
| CVE # | Description |
|---|---|
| CVE-2003-352 | "Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0 |
| CVE-2003-528 | "Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter |
| CVE-2003-533 | "Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a |
| CVE-2003-717 | "The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message |
| CVE-2003-813 | "A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request |
