
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month - Day 21 - Port 135

Published: 2009-10-21
Last Updated: 2009-10-21 20:34:22 UTC
by Pedro Bueno (Version: 1)
1 comment(s)


Welcome to day 21. Today we will talk about port 135.

In short, here is the basic information:

Port: 135
Service Name: epmap/loc-srv
Popular Name: Microsoft DCE locator
UDP or TCP: Both

Description:
Port 135 hosts an important service on Windows hosts. When a host wants to connect to an RPC service on a remote machine,
it first asks the destination machine on port 135 which port the service it wants is listening on (yes, quite close to the *nix portmapper).
The Microsoft DCE locator, which runs on port 135, returns the port on which the desired service is running.
The original requester then connects to that port.

May be used by:
* DHCP server
* DNS server
* WINS server

What makes this a port of interest is that in the past it had many vulnerabilities, which were exploited both by malicious users and by worms
such as the old Blaster, and by bots that carried the exploit in their database, like the old phatbot/sdbot.


A good move from Microsoft was to include in Windows XP Service Pack 2 a default firewall rule that blocks external access to this port.

However, there are still some situations where you may need to add exceptions allowing remote connections to this port, such as:

- some MS SQL Server scenarios.

- some WMI (Windows Management Instrumentation) uses, which is quite useful for command-line administration.

Whatever the reason you need it open, make sure you restrict access to it as much as possible (for example, only from the hosts that actually need to manage the machine).

Example of a port 135 traffic (from pcapr):

01:48:35.511258 IP 1.0.0.1.3949 > 1.0.0.2.135: S 2182823608:2182823608(0) win 8760 <mss 1460,nop,nop,sackOK>
01:48:35.536500 IP 1.0.0.2.135 > 1.0.0.1.3949: S 3596070259:3596070259(0) ack 2182823609 win 17424 <mss 1452,nop,nop,sackOK>
01:48:35.974438 IP 1.0.0.1.3949 > 1.0.0.2.135: . ack 1 win 10164
01:48:35.999130 IP 1.0.0.1.3949 > 1.0.0.2.135: P 1:73(72) ack 1 win 10164
01:48:36.035866 IP 1.0.0.2.135 > 1.0.0.1.3949: P 1:61(60) ack 73 win 17352
01:48:36.561338 IP 1.0.0.1.3949 > 1.0.0.2.135: . 73:1525(1452) ack 61 win 10104
01:48:36.575457 IP 1.0.0.1.3949 > 1.0.0.2.135: P 1525:1681(156) ack 61 win 10104
01:48:36.580581 IP 1.0.0.1.3949 > 1.0.0.2.135: F 1681:1681(0) ack 61 win 10104
01:48:36.601318 IP 1.0.0.2.135 > 1.0.0.1.3949: . ack 1681 win 17424
01:48:36.605455 IP 1.0.0.2.135 > 1.0.0.1.3949: P 61:101(40) ack 1681 win 17424
01:48:36.614687 IP 1.0.0.2.135 > 1.0.0.1.3949: F 101:101(0) ack 1682 win 17424
01:48:39.871749 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424
01:48:46.433952 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424
01:48:59.558881 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424
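As an added example (not part of the original diary), the following Python script turns a tcpdump text trace like the one above into per-session summaries of connections to the endpoint mapper, and then flags every session whose client is not on a management allow-list, which is the kind of check you would run to verify that the "restrict it as much as possible" advice actually holds. The trace is embedded as the constructed sample input; the allow-list address 10.0.0.5 is an assumption. Payload is counted from the highest relative sequence number seen in each direction, so the three retransmitted FP segments at the end of the trace are not double counted.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the tcpdump lines quoted in the diary (pcapr trace),
# including the three retransmitted FP segments at the end.
SAMPLE_TRACE = """\
01:48:35.511258 IP 1.0.0.1.3949 > 1.0.0.2.135: S 2182823608:2182823608(0) win 8760 <mss 1460,nop,nop,sackOK>
01:48:35.536500 IP 1.0.0.2.135 > 1.0.0.1.3949: S 3596070259:3596070259(0) ack 2182823609 win 17424 <mss 1452,nop,nop,sackOK>
01:48:35.974438 IP 1.0.0.1.3949 > 1.0.0.2.135: . ack 1 win 10164
01:48:35.999130 IP 1.0.0.1.3949 > 1.0.0.2.135: P 1:73(72) ack 1 win 10164
01:48:36.035866 IP 1.0.0.2.135 > 1.0.0.1.3949: P 1:61(60) ack 73 win 17352
01:48:36.561338 IP 1.0.0.1.3949 > 1.0.0.2.135: . 73:1525(1452) ack 61 win 10104
01:48:36.575457 IP 1.0.0.1.3949 > 1.0.0.2.135: P 1525:1681(156) ack 61 win 10104
01:48:36.580581 IP 1.0.0.1.3949 > 1.0.0.2.135: F 1681:1681(0) ack 61 win 10104
01:48:36.601318 IP 1.0.0.2.135 > 1.0.0.1.3949: . ack 1681 win 17424
01:48:36.605455 IP 1.0.0.2.135 > 1.0.0.1.3949: P 61:101(40) ack 1681 win 17424
01:48:36.614687 IP 1.0.0.2.135 > 1.0.0.1.3949: F 101:101(0) ack 1682 win 17424
01:48:39.871749 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424
01:48:46.433952 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424
01:48:59.558881 IP 1.0.0.2.135 > 1.0.0.1.3949: FP 61:101(40) ack 1682 win 17424
"""

# Old-style tcpdump TCP summary line:
#   "ts IP a.b.c.d.port > e.f.g.h.port: FLAGS [start:end(len)] [ack N] win W ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?P<rest>.*)$"
)


@dataclass
class Session:
    client: str
    client_port: int
    server: str
    server_port: int
    first_seen: str
    client_bytes: int = 0   # payload bytes client -> server (highest relative end seq - 1)
    server_bytes: int = 0   # payload bytes server -> client
    fin_seen: bool = False


def parse_packet(line):
    """Return a dict of fields for one tcpdump line, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    # A SYN without an ACK is the client opening the connection.
    d["is_syn_only"] = "S" in d["flags"] and " ack " not in d["rest"]
    d["end"] = int(d["end"]) if d["end"] is not None else None
    d["len"] = int(d["len"]) if d["len"] is not None else 0
    return d


def summarize_sessions(trace, port=135):
    """Rebuild TCP sessions to `port` from a tcpdump text trace.

    A session starts at a SYN (without ACK) towards the port. Payload is
    counted from the highest relative sequence number seen per direction,
    so retransmitted segments do not inflate the byte counts.
    """
    sessions = {}
    for line in trace.splitlines():
        p = parse_packet(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["is_syn_only"]:
            if p["dport"] == port:
                sessions[key] = Session(p["src"], p["sport"], p["dst"], p["dport"], p["ts"])
            continue
        rkey = (p["dst"], p["dport"], p["src"], p["sport"])
        if key in sessions:
            s, from_client = sessions[key], True
        elif rkey in sessions:
            s, from_client = sessions[rkey], False
        else:
            continue   # no SYN seen for this flow; not a tracked session
        if p["len"] > 0:
            if from_client:
                s.client_bytes = max(s.client_bytes, p["end"] - 1)
            else:
                s.server_bytes = max(s.server_bytes, p["end"] - 1)
        if "F" in p["flags"]:
            s.fin_seen = True
    return list(sessions.values())


def find_unexpected(sessions, allowed_clients):
    """Return the sessions whose client is not on the management allow-list."""
    return [s for s in sessions if s.client not in allowed_clients]


if __name__ == "__main__":
    found = summarize_sessions(SAMPLE_TRACE)
    # Assumed allow-list of hosts permitted to reach the endpoint mapper.
    for s in find_unexpected(found, allowed_clients={"10.0.0.5"}):
        print(f"{s.first_seen} {s.client}:{s.client_port} -> {s.server}:{s.server_port} "
              f"sent {s.client_bytes} B, got {s.server_bytes} B, fin={s.fin_seen}")
```

On the diary's trace this reports one session, 1.0.0.1:3949 to 1.0.0.2:135, with 1680 bytes sent by the client and 100 bytes returned by the endpoint mapper; with 1.0.0.1 added to the allow-list nothing is reported. The same parser can be pointed at a longer `tcpdump -n tcp port 135` capture from a border sensor to list which outside hosts are talking to your endpoint mappers at all.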

------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure


Rapid7 purchases Metasploit

Published: 2009-10-21
Last Updated: 2009-10-21 15:44:11 UTC
by Joel Esler (Version: 1)
12 comment(s)

Woke up this morning to find the news in my inbox that Vulnerability Management company Rapid7 purchased Metasploit. Personally, I think this is a good thing. Anytime there can be commercial funding and backing put behind an Open Source program in order to further its development, I consider it a good thing. I know this model works, as I work for Sourcefire. We have a few open source programs ourselves.

Better funding = better (more) exploits = better pen-test tool.  Not that Metasploit isn't already awesome, because it is, but this will make Metasploit turn another corner in its (already successful) evolution.

I applaud HD's (and of course everyone else on the Metasploit team's) work, and may this acquisition further the success of the platform.

Read more about the purchase here.


-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler


WordPress Hardening

Published: 2009-10-21
Last Updated: 2009-10-21 05:11:40 UTC
by Pedro Bueno (Version: 1)
0 comment(s)


Today one of our readers sent us an interesting post from the developers of WordPress. It is about the just-released version 2.8.5.

This version is called the "Hardening Release", which I thought was quite great! According to the post, these are new security features from the upcoming 2.9 series that they decided to backport to the 2.8.x tree.

Among the new features and fixes you can see:

  • "A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where php code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins."

Why does this news deserve a diary? For two reasons:

1) WordPress is one of the most popular "publishing platforms" (blogs, etc...) and it is free...

2) In 2008 there were 23 vulnerabilities found in it, and in 2009 there are 12 vulnerabilities found so far...

So, this effort from the developers really deserves our attention and kudos...

---------------------------------------------------------------------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

Keywords: exploit wordpress