Thread: port 135

  1. #1
    alexor Guest

    port 135

    Hi, I have ZA 7.0.462.000. I noticed 2 weeks ago, when I tested my firewall security at grc.com, that it says port 135 is open, and yesterday I closed it. I have a lot of important info on my PC. Can anyone hack my PC from this port (1 or 2 months ago)? Sorry for my bad English. Thanks.

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    watcher Guest

    Re: port 135

    Dear alexor:

    To close port 135 permanently, you must edit the Registry, specifically:

    HKLM\SYSTEM\CurrentControlSet\Services\RpcSs

    Add the following value name:

    ListenOnInternet=N

    Also, go to the following Registry subkey:

    HKLM\SOFTWARE\Microsoft\OLE

    Change the following value name to this data value:

    EnableDCOM=N

    Please post your results.

    WATCHER

  3. #3
    alexor Guest

    Re: port 135

    Thanks for your reply, but my question is this: could anyone have hacked my PC 1 or 2 months ago when my port 135 was open?

  4. #4
    watcher Guest

    Re: port 135

    Dear alexor:

    Having an unused port open is a vulnerability. Hackers can use exploits for that port to attack your PC. Port 135 was used by the Blaster worm in 2003. It shut down the vital service, Remote Procedure Call, which caused the PC to reboot. The worm's executable was placed in the HKLM\...\Run subkey so that when the computer rebooted, the RPC service shut down again, causing another reboot, in an unending cycle. In addition, an infected computer connected to the Internet would scan for other vulnerable PCs on the Internet, infecting them. The Blaster worm merely caused a denial of service (DoS) condition, with no actual damage done to the operating system, program files, or data resident on the PC.

    You should be conducting scans weekly with antivirus and antispyware programs to remove malware infections. The best method, though, is prevention, and a firewall such as ZA's does a good job of closing ports not in actual use.

    There are many types of hackers based upon their motivations and skillset. Many perform reconnaissance of their target prior to attacking. One of the ways they do this is to use the ICMP protocol for pinging IP address ranges looking for active hosts. Port scanning comes next to determine open ports and learn what software/services are running on the target host. What comes next depends upon what the hacker wants to do, which usually falls under data theft/deletion, DoS, extortion, and/or causing as much damage as possible.

    Hope this helps.

    WATCHER

  5. #5
    alexor Guest

    Re: port 135

    Thanks a lot.
    I have ADSL and get many attacks on port 135, and now ZA blocks them. But 1 month ago, when my port 135 was open, I saw a connection on epmap (port 135) for 1 second in the "time_wait" state. Any risk?

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: port 135

    First and foremost, ZA always has all ports closed and stealthed in its default settings.
    If the port is found to be open to the internet by a port scan test, I would suspect either an application in the ZA program list has been given server rights for the internet, or the ADSL modem or the router(?) has some form of a NAT firewall. The NAT in the modem will have to be adjusted to have port 135 closed, or if a router is being used, then open the router and close the port.

    The Blaster worm vulnerability in Windows for port 135 was corrected in the Windows updates several years ago. Not such a severe issue as a few years ago, when the worm first appeared. If you have all your required updates or SP2, then you are safe from this specific worm.

    The usual method of closing port 135 in the Windows OS is to disable NetBIOS over TCP/IP in the Properties of the Network connections and disable File and Printer Sharing. This is usually followed up by disabling the TCP/IP NetBIOS Helper service.

    But I really suspect the port is opened in the hardware before the PC and not in the PC itself. To verify this issue, start the grc.com port scan ShieldsUp! test and observe the IP shown as being tested at the grc.com site. Then do the ipconfig /all to determine the correct IP of the PC. Now observe both the grc.com IP that is shown and the IP in the ipconfig /all. If the two IPs match, then it is the PC firewall that will be tested. If the two IPs do not match, then it is the hardware firewall getting tested and not the PC.

    Since ZA is dropping any connection attempts to the PC through port 135, I would also assume the port is not open in ZA and it is open in the hardware firewall of either the modem or the router.
    Furthermore, since ZA is dropping all of the inbound connection attempts, ZA is performing its job and keeping the PC safe and secure.

    Best regards, Oldsod
    Best regards.
    oldsod
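The IP comparison described in the post above, as an added example that is not part of the thread: it reads `ipconfig /all` output and tells you whether an external scan of a given address reached the PC or a device in front of it. The sample output, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (Windows XP style label);
# the addresses are private/documentation ranges, not taken from the thread.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Matches "IP Address" (XP) and "IPv4 Address" (Vista and later, which
# appends "(Preferred)" after the value).
_ADDR_LINE = re.compile(r"^\s*(?:IP|IPv4) Address[ .]*:\s*([0-9.]+)", re.M)


def local_addresses(ipconfig_text):
    """Return every IPv4 address assigned to an adapter in the output."""
    found = []
    for raw in _ADDR_LINE.findall(ipconfig_text):
        try:
            found.append(ipaddress.IPv4Address(raw))
        except ipaddress.AddressValueError:
            continue  # skip malformed values instead of guessing
    return found


def scan_target(scanned_ip, ipconfig_text):
    """Say which device an external port scan of `scanned_ip` reached."""
    scanned = ipaddress.IPv4Address(scanned_ip)
    mine = local_addresses(ipconfig_text)
    if not mine:
        return "unknown: no adapter address found"
    if scanned in mine:
        return "pc: the scan tests the PC and its software firewall"
    if all(addr.is_private for addr in mine):
        return "upstream: PC has a private address, scan tests the modem/router"
    return "upstream: addresses differ, scan tests a device in front of the PC"
```

Pass the address the scan page reports as `scanned_ip` and the saved output of `ipconfig /all` as `ipconfig_text`.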

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Re: port 135

    FWIW

    As far as the ICMP ping issues as previously discussed, the Echo Reply (type 0) inbound and the Echo Request (type 8) outbound are really needed for basic connectivity and obtaining/using the internet. The only issue with these two is if the Echo Request is allowed in (* fixed my typo*) and not just outbound; only then will the PC be in a more vulnerable state.
    But to be truthful, the revealing of the PC IP is not a critical issue nor a real security risk. Yes, the IP is seen, but the IP of the PC or the hardware firewall is seen or given out anyway. Plus the MAC address of either the PC or the hardware is clearly seen, thus permanently identifying the device/PC anyway. Pinging does not actually open ports/allow inbound access or really present any security risks. Allowed inbound ICMP really cannot do anything other than what it was originally designed for - it cannot let worms or trojans in. Worms and trojans are allowed into Windows ports using TCP or UDP, not ICMP.
    Port scans concentrate more on open ports (which reveal an IP and can pose a threat if they respond with the SYN/ACK).
    Or port scans find closed ports and "stealthed" ports, both of which always reveal the IP. But stealthed ports will just drop all the SYN attempts, whereas the closed port does not drop the SYN and accepts the SYN but does not return the required SYN/ACK. See three way handshake.

    Time Exceeded (type 11) is also needed for networking and connectivity. Any user on the internet doing a tracert for your IP will also use the Time Exceeded In to find your PC (if it is connected directly to the internet).
    Time Exceeded (type 11) is usually just allowed out. Using both inbound and outbound again still poses no real security risk.
    Time Exceeded (type 11) Inbound also indicates that an internet address/site is out of reach (hence the full and true name for Time Exceeded (type 11) is actually Time Exceeded for a Datagram). So it is useful and often needed.

    Port scans will use the Destination Unreachable (type 3), which is usually allowed out. Not allowing the Destination Unreachable (type 3) Inbound will often "stealth" the PC from scanning. But again the Destination Unreachable (type 3) Inbound is needed for Peer To Peer and certain DNS issues (slow DNS server response situations will resort to a type 3 to prevent a time out issue). Destination Unreachable (type 3) Inbound is used by denial of service attacks. Something only of risk if running an internet server or you have seriously irked the wrong people the wrong way!

    There is still the IGMP needed and again it is not a security risk.

    There are a multitude of other ICMP Types and each and every one has a distinct purpose and reason. I just covered the basics.

    But again many users have a hardware firewall in front of the PC, usually set to drop all inbound pings. However, any VPN user or Peer to Peer user and numerous other users all need to have the Reply to Ping enabled in the router. And with no ill effects or reduced security.

    Plus Zone Alarm will drop all unwanted ICMP inbound attempts, as any decent firewall will do. And log these dropped ICMP events. Even the lowly Windows firewall can be set to drop the unwanted pings. This is what firewalls do. Port scanners are beaten if the software firewall is applied properly.

    Best regards, Oldsod

    Message Edited by Oldsod on 01-20-2008 09:01 PM
    Best regards.
    oldsod
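An added example (not part of the thread) of how the open, closed and stealthed states discussed above look from the connecting side of the TCP handshake, for checking a port on your own machine. A listening port completes the handshake, a port with no listener is refused with a RST, and a stealthed port gives no answer until the timeout. The function names and the loopback demo are constructed for illustration.

```python
import errno
import socket


def tcp_port_state(host, port, timeout=2.0):
    """Classify one TCP port from the client side of the handshake.

    open      - SYN answered with SYN/ACK, connect() succeeds
    closed    - SYN answered with RST, connect() is refused
    stealthed - SYN silently dropped, connect() times out
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealthed"
        except OSError as exc:
            # ICMP Destination Unreachable (type 3) surfaces as these errnos.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise


def demo_on_loopback():
    """Constructed check on 127.0.0.1: one listening port, then released."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        state_listening = tcp_port_state("127.0.0.1", port)
    finally:
        listener.close()
    # Same port after the listener is gone: the stack answers with RST.
    state_released = tcp_port_state("127.0.0.1", port)
    return state_listening, state_released
```

A "stealthed" result only shows up when a firewall between the two endpoints drops the SYN, so it cannot be reproduced on loopback without one.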

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Re: port 135

    A Windows PC can be secured properly from the internet inbound connections without a firewall of any kind. The following images are showing the port scan performed on a computer with no firewall of any kind. The computer is connected directly to a cable modem with no hardware or software firewall in place.

    A Windows PC can be secured from the internet inbound connections without a firewall - neither software nor hardware. All ports are shown as closed and no security risks are present from inbound connections. The Windows Operating System has been "hardened" and all ports are closed. Yes, there will be unusually higher port and internet activity/traffic, as the closed ports are clearly visible and will accept the SYN packets from any server seeing the computer. But the closed ports will not properly respond back and the three way handshake never gets finalized to establish a connection. So the port vulnerabilities are nonexistent with closed ports.


    Oldsod
    Best regards.
    oldsod

  9. #9
    Join Date
    Dec 2005
    Posts
    9,057

    Re: port 135

    Now to cover open ports. Open ports are not always a threat. Most often it is a risk, but not always.
    A port can be opened by an application or some aspect of Windows or in the software firewall itself if a software firewall is being used. The connection can be established, but if the incoming packets do not match the exact purpose of the listening application then the connection will be dropped by that application itself. It will try, and if the packets are not exactly for that application, it will no longer respond to that server's connection. The application basically cannot use the packets not designed for it and will only accept packets specific to it and no other. If the application is not active, then the usually used open ports are naturally seen as closed.

    There will be a possible threat if a listening application or Windows service/file establishes the connection and then accepts the packets.
    This is where worms and certain trojans can be mistakenly allowed into a PC - the Windows operating system applications which have opened ports can often be tricked into "seeing" that the rogue packets are for it, and it then accepts these packets. These rogue packets can then have a chance to enter the PC and infect the PC. But this infection will happen only if the application actually lets the rogue packets in and not from the established connection attempts itself.
    Or simply put, in a simplified example, the adobe updater cannot use any java packets (or any other packets not designed for it) and so any java packets would be immediately dropped, even after the connection is established.

    It may just happen that a "hacker" would sooner or later figure out what the open ports are for and what would respond to these ports and then "customize" some worms/trojans to fool those specific applications into accepting the packets. Then the hacker will have infected the PC.
    However, these infection/hacker attempts cannot happen if all ports are closed. It is often said that closed ports are just as safe as stealthed ports. This is a valid statement.

    A software firewall would stop these possible exploits from taking advantage of the open ports, thus providing protection.
    A software firewall goes one step further with open ports - it makes sure the correct packets are always sent to the correct application. If these are the incorrect packets for the application, it will immediately drop the connection and continue to block the connection attempts. Example - adobe updater is allowed an open port, then any incoming packets trying for the open port which are not designated for the adobe will be dropped.
    Plus the software firewall always makes sure the open port is stealthed at all times. This is very important. The port scanner or inbound connection attempts can never determine if the port actually exists in the first place or if the port status is either closed or opened. The inbound attempts or port scanner can just see there is a computer/server with an IP, and the exact port status is undeterminable. It cannot see any of the 65535 ports. The firewall will basically always inspect the headers and packets, and only then, after examining these properly, will it determine if the packets are designated for the correct application on that port and if the packets are to be let in. The software firewall always intercepts the connections and verifies the ports/protocols/IP and the applications in question. This holds true for the open/closed ports and not just for the inbound connections, but also the outbound connections.

    Best regards, Oldsod

    Message Edited by Oldsod on 01-20-2008 09:03 PM
    Best regards.
    oldsod

  10. #10
    watcher Guest

    Re: port 135

    Dear alexor:

    Oldsod has trumped any response I would have given to you re your question. His responses should answer any questions you may have had. In addition, if you want some more info re port 135, Gibson Research Corporation has both a good article and free utility for testing port 135 status on your PC. Here is the link:

    http://www.grc.com/freeware/dcom.htm

    Hope this helps.

    WATCHER
