Thread: Re: Heavy Volume of Alerts to Port 135

  1. #1
    billmart Guest

    Re: Heavy Volume of Alerts to Port 135

    I am being bombarded with unrelenting attempts to reach Port 135 on my computer and can't figure out why. These are coming local from my own ISP. As of Jan. 24, 2007 I have disabled Distributed COM on my computer for increased security purposes. Also I have checked the registry for the global setting to disable DCOM:

    ( HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Value: EnableDCOM )
    and it shows "N" (to disable).

    I have sent two email msgs. to the host master reporting the activity along with
    supporting extracts from ZA logs. One showed about 35 blocked attempts with the frequency of the scans at regular, short intervals - 8 or 9 minutes approximately.
    On the first contact, 22 Feb 2007, I got a reply asking for my identity which I forgot to include in the msg. After submitting this, I noticed later on the site was shut down for a while. There was no further contact from them. However, for about two weeks there was a welcome reprieve with hardly a blip.

    I thought this got solved pretty quickly. However, the activity resumed in earnest on 2007/03/01 with the perpetrator looking to land on port 445 for 21 consecutive attempts. The activity varied, but the concentrated efforts were for ports 135 and 445.

    Again I contacted the host master reporting the activity with no reply this time - these guys seem reticent to open up with any dialog. Again there was a welcome lull for a few days then it began all over again.

    I am somewhat at a loss for a possible explanation for all this. I was kind of hoping the host master could supply a clue, but nothing came forth.

    Can anyone advise me if there might be something I overlooked relative to computer settings, so forth? I don't think I am sending anything Remote from my computer to prompt all these scans, otherwise ZA would throw an outgoing warning pop up - I think. Any help will be appreciated.

    Bill Martins

    Operating System: Windows2000 Pro
    Product Name: ZoneAlarm version:7.0.302.000
    TrueVector version:7.0.302.000
    Driver version:7.0.302.000

    Some Sample Alerts

    ----------------------------------------------------

    Description Packet sent from 205.237.192.146 (TCP Port 1795) to 205.237.202.88 (TCP Port 135) was blocked
    Rating Medium
    Date / Time 2007/03/17 19:19:44-5:00 GMT
    Type Firewall
    Protocol TCP (flags:S)
    Program
    Source IP 205.237.192.146:1795
    Destination IP 205.237.202.88:135
    Direction Incoming
    Action Taken Blocked
    Count 1
    Source DNS
    Destination DNS U7G2C7

    ------------------------------------------------------------

    Description Packet sent from 205.237.202.74 (TCP Port 4699) to 205.237.202.88 (TCP Port 135) was blocked
    Rating Medium
    Date / Time 2007/03/17 19:24:12-5:00 GMT
    Type Firewall
    Protocol TCP (flags:S)
    Program
    Source IP 205.237.202.74:4699
    Destination IP 205.237.202.88:135
    Direction Incoming
    Action Taken Blocked
    Count 1
    Source DNS
    Destination DNS U7G2C7
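
A way to triage alert text like the samples above, added here as an example and not part of the original thread: it parses the ZoneAlarm alert fields, groups blocked packets by destination port, and reports the distinct sources, whether every packet was a bare SYN, and the gaps between attempts. The `205.237.0.0/16` "local" prefix and the third sample alert are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# First two alerts are abridged from the post; the third is constructed for contrast.
SAMPLE = """\
Description Packet sent from 205.237.192.146 (TCP Port 1795) to 205.237.202.88 (TCP Port 135) was blocked
Date / Time 2007/03/17 19:19:44-5:00 GMT
Protocol TCP (flags:S)
Description Packet sent from 205.237.202.74 (TCP Port 4699) to 205.237.202.88 (TCP Port 135) was blocked
Date / Time 2007/03/17 19:24:12-5:00 GMT
Protocol TCP (flags:S)
Description Packet sent from 192.0.2.10 (TCP Port 2101) to 205.237.202.88 (TCP Port 445) was blocked
Date / Time 2007/03/17 19:30:00-5:00 GMT
Protocol TCP (flags:S)
"""
DESC = re.compile(r"Packet sent from (\S+) \(\w+ Port \d+\) to (\S+) \(\w+ Port (\d+)\) was blocked")
WHEN = re.compile(r"Date / Time (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")

def parse_alerts(text):
    """Return one dict per alert; a Description line starts a new alert."""
    alerts = []
    for line in map(str.strip, text.splitlines()):
        if m := DESC.search(line):
            alerts.append({"src": m[1], "dst": m[2], "dport": int(m[3]), "syn_only": False})
        elif alerts and (m := WHEN.search(line)):
            alerts[-1]["time"] = datetime.strptime(m[1], "%Y/%m/%d %H:%M:%S")
        elif alerts and line.startswith("Protocol"):
            alerts[-1]["syn_only"] = "(flags:S)" in line
    return alerts

def summarize(text, local_net="205.237.0.0/16"):
    """Per destination port summary; local_net is an assumed ISP prefix, not from the page."""
    net, by_port = ip_network(local_net), defaultdict(list)
    for a in parse_alerts(text):
        by_port[a["dport"]].append(a)
    out = {}
    for port, hits in sorted(by_port.items()):
        times = sorted(h["time"] for h in hits if "time" in h)
        srcs = {h["src"] for h in hits}
        out[port] = {
            "hits": len(hits),
            "sources": sorted(srcs),
            "local_sources": sorted(s for s in srcs if ip_address(s) in net),
            "all_syn": all(h["syn_only"] for h in hits),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return out
```

Several distinct sources sending single SYN packets to the same port points to unsolicited connection attempts from other hosts rather than replies to traffic the PC started.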

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Heavy Volume of Alerts to Port 135

    Hi

    Continue with this with advice from...


    http://www.markusjansson.net/exp.html

    Give extra attention to the Properties of the NetWork connection section.

    Another article about this ....

    http://www.hsc.fr/ressources/breves/...win.en.html.fr


    I usually add keys to the registry to block certain ports, 135 TCP and 445 TCP included.

    Something like this...

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

    Then add the 445:TCP as a String Value and select Modify and type-in 445:UDP:LocalSubNet: Disabled. Do the same for 135:TCP and enter the 135:TCP:LocalSubNet: Disabled. Please note I had to space the LocalSubNet: and the Disabled to stop the smileys from popping in place.


    An alternative solution, as you are already aware of, is to use a router between the modem and the PC. This would defeat any port probes or unwanted connections from the internet.


    Additionally, the Port Reporter from Microsoft may be useful. It does log all and what was accessing the internet.

    http://www.microsoft.com/downloads/d...%3d%3d

    Please see the following Knowledge Base article for information on Port Reporter:

    http://support.microsoft.com/?id=837243


    A network analyzer would see all that is passing in the traffic. It would not miss anything. Try this one...

    http://www.ethereal.com/introduction.html

    Both software are freeware and seem to work well.

    Interesting enough, when I hook the PC directly to the cable modem and have no software firewall enabled and try a port scan, the ports 135, 137, 138, 139 and 445 always show as stealthed. The reason is the provider actually closes those ports at their servers and hence they cannot be seen. I have no idea why your provider does not do the same.

    Oldsod

    Message Edited by Oldsod on 03-18-2007 03:05 AM
    Best regards.
    oldsod

  3. #3
    billmart Guest

    Re: Heavy Volume of Alerts to Port 135

    Hello Oldsod,

    Thanks for your reply to my distress call, and the very excellent links
    supplied therein. I've already started using them and discovered how
    open my computer is. But lo and behold, after a further extensive search
    of the archives which led me to check some settings on my firewall, I
    discovered that the trusted zone was devoid of an essential entry - my own
    IP address. So it was the router, and there was no valid threat at all.

    I made the entry offline and went back on to see the results. No alerts,
    no nothing - Great! I couldn't believe it. While on-line I checked the
    trusted zone again. This time ( and this is weird ) there was an additional
    mysterious entry:
    Name WAN (PPP/SLIP)
    Zone Internet
    Entry Type Adapter Subnet
    IP Address / Site 205.237...

    How this one got there, I haven't a clue. Now here's something else.
    When I go offline the entry disappears. I go back on-line there it is
    again. Help from above? I am just wondering if the ISP is having
    a hand in this. Anyway no more alerts! And is that a relief - no more
    bloated logs. Thanks again for your help and support in all this.

    Best Regards,

    Bill Martins

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Heavy Volume of Alerts to Port 135

    Hi

    I have no idea why the PC's actual IP was added to the Zones. Not needed.

    The DNS server(s) addresses should be added as Trusted in the Zones of the Firewall of the ZA. Not just the router address.

    The new entry seems to be an adapter? That could have been added by the ZA after a reboot or restart. What is the actual IP listed? In any event it can be removed if distrusted. It can always be replaced if needed.

    Also why does the first post show the PC having an internet IP yet there is a router in front of the PC? Has not the router assumed the internet IP and has assigned a private network IP to the PC? Also why is the router allowing the connections to be allowed - it should be dropping unwanted connections?

    Oldsod

    Message Edited by Oldsod on 03-19-2007 01:15 AM
    Best regards.
    oldsod

  5. #5
    billmart Guest

    Re: Heavy Volume of Alerts to Port 135

    Thanks again for your reply. It appears there has been a massive screw-up on my part regarding all this. When I mentioned in my reply to your first post that I had searched the archives and came across a thread which led me to check settings on my firewall, I thought this discussion was applicable to me because the original post identified the very same problem I am having.

    Please see:
    ZoneAlarm User Forum : Helpful Hints & Links - Thread - Computer hacking - 17 Posts.

    I didn't realize the posts might be talking about a personal router only and not one my ISP might have.

    So I hastily jumped the gun and followed the advice given and placed my IP address into the Trusted Zone. As things turned out, there was a complete lack of activity after this move and therefore thought the problem solved. Wrong! The problem resumed after the lull. I think this is what you are referring to in your inquiry.

    At any rate, the problem still exists with some extra frosting. The new development of having an additional mysterious entry appear in the Trusted Zone at logons to the Internet remains. On line the entry appears, offline the entry disappears. Also when I remove the IP address I mistakenly added, it returns as well. I am starting to think that my computer has been hijacked. But repeated scans with McAfee VirusScan reveal nothing.

    Frankly, I am in a deep, black hole with this problem. I am not that knowledgeable with the workings of the Internet - or ZoneAlarm for that matter. Not quite sure what you mean by

    "Also why does the first post show the PC having an Internet IP yet there is a router in front of the PC?"

    Do you happen to know what the WAN (PPP/SLIP) stands for in the entry title?

    Name WAN (PPP/SLIP) Interface
    Zone Internet
    Entry Type Adapter Subnet
    IP Address / Site 205.237.202.73/255.255.255.255

    My IP Address is REMOVED BY OLDSOD TO PRESERVE YOUR SECURITY. THE INTERNET IP PUBLICLY ADVERTISED IS NOT ADVISABLE.

    That's all I can give you at the moment. I truly appreciate your time and effort with this.

    Best,
    Bill Martins

    Message Edited by Oldsod on 03-19-2007 10:01 PM

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Heavy Volume of Alerts to Port 135

    Hi BillMart

    WAN

    http://en.wikipedia.org/wiki/Wide_area_network


    SLIP

    http://en.wikipedia.org/wiki/SLIP

    PPP

    http://en.wikipedia.org/wiki/Point-to-Point_Protocol


    Differences Between SLIP and PPP

    http://www.ccsi.com/survival-kit/slip-vs-ppp.html

    Okay you have dialup. Any printer on the LAN or perhaps the address is belonging to the provider or the modems.
    Have you contacted your provider to see what they could add to this?

    Oldsod

    Message Edited by Oldsod on 03-19-2007 10:04 PM
    Best regards.
    oldsod

  7. #7
    billmart Guest

    Re: Heavy Volume of Alerts to Port 135

    No, no printer installed. Can't say about the modems. I am reluctant to contact the provider since as previously mentioned they seem uncommunicative. Thought I would go ahead and see if this could be solved through forums.

    One thing I am looking at, though, is the only other entry in the Trusted Zone, the Loopback adapter. This I believe is a default setting with ZA initial installation. What's the purpose for this setting and is it necessary? What happens if it is removed?

    Best
    BillMart

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Heavy Volume of Alerts to Port 135

    The 127.0.0.1 is the internal address of the PC. It is not an external address and must be listed.

    As I mentioned before the DNS and the DHCP and the possible gateway address must be listed in the Zones of the Firewall.

    1. Go to Run, type in command, hit OK, and type ipconfig /all then press enter. In the returned data list will be a line DNS and DHCP Servers with the IP address(es) listed out to the side.
    2. In ZA on your machine on the Firewall>Zones tab click Add and then select IP Address. Make sure the Zone is set to Trusted.
    3. Click OK and then Apply for each one.
    4. The localhost or loopback must be listed as Trusted. It has the address of 127.0.0.1.
    5. The Generic Host Process or the svchost.exe listed in the Program list must have both Trusted and Internet access and it must have server rights for the Trusted Zone, but not the Internet Zone.

    http://zonealarm.donhoover.net/dnsdhcp.html

    http://www.microsoft.com/resources/d....mspx?mfr=true

    Also keep in mind that some providers like to keep in contact with their clients (customers) by the DCOM or BIOS ports. Strange but true.

    Oldsod
    Best regards.
    oldsod

  9. #9
    billmart Guest

    Re: Heavy Volume of Alerts to Port 135

    Hi Oldsod,

    This is what ipconfig returned when I put it through:

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\>ipconfig /all

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : u7g2c7
    Primary DNS Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    PPP adapter BRCS:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 205.237.xxx.xxx REMOVED FOR SAFETY REASONS
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 205.237.202.72 ----------> Placed in trusted zone.
    DNS Servers . . . . . . . . . . . : 205.237.202.68 ----------> Placed in trusted zone
    205.237.195.17---------------------> Placed in trusted zone

    NetBIOS over Tcpip. . . . . . . . : Disabled

    Also in the Program Section for the entry Generic Host Process ( svchost.exe ) I have
    allowed program permissions for both Trusted & Internet in the Access, allowing server rights
    for the trusted only - as per your instructions. Funny thing is I was on the net last night
    without a murmur. Same thing for today. Hope the new additions to ZA will put the good
    housekeeping seal on things. Will keep you advised of any developments. Thanks for all.

    BillMart

    Message Edited by Oldsod on 03-22-2007 04:38 AM
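
The steps in post #8 applied to the `ipconfig /all` output in post #9, added here as an example and not part of the original thread: it extracts the gateway, DNS and DHCP addresses as single hosts (including the second DNS server on its continuation line) and checks that none of the blocked alert sources from the first post would become trusted. The function names are hypothetical.

```python
import re
from ipaddress import ip_address

# Abridged from the ipconfig /all output in the post (annotations removed).
IPCONFIG = """\
PPP adapter BRCS:
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        DHCP Enabled. . . . . . . . . . . : No
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 205.237.202.72
        DNS Servers . . . . . . . . . . . : 205.237.202.68
                                            205.237.195.17
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""
# Source addresses of the two blocked alerts quoted in the first post.
ALERT_SOURCES = ["205.237.192.146", "205.237.202.74"]

FIELD = re.compile(r"^\s*([A-Za-z][^:.]*?)[ .]*:\s*(.*)$")
WANTED = ("Default Gateway", "DNS Servers", "DHCP Server")

def infrastructure_hosts(text):
    """Map each gateway/DNS/DHCP address to the ipconfig field it came from."""
    hosts, field = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            field, value = m[1].strip(), m[2].strip()
        else:
            value = line.strip()  # continuation line, e.g. a second DNS server
        if field in WANTED and value:
            try:
                hosts[str(ip_address(value))] = field
            except ValueError:
                pass  # value is not an IP address
    return hosts

def trusted_alert_sources(text, sources):
    """Alert sources that a host-only Trusted Zone list would let through."""
    hosts = infrastructure_hosts(text)
    return [s for s in sources if s in hosts]
```

An empty result from `trusted_alert_sources(IPCONFIG, ALERT_SOURCES)` means the Trusted Zone entries cover only the provider's gateway and DNS hosts, so the addresses that were probing ports 135 and 445 stay in the Internet Zone.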

  10. #10
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Heavy Volume of Alerts to Port 135

    Hi BillMart

    Everything looks good!

    Your ZA now has the correct settings!

    There should be fewer conflicts and fewer alerts and issues.
    The ZA is a great software firewall and will do a great job of protecting the PC. It is one of the best there is for stopping inbound intrusions, being built to withstand malware attacks and providing excellent outbound control.

    It just takes some small adjustments to fine tune the ZA. Those arrangements for the settings are always needed, so just keep it in mind for any future times.

    Oldsod
    Best regards.
    oldsod
