Question about port 135 and 445.

hi all,

Some questions about ports 135 and 445.

I connect to the Internet through ADSL. My personal firewall has reported
that a lot of different computers are trying to connect to my system via
ports 135 and 445, and all of these connections have been blocked. I did
some research and know that port 135 is used for the MS remote procedure
call service and port 445 is used for resource sharing on Windows.

Does that mean all these computers are trying to hack into my system?

I ran the netstat command and got the following output (my computer name
is hr):

Proto  Local Address       Foreign Address  State
TCP    hr:epmap            hr:0             Listening
TCP    hr:microsoft-ds     hr:0             Listening
TCP    hr:1025             hr:0             Listening
TCP    hr:netbio-ssn       hr:0             Listening

Is that causing the problem?

Thanks for your time

Wing


Re: Question about port 135 and 445.
Wing wrote:

No, it doesn't mean that someone is trying to hack into your computer.

Port 135 is the DCOM port and is used by the MS O/S to communicate with
other machines on a network, including the Internet, which is a giant
network too. However, DCOM is used in a closed environment using Component Object
Model communication between machines. Yes, if you leave that port open,
then something can compromise the machine and the machine can be
controlled or COM objects can be controlled via that port using RPC(s).

Yes, 445 is the MS NT based O/S's port for sharing resources between
machines in a closed and protected environment.

You have a personal FW/host based packet filter on the machine that's
protecting the ports from unsolicited inbound traffic on all ports, which
is the traffic the PFW is blocking -- normal everyday traffic out there
on the Internet that could lead to the machine being compromised if the
machine was not being protected.

If this is a single machine directly connected to the modem, then you
should disable/uninstall MS File and Print Sharing and Client for MS
Networks off the NIC (Network Interface Card) and it will close the
Windows Networking ports 137-139 UDP and 445 TCP and no communication
can happen on the ports period. You have no need to be networking.

Port 135 as far as doing anything with the NT O/S to close that port,
you should just leave it alone and let the PFW protect it.

Here are some other things you can do to better secure or harden the NT
based O/S against attack.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

You should try to practice safehex.

http://www.claymania.com/safe-hex.html

Duane :)



Re: Question about port 135 and 445.
Duane Arnold wrote:


Not necessarily:
http://www.grc.com/dcom/

Re: Question about port 135 and 445.
optikl wrote:

That all depends on what the applications running on the machine are doing.
Some applications may need DCOM active on the machine in order to work.

If I am going to do something along the line of shutting down DCOM on a
NT based machine, then I am going to the MS site.

I won't have anything to do with Gibson. ;-)

But in general, one should just leave something like DCOM alone and let
a FW or packet filter protect the port.

Duane :)


Re: Question about port 135 and 445.
Duane Arnold wrote:

However they don't need any binding of network services for DCOM.


They say that a utility "dcomcnfg" exists. Or that adding the relevant
registry entries is trivial as well:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableDCOMHTTP"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):00,00


http://www.grcsucks.com for a coverage of his biggest errors. Wanna choke...


Eh... no? Once the packet filter is down and makes a mistake, you're
busted. Disable DCOM network binding and you're safe until someone
changes the configuration, which under a restricted account is usually
only the case when installing a new Windows patch (and you can easily
check if it changes your configuration).
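
Added example (not part of the original thread): one way to do the configuration check mentioned above is to export the two keys and compare them with the values listed in the post. The function names and the sample export are constructed for illustration; the "drifted" values (`Y`, `ncacn_ip_tcp`) are assumed sample data.

```python
import re

# Values from the post above: DCOM is not offered as a network service.
OLE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
RPC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc"
EXPECTED = {(OLE, "EnableDCOM"): "N", (OLE, "EnableDCOMHTTP"): "N",
            (RPC, "DCOM Protocols"): []}

def parse_reg(text):
    """Parse decoded .reg export text into {(key, name): value}, lower-cased."""
    values, key = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):            # REG_SZ (escapes not decoded)
            values[(key, name)] = raw[1:-1]
        elif raw.startswith("hex(7):"):    # REG_MULTI_SZ, UTF-16LE strings
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            strings = data.decode("utf-16-le", "replace").split("\x00")
            values[(key, name)] = [s for s in strings if s]
    return values

def dcom_drift(reg_text):
    """Return [(key, name, expected, found)] for every setting that differs."""
    found = parse_reg(reg_text)
    drift = []
    for (key, name), want in EXPECTED.items():
        got = found.get((key.lower(), name.lower()))
        if got != want:
            drift.append((key, name, want, got))
    return drift

# Constructed sample export: remote DCOM has been switched back on.
SAMPLE_DRIFTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"EnableDCOMHTTP"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,\
  74,00,63,00,70,00,00,00,00,00
'''
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `dcom_drift`; a missing value is reported as drift with `None` as the found value.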

Re: Question about port 135 and 445.
Sebastian Gottschalk wrote:

Good information; however, for me, I can't do it. I need DCOM running on
my machines. ;-)

Duane :)

Re: Question about port 135 and 445.
Duane Arnold wrote:


Can't you read? This entry doesn't disable DCOM at all (which would
make your system pretty unusable), it only disables offering DCOM as
a network service for remote invocation. Almost no one needs that.

Re: Question about port 135 and 445.
Sebastian Gottschalk wrote:

I didn't really bother to read it. But again, thanks for the info.

Duane :)

Re: Question about port 135 and 445.
Duane Arnold wrote:

There is no such thing as a "DCOM port". It's the RPC portmapper
(RpcSs) that is bound to 135/tcp.

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Re: Question about port 135 and 445.
Ansgar -59cobalt- Wiechers wrote:

DCOM uses port 135 and that's how COM and COM+ objects communicate in
remote situations on the network using the MS platform.

With .NET solutions, MS uses .NET Remoting, where the developer can
choose any port above 1024 as the port to do remote communications
between objects. However, .NET objects can be converted to interface
with existing COM objects and it's going to do it on port 135, the DCOM
port.

You can call that port anything you want but it's the DCOM port to me
and nothing else and DCOM uses that port on the MS platform.

Duane :)


Re: Question about port 135 and 445.
Duane Arnold wrote:

Nope. DCOM uses RPC which uses port 135. RPC is not limited to DCOM and
there's a lot more than DCOM that uses RPC on a Windows host.

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Re: Question about port 135 and 445.
Ansgar -59cobalt- Wiechers wrote:

As far as that's concerned, RPC is used by SVCHOST too and a whole host
of other things that run, not limited to DCOM, so there you go, I agree
with you.

But to me as a programmer, it's the DCOM port.

We can sit here and go back and forth about it all day long. I got my
view of it and you got your view of it and I am going to leave it at that.

Duane :)

Re: Question about port 135 and 445.

135 is DCE-RPC. This is one possibility for how DCOM and COM+ may be
implemented.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Re: Question about port 135 and 445.
Thanks for your information.

Wing

