May 12, 2006, 3:57 am

Hi all,
I have a question about ports 135 and 445.
I connect to the Internet through ADSL. My personal firewall has reported
that a lot of different computers are trying to connect to my system via
ports 135 and 445, and all of these connections have been blocked. I did
some research and learned that port 135 is used for the MS remote
procedure call service and port 445 is used for resource sharing on
Windows.
Does that mean all these computers are trying to hack into my system?
I ran the netstat command and got the following output (my computer name
is hr):
  Proto  Local Address    Foreign Address  State
  TCP    hr:epmap         hr:0             Listening
  TCP    hr:microsoft-ds  hr:0             Listening
  TCP    hr:1025          hr:0             Listening
  TCP    hr:netbio-ssn    hr:0             Listening
Is that causing the problem?
Thanks for your time
Wing

Re: Question about port 135 and 445.

No, it doesn't mean that someone is trying to hack into your computer.
Port 135 is the DCOM port and is used by the MS O/S to communicate with
other machines on a network, including the Internet, which is a giant
network too. However DCOM is used in a closed environment using Component Object
Model communication between machines. Yes, if you leave that port open,
then something can compromise the machine and the machine can be
controlled or COM objects can be controlled via that port using RPC(s).
Yes, 445 is the MS NT based O/S's port for sharing resources between
machines in a closed and protected environment.
You have a personal FW/host-based packet filter on the machine that's
protecting the ports from unsolicited inbound traffic on all ports, which
is the traffic the PFW is blocking -- normal everyday traffic out there
on the Internet that could lead to the machine being compromised if the
machine was not being protected.
If this is a single machine directly connected to the modem, then you
should disable/uninstall MS File and Print Sharing and Client for MS
Networks off the NIC (Network Interface Card) and it will close the
Windows Networking ports 137-139 UDP and 445 TCP and no communication
can happen on the ports period. You have no need to be networking.
Port 135 as far as doing anything with the NT O/S to close that port,
you should just leave it alone and let the PFW protect it.
Here are some other things you can do to better secure or harden the NT
based O/S against attack.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
You should try to practice safehex.
http://www.claymania.com/safe-hex.html
Duane :)

Re: Question about port 135 and 445.

That all depends on what the applications running on the machine are doing.
Some applications may need DCOM active on the machine in order to work.
If I am going to do something along the line of shutting down DCOM on an
NT based machine, then I am going to the MS site.
I won't have anything to do with Gibson. ;-)
But in general, one should just leave something like DCOM alone and let
a FW or packet filter protect the port.
Duane :)

Re: Question about port 135 and 445.
Duane Arnold wrote:

However they don't need any binding of network services for DCOM.

They say that a utility "dcomcnfg" exists. Or that adding the relevant
registry entries is trivial as well:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableDCOMHTTP"="N"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):00,00

http://www.grcsucks.com for a coverage of his biggest errors. Wanna choke...

Eh... no? Once the packet filter is down and makes a mistake, you're
busted. Disable DCOM network binding and you're safe until someone
changes the configuration, which under a restricted account is usually
only the case when installing a new Windows patch (and you can easily
check if it changes your configuration).
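
An added example, not written by anyone in this thread: one way to do the configuration check mentioned in the post above, by comparing a .reg-format text export of the Ole and Rpc keys against the values in the posted snippet. The function names and both sample exports are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re

# Hardened values from the registry snippet in the post above.
OLE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
RPC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc"
EXPECTED = {(OLE, "EnableDCOM"): "N", (OLE, "EnableDCOMHTTP"): "N",
            (RPC, "DCOM Protocols"): []}  # hex(7):00,00 is an empty list
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode_value(raw):
    """Decode string and hex(7) (REG_MULTI_SZ: UTF-16LE, NUL-separated) values."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1]).upper()  # Y/N in any case
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw  # dword:, hex: and other kinds are kept as raw text

def parse_reg(text):
    """Map (KEY, value name), both case-folded, to the decoded value."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join "\"-continued hex lines
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
        elif key and (m := VALUE_RE.match(line)):
            values[(key, m.group(1).lower())] = decode_value(m.group(2))
    return values

def dcom_drift(text):
    """Return (key, name, found) for each setting that is missing or changed."""
    found = parse_reg(text)
    got = {k: found.get((k[0].upper(), k[1].lower()), "<missing>")
           for k in EXPECTED}
    return [(*k, got[k]) for k in EXPECTED if got[k] != EXPECTED[k]]

# Constructed sample exports (not taken from a real machine).
HARDENED = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableDCOMHTTP"="N"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):00,00
'''
AFTER_PATCH = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,\
  5f,00,74,00,63,00,70,00,00,00,00,00
'''
```

`dcom_drift(AFTER_PATCH)` reports all three settings: DCOM re-enabled, `EnableDCOMHTTP` missing, and `ncacn_ip_tcp` back in the protocol list. A file written by `reg export` is UTF-16 and has to be decoded before it is passed in.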

Re: Question about port 135 and 445.
Ansgar -59cobalt- Wiechers wrote:

DCOM uses port 135 and that's how COM and COM+ objects communicate in
remote situations on the network using the MS platform.
With .NET solutions, MS uses .NET Remoting, whereas the developer can
choose any port above 1024 as the port to do remote communications
between objects. However, .NET objects can be converted to interface
with existing COM objects and it's going to do it on port 135, the DCOM
port.
You can call that port anything you want but it's the DCOM port to me
and nothing else and DCOM uses that port on the MS platform.
Duane :)

Re: Question about port 135 and 445.
Duane Arnold wrote:

Nope. DCOM uses RPC which uses port 135. RPC is not limited to DCOM and
there's a lot more than DCOM that uses RPC on a Windows host.
cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Re: Question about port 135 and 445.

As far as that's concerned, RPC is used by SVCHOST too and a whole host
of other things that run, not limited to DCOM, so there you go, I agree
with you.
But to me as a programmer, it's the DCOM port.
We can sit here and go back and forth about it all day long. I got my
view of it and you got your view of it and I am going to leave it at that.
Duane :)