Question about port 135 and 445.

Hi all,

Some questions about ports 135 and 445.

I connect to the Internet through ADSL. I have been told by my personal firewall that a lot of different computers are trying to connect to my system via ports 135 and 445, and all of these connections have been blocked. I did some research and learned that port 135 is used for the MS remote procedure call service and port 445 is used for resource sharing on Windows.

Does that mean all these computers are trying to hack into my system??

I ran the netstat command and got the following output (my computer name is hr):

    Proto  Local Address     Foreign Address  State
    TCP    hr:epmap          hr:0             Listening
    TCP    hr:microsoft-ds   hr:0             Listening
    TCP    hr:1025           hr:0             Listening
    TCP    hr:netbio-ssn     hr:0             Listening

Is that causing the problem?

Thanks for your time

Wing

Reply to
Wing

No, it doesn't mean that someone is trying to hack into your computer.

Port 135 is the DCOM port and is used by the MS O/S to communicate with other machines on a network, including the Internet, which is a giant network too. However, DCOM is used in a closed environment using Component Object Model communication between machines. Yes, if you leave that port open, then something can compromise the machine, and the machine can be controlled or COM objects can be controlled via that port using RPC(s).

Yes, 445 is the MS NT based O/S's port for sharing resources between machines in a closed and protected environment.

You have a personal FW/host-based packet filter on the machine that's protecting the ports from unsolicited inbound traffic on all ports, which is the traffic the PFW is blocking -- normal everyday traffic out there on the Internet that could lead to the machine being compromised if the machine was not being protected.

If this is a single machine directly connected to the modem, then you should disable/uninstall MS File and Print Sharing and Client for MS Networks off the NIC (Network Interface Card) and it will close the Windows Networking ports 137-139 UDP and 445 TCP and no communication can happen on the ports period. You have no need to be networking.

As far as doing anything with the NT O/S to close port 135, you should just leave it alone and let the PFW protect it.

Here are some other things you can do to better secure or harden the NT-based O/S against attack.

[link]
You should try to practice safehex.

[link]
Duane :)

Reply to
Duane Arnold

Not necessarily:

[link]

Reply to
optikl

That all depends on what the applications running on the machine are doing. Some applications may need DCOM active on the machine in order to work.

If I am going to do something along the lines of shutting down DCOM on an NT-based machine, then I am going to the MS site.

I won't have anything to do with Gibson. ;-)

But in general, one should just leave something like DCOM alone and let a FW or packet filter protect the port.

Duane :)

Reply to
Duane Arnold

However they don't need any binding of network services for DCOM.

They say that a utility "dcomcnfg" exists. Or that adding the relevant registry entries is trivial as well:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "EnableDCOM"="N"
    "EnableDCOMHTTP"="N"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
    "DCOM Protocols"=hex(7):00,00

[link]
for a coverage of his biggest errors. Wanna choke...

Eh... no? Once the packet filter is down and makes a mistake, you're busted. Disable DCOM network binding and you're safe until someone changes the configuration, which under a restricted account is usually only the case when installing a new Windows patch (and you can easily check if it changes your configuration).

Reply to
Sebastian Gottschalk
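
The post above says you can easily check whether a patch changed this configuration. One way to do that check, as an added example that is not part of the original thread: it compares the three registry values quoted above with what is on the machine and lists listeners on the ports under discussion. `Test-DcomBinding` is a hypothetical helper name; the script assumes PowerShell 3.0 or later and a Windows version that ships `Get-NetTCPConnection` (Windows 8 / Server 2012 and later).

```powershell
# Added example: Test-DcomBinding is a hypothetical helper name, not a Windows cmdlet.
# Expected values are the three registry entries quoted in the post above.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM';     Want = 'N' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOMHTTP'; Want = 'N' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Rpc'; Name = 'DCOM Protocols'; Want = '' }
)

function Test-DcomBinding {
    foreach ($e in $expected) {
        $key = Get-Item -Path $e.Path -ErrorAction SilentlyContinue
        $raw = $null
        # Plain assignment (not an if-expression) so an empty REG_MULTI_SZ
        # stays an empty array instead of collapsing to $null.
        if ($key) { $raw = $key.GetValue($e.Name, $null) }

        if ($null -eq $raw) {
            $actual = '<not set>'
        } else {
            # REG_SZ gives one string; REG_MULTI_SZ gives string[].
            # hex(7):00,00 is an empty list, which joins to ''.
            $actual = @(@($raw) | Where-Object { $_ }) -join ','
        }

        [pscustomobject]@{
            Key = $e.Path; Value = $e.Name
            Expected = $e.Want; Actual = $actual
            Matches = ($actual -eq $e.Want)
        }
    }
}

$result = Test-DcomBinding
$result | Format-Table -AutoSize

# Listeners on the ports discussed in the thread (epmap, netbios-ssn, microsoft-ds).
Get-NetTCPConnection -State Listen -LocalPort 135, 139, 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

if ($result | Where-Object { -not $_.Matches }) {
    Write-Warning 'Registry values differ from the entries quoted above.'
}
```

Running it after each Windows update and comparing the `Matches` column gives the configuration check the post refers to.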

Good information; however, for me, I can't do it. I need DCOM running on my machines. ;-)

Duane :)

Reply to
Duane Arnold

Can't you read? This entry doesn't disable DCOM at all (which would make your system pretty unusable), it only disables offering DCOM as a network service for remote invocation. Almost no one needs that.

Reply to
Sebastian Gottschalk

I didn't really bother to read it. But again, thanks for the info.

Duane :)

Reply to
Duane Arnold

There is no such thing as a "DCOM port". It's the RPC portmapper (RpcSs) that is bound to 135/tcp.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

DCOM uses port 135 and that's how COM and COM+ objects communicate in remote situations on the network using the MS platform.

With .NET solutions, MS uses .NET Remoting, whereas the developer can choose any port above 1024 as the port to do remote communications between objects. However, .NET objects can be converted to interface with existing COM objects, and it's going to do it on port 135, the DCOM port.

You can call that port anything you want but it's the DCOM port to me and nothing else and DCOM uses that port on the MS platform.

Duane :)

Reply to
Duane Arnold

Nope. DCOM uses RPC which uses port 135. RPC is not limited to DCOM and there's a lot more than DCOM that uses RPC on a Windows host.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

As far as that's concerned, RPC is used by SVCHOST too and a whole host of other things that run, not limited to DCOM, so there you go, I agree with you.

But to me as a programmer, it's the DCOM port.

We can sit here and go back and forth about it all day long. I got my view of it and you got your view of it and I am going to leave it at that.

Duane :)

Reply to
Duane Arnold

Duane Arnold remote situations on the network using the MS platform.

135 is DCE-RPC. This is one possibility, how DCOM and COM+ may be implemented.

Yours, VB.

Reply to
Volker Birk

Thanks for your information.

Wing

Reply to
Wing
