Old 08-15-2003, 12:11 AM   #1
Member (7 bit)
 
JetaJam's Avatar
 
Join Date: Nov 2002
Location: Long Beach, California
Posts: 127
port 135

Hi guys,
I think that I'm one of the lucky ones who have not been had by Blaster. I have downloaded the current patch from M$, but how do I know if it is indeed installed? I have also activated the Windows XP firewall, by ticking the activate firewall box. That was a feature I was not aware of until today. Is there anything special I should do when setting up the firewall? Also, how do I block port 135? I know that this question is like beating a dead horse, but any direction by the experts here at the Mechanic would be greatly appreciated. Thanks in advance.
JetaJam is offline   Reply With Quote
Old 08-15-2003, 12:33 AM   #2
The Gavel
 
LawyerRon's Avatar
 
Join Date: Dec 1999
Location: Upland, CA
Posts: 6,311
Go to this site: www.grc.com and run "shields up". It will tell you if (and how) your port 135 is wide open or blocked. There are also tests to check all your other ports too. It's a very informative site if you're interested in learning how to secure your system.
__________________
"To speak ill of others is a dishonest way of praising ourselves"
LawyerRon is offline   Reply With Quote
Old 08-15-2003, 12:41 AM   #3
Member (7 bit)
 
JetaJam's Avatar
 
Join Date: Nov 2002
Location: Long Beach, California
Posts: 127
Thanks LawyerRon, I'm on my way now. I'll post back with the details.......
JetaJam is offline   Reply With Quote
Old 08-15-2003, 01:15 AM   #4
Member (7 bit)
 
JetaJam's Avatar
 
Join Date: Nov 2002
Location: Long Beach, California
Posts: 127
LawyerRon,
As you suggested I ran the shields up program, and all of the vulnerable ports were wide open. Thanks to your tip all is now secure. Very cool program. Thanks again. Oh yea, one more thing, will this cause my machine to run slower?
JetaJam is offline   Reply With Quote
Old 08-15-2003, 09:10 AM   #5
The Gavel
 
LawyerRon's Avatar
 
Join Date: Dec 1999
Location: Upland, CA
Posts: 6,311
As far as I know, Shields Up will not make your machine run slower.
LawyerRon is offline   Reply With Quote
Old 08-15-2003, 10:26 AM   #6
Staff
Premium Member
 
mairving's Avatar
 
Join Date: Jul 1999
Location: Arlington, TN
Posts: 5,538
It doesn't install anything on your computer so there is no way it can make it run slower.
mairving is offline   Reply With Quote
Old 08-15-2003, 10:35 AM   #7
Banned
 
morriswindgate's Avatar
 
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
Port 135 is used by one of the XP services. The thing about the Blaster worm is that it is so poorly written that when it enters the system it causes the RPC buffer to shut the machine down. You can cause this also by terminating the service on Port 135. I have a program called Active Ports that allows you to see the ports in use and what is using them.
I do not have the Blaster worm or any of its derivatives, and I do have the patch installed. But I was able to get the reboot by terminating the port.
morriswindgate is offline   Reply With Quote
Old 08-15-2003, 03:14 PM   #8
Member (7 bit)
 
JetaJam's Avatar
 
Join Date: Nov 2002
Location: Long Beach, California
Posts: 127
I'm sorry, I wasn't very specific in the last post. I was asking if having a firewall installed will cause my machine to run any slower?
JetaJam is offline   Reply With Quote
Old 08-15-2003, 09:18 PM   #9
Member (6 bit)
 
discerzz's Avatar
 
Join Date: Jan 2002
Location: ontario canada
Posts: 40
No, but disable the XP firewall and get ZoneAlarm (www.zonelabs.com). It is free and also stops outgoing progs.
discerzz is offline   Reply With Quote
Old 08-15-2003, 10:20 PM   #10
Computing Professor
Staff
Premium Member
 
Join Date: Jun 2001
Posts: 11,718
You can tell if the patch is installed by checking for it in Add/Remove programs in Control Panel.
It will read Windows XP Hotfix KB823980.
__________________
Asus M4A77D, 64 X2 6000+, 4 GB Corsair DDR2 800 ram, Radeon 5770.
pam123 is offline   Reply With Quote
Old 08-15-2003, 10:48 PM   #11
Member (7 bit)
 
JetaJam's Avatar
 
Join Date: Nov 2002
Location: Long Beach, California
Posts: 127
Hi pam123, I checked add/remove programs, and it is listed, along with 19 other hotfixes. What exactly does KB823980 do, and is there a way to consolidate all of the hotfixes into one folder or something, or am I stuck with all of the listings?
JetaJam is offline   Reply With Quote
Old 08-15-2003, 11:29 PM   #12
Computing Professor
Staff
Premium Member
 
Join Date: Jun 2001
Posts: 11,718
The KB823980 is the patch that protects your computer from Blaster.
If it's in Add/Remove it's properly installed and doing its job.
20 hotfixes ?
I'm assuming that these are other security patches you installed not something that just appeared all at once.
Right ?
pam123 is offline   Reply With Quote
Old 08-16-2003, 09:21 AM   #13
Member (7 bit)
 
JetaJam's Avatar
 
Join Date: Nov 2002
Location: Long Beach, California
Posts: 127
Yes, those are all security patches that I have installed through M$. Does that seem like a lot?
JetaJam is offline   Reply With Quote
Old 08-16-2003, 11:24 AM   #14
Computing Professor
Staff
Premium Member
 
Join Date: Jun 2001
Posts: 11,718
They're fine where they are; do not move them.
I was just worried that by some glitch you might have gotten 20 repeats of 1 patch.
pam123 is offline   Reply With Quote
Old 08-16-2003, 10:12 PM   #15
Banned
 
Join Date: Feb 2002
Location: in harms way
Posts: 2,768
Since the XP firewall is native, and I think it runs in the kernel, it will be faster, more stable, and more efficient than any 3rd party app. It is also stateful inspection, which is offered by no other software firewall that I know of. It's a one-way affair though, blocking incoming packets only.
Blakhart is offline   Reply With Quote
Old 08-20-2003, 05:37 PM   #16
Member (10 bit)
 
Join Date: Sep 1999
Posts: 883
morriswindgate:
Would the same thing happen if you blocked port 135? I wrote a rule blocking port 135 both directions.
That's not the same as terminating the service, is it?
Thanks
Briab Guy is offline   Reply With Quote
Old 08-20-2003, 06:31 PM   #17
Computing Professor
Staff
Premium Member
 
Join Date: Jun 2001
Posts: 11,718
Let's get this plain.
Either ZoneAlarm or Sygate would have avoided this, and an updated AV.
M$ patches can help but Windows isn't big on security, no matter what they said last year.
Spare yourself grief.
A good AV and a good firewall can be had for free.
Got a home network?
Do the research, the responsibility is yours.
No default settings !
pam123 is offline   Reply With Quote
Old 08-20-2003, 08:54 PM   #18
Member (7 bit)
 
CarlS's Avatar
 
Join Date: Mar 2003
Location: Altamonte Springs, FL
Posts: 108
Pam is absolutely right; plus keep the AV and firewall updated - especially the AV.
__________________
Carl S
CarlS is offline   Reply With Quote
Old 08-22-2003, 08:34 PM   #19
Member (10 bit)
 
Join Date: Sep 1999
Posts: 883
I don't think so

ZA or Sygate when loaded will not block port 135 and that is where this worm came riding in at. I think if you only relied on a firewall that you haven't written any rules for you'd be out of luck.
Think about it. How many companies, big companies, got the worm?
They have firewalls.
If you did not have that port blocked, I believe it would have come right on in.
2 people at my job got it and they both run firewalls.
morriswindgate in an earlier post says that you can't terminate the service of 135, and I don't know exactly what the difference is, but I have 135 blocked. And my PC is fine.
I may be wrong but that's my take on it.
Briab Guy is offline   Reply With Quote
Old 08-22-2003, 09:25 PM   #20
Computing Professor
Staff
Premium Member
 
Join Date: Jun 2001
Posts: 11,718
I don't know about your co-workers but I checked this out with Zone Alarm and it does block port 135.
But firewalls must be configured and that's where the problem usually starts. Also, they must be updated.
If you want to check your firewall a trip to shield's up is a good start.
pam123 is offline   Reply With Quote
Old 08-23-2003, 08:13 AM   #21
Member (10 bit)
 
Join Date: Sep 1999
Posts: 883
I stand corrected.
But I am lost as to why so many people got the worm if that's all it took to block it? Are there that many companies not running a firewall?
Thanks for the info
Briab Guy is offline   Reply With Quote
Old 08-23-2003, 10:23 AM   #22
Computing Professor
Staff
Premium Member
 
Join Date: Jun 2001
Posts: 11,718
Let's see, not only are they not running firewalls, not doing any patching and not updating their AV (what's the big deal, the program can do so automatically), they're doing even stranger things.
Read this article about the large company that, for whatever reason, kept one of its larger servers outside the company firewall. Guess what? It got hacked. http://techrepublic.com.com/5100-6329-5055990.html
pam123 is offline   Reply With Quote
Old 08-23-2003, 10:48 AM   #23
Member (10 bit)
 
Join Date: Sep 1999
Posts: 883
I went and read that article, and it's hard to believe that people are that, what, I don't even know what to call it. I'm not a PC guru, but some of it seems just to be common sense.
Now not to beat a dead horse
I read this in an earlier post here: (and to prove I'm a PC illiterate.)
Quote:
A lot of people have been getting error messages about RPC shutting down unexpectedly, leading to a reboot of Windows. This is affected Windows XP, Windows 2000, and Windows NT.
All you need to know about this problem, as well as what you should do, can be found here: http://securityresponse.symantec.co...ntent/8205.html
To summarize:
Block port 135 on your firewall if you have one
Download all critical updates for Windows using Windows Update
There's that "block" port 135. I believe what you told me, because I got told the same thing over at Wilder security, which I also trust.
But it makes it hard to be sure. I wrote a rule anyways. Better safe than sorry.
Thanks again
Briab Guy is offline   Reply With Quote
Old 08-23-2003, 10:58 AM   #24
Member (10 bit)
 
Join Date: Sep 1999
Posts: 883
I think I found part of the problem:
DCOM and Port 135

DCOM uses Port 135 for transmissions so users who check their ports will find this one open if DCOM is enabled. GRC newsgroup users should direct questions about DCOM and Port 135 to the ShieldsUp Newsgroup.

From "Phil Y" Jun 28-00: "I use ZoneAlarm and, although I never gave DCOM Internet access privileges, it kept port 135 open. Specifically denying Internet access to DCOM did not work. Only after disabling DCOM in the registry did ZoneAlarm stealth port 135."

Disabling DCOM alone may not close Port 135 as there are other apps that can force it open. Try the "Ports Finder" feature of AWSPS www.atelierweb.com/pscan/ to determine the cause (15 day fully functional free trial) or use a similar program. See Buzz Walradt's GRC FAQ Links website for other programs: web2.airmail.net/buzz/faqlinks.htm.

http://accs-net.com/smallfish/dcom.htm

Yeah, I know, pretty anal. I can't help it sometimes :-)

been fun chatting, I'll get out of your hair now.
Briab Guy is offline   Reply With Quote
Old 08-23-2003, 09:02 PM   #25
Computing Professor
Staff
Premium Member
 
Join Date: Jun 2001
Posts: 11,718
Hi Briab Guy,
I'm the nit-picky type myself so I totally understand.
The PCMech info on what ZA does is here : http://www.pcmech.com/show/os/354/
Depending on what you'd done/or not done to the firewall I'd bet you could get hit but, as you can see, the ports are blocked by default.
That's no consolation if you get infected, nothing would be, but left to itself ZA was a flawless protector this time 'round.
pam123 is offline   Reply With Quote
Old 08-24-2003, 09:17 AM   #26
Member (10 bit)
 
Join Date: Sep 1999
Posts: 883
and it goes on and on...

Pam,
I really did believe you. BUT, of course, I had to try.
I unblocked 135 and went and did the tests at GRC and Sygate
http://scan.sygate.com/, and if you want a personal port scanner
http://www.atelierweb.com/pscan/download.htm.
But anyway, without the port being blocked the firewall "did" stealth it. So I would not have had to have it blocked, just like you said.
I haven't checked my services to see if I have DCOM disabled or not though. I am pretty satisfied that most of the time a normal firewall will give enough protection.
God, I need to get a life! :-)
Briab Guy is offline   Reply With Quote
All times are GMT -5.