[Dshield] Port 135

Josh Tolley josh at raintreeinc.com
Thu Oct 17 16:19:03 GMT 2002

I tried something similar when Code Red was running wild. A pretty
quick, dirty little program would listen for scans, log timestamp,
packet payload and source IP to a database, and send one of those
messages to the source IP. Lots of the messages didn’t go through for
whatever reason (firewall, NAT router, etc) but many did, and without
much apparent effect. The list of regular offenders and number of scans
from them was pretty much the same after I added the pop-up message
feature to the program as before.

Remember that most of the computers you'll be attacked from are
behind firewalls, and they're only getting infected by any of these
various worms because the firewall forwards the necessary ports to that
machine. The firewall almost certainly won't forward port 135 traffic to
that same machine, or to any other machine. 

Josh Tolley, GSEC

Jon R. Kibler wrote:
>You know, a public domain version of this tool, used to send text-only
>messages, could be quite useful!
>Q: What is the biggest problem we have dealing with infected systems?
>A: Contacting the actual admin of the system.
>Thus, my idea:
>Almost any system insecure enough to be infected by Nimda, SQLSnake,
>etc. is probably insecure enough to have Port 135 open. Therefore, we
>could take a public domain version of the spam tool described in this
>article, integrate it into our IDSes, and when we get hit by an infected
>system, blast back to the system console a Pop-Up Message along the
>lines of "Hey dummy, your system is infected by [insert parasite name].
>How about doing a better job of securing your systems?". At least they
>would then know that someone knows about the infected system!
>Just a thought... a little perverse thought maybe, but a thought just
>the same.
>Jon Kibler
>A.S.E.T., Inc.
>Charleston, SC  USA
>Roger wrote:
>>Getting suspicious hits on port 135?  This may explain it.  A new
>>of spam slam.
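As an added illustration of the kind of listener Josh describes (this is example code written for this page, not his program or anything from the list), here is a small Python scan logger. It records timestamp, source IP and payload to SQLite, checks whether the source's TCP/135 is even reachable before attempting a pop-up (the firewall point above: most sources will fail this probe), and tallies repeat offenders so the "same list before and after" comparison can be made from the database. Assumptions: the notifier shells out to the Windows `net send` command (the Messenger-service pop-up), the sample scans are constructed rather than captured, and the Code Red request line is abbreviated.

```python
"""Added example: log worm scans, probe TCP/135 on the source, try a pop-up, tally offenders."""
import socket
import sqlite3
import subprocess
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS hits (
    ts            TEXT    NOT NULL,
    src_ip        TEXT    NOT NULL,
    payload       BLOB    NOT NULL,
    reachable_135 INTEGER NOT NULL,  -- 1 if TCP/135 on the source accepted a connect
    notified      INTEGER NOT NULL   -- 1 if a pop-up message was attempted
)
"""

# Constructed sample traffic (not captured data). The Code Red request line is
# abbreviated; the binary payload is a placeholder for a non-HTTP probe.
SAMPLE_SCANS = [
    ("10.0.0.5",     b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\n"),
    ("192.0.2.7",    b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n"),
    ("10.0.0.5",     b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\n"),
    ("198.51.100.9", b"\x12\x01\x00\x34"),
    ("192.0.2.7",    b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n"),
    ("10.0.0.5",     b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\n"),
]


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def port_open(ip, port=135, timeout=1.0):
    """True if a TCP connect to ip:port succeeds; False on refusal, timeout or filtering."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def net_send(ip, message):
    """Default notifier: the Windows 'net send' command, which delivers a Messenger-service
    pop-up (assumption: the listener runs on a Windows host of that era). Returns True if
    the command could be launched at all."""
    try:
        subprocess.run(["net", "send", ip, message], check=False)
        return True
    except FileNotFoundError:   # not a Windows host, no 'net' command
        return False


def record_hit(conn, src_ip, payload, message, probe=port_open, notifier=net_send):
    """Log one scan; only attempt the pop-up when the source's TCP/135 is reachable."""
    reachable = probe(src_ip)
    if reachable:
        notifier(src_ip, message)
    conn.execute(
        "INSERT INTO hits VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), src_ip, payload, int(reachable), int(reachable)),
    )
    conn.commit()
    return reachable


def offenders(conn, min_hits=2):
    """(src_ip, scan count, pop-ups attempted) for sources seen at least min_hits times."""
    return conn.execute(
        "SELECT src_ip, COUNT(*) AS n, SUM(notified) FROM hits "
        "GROUP BY src_ip HAVING n >= ? ORDER BY n DESC, src_ip",
        (min_hits,),
    ).fetchall()


def replay_sample(probe, notifier, message="Your system is infected and scanning us."):
    """Feed SAMPLE_SCANS through record_hit with an injectable probe and notifier
    (so it runs offline), then return the offender table."""
    conn = open_db()
    for src_ip, payload in SAMPLE_SCANS:
        record_hit(conn, src_ip, payload, message, probe=probe, notifier=notifier)
    return offenders(conn)


def serve(conn, port, message, max_hits=None):
    """Accept loop on the port the worm hits (80 for Code Red/Nimda, 1433 for SQLSnake);
    every connection is logged and, if its TCP/135 answers, sent a pop-up."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        seen = 0
        while max_hits is None or seen < max_hits:
            client, (src_ip, _) = srv.accept()
            with client:
                client.settimeout(2.0)
                try:
                    payload = client.recv(4096)
                except socket.timeout:
                    payload = b""
            record_hit(conn, src_ip, payload, message)
            seen += 1


if __name__ == "__main__":
    serve(open_db("scans.db"), 80, "Your system is infected and scanning us. Please patch it.")
```

The probe and notifier are injected so the logic can be exercised without a network; in the replay the probe says only 10.0.0.5 has 135 reachable, so it is the only source that gets pop-ups, while the offender counts are unaffected either way, which is the outcome the post reports.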