[Dshield] Massive port 135 upswing?

Slade Edmonds slade at cryptoflow.net
Tue Jun 15 09:00:38 GMT 2004


Frank Knobbe wrote:

>On Mon, 2004-06-14 at 14:24, Robinson, Dennis A wrote:
>
>>Sounds like Welchia to me...The DCOM RPC vulnerability (first described in
>>Microsoft Security Bulletin MS03-026) using TCP port 135.
>>
>
>Uhm... how can you possibly say such a thing? It also could be one of a
>bunch of other viruses and worms, or perhaps just harmless Popup Spam.
>
Yes, I would not try to pin any TCP port 135 hit to any single 
vulnerability.

>Without analysis of the payload (perhaps by comparing hashes of the data
>section of the packet) one can not make conclusive statements about the
>packet itself.
>
Snort sigs are not too bad at this.  If you are like most folks out 
there doing packet analysis on TCP 135 you will probably roll your eyes 
and curse MS under your breath before you commence.

>
>Slade was saying that he just drops this stuff at the router. Fine and
>dandy, but this list is about communicating trends in port scans to make
>subscribers aware of possible surges of old or new worms and other
>nasties. Nels didn't ask what this could be, but he asked if others are
>seeing the same trend.
>
Let me re-phrase.  I used to be concerned / curious about TCP port 135 
traffic patterns.   I was seeing so-called 'surges' on a weekly or even 
daily basis.  As a result, at this time I do not care to track it.  
Also, in my short stay thus far on this list I would say that there is 
certainly a reasonable share of discussion here not related to trends in 
port scans.  Nels, I do apologize for not giving you a better answer.  I 
hope that I did not come across the wrong way.  I was just suggesting an 
alternative.  If that traffic is giving you grief, and it sounds like it 
is, consider dropping it before it has a chance to get at your 
firewall.  Works for me and plenty others.  Given the nature of this 
list, I think there is no harm in offering some advice.

>This is about trending, not about identification of malware. That can
>only be done by analyzing packet content.
>
>Regards,
>Frank
>
Slade
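The payload-hashing idea Frank raises above (bucketing port 135 hits by a hash of the packet's data section instead of counting the port alone), as an added example that is not part of this thread or of any poster's code. It is a self-contained Python 3 script: it builds a handful of constructed Ethernet/IPv4/TCP frames inline (no checksums, invented payload bytes that do not represent any real worm), then parses them, keeps only TCP destination port 135, and tallies by SHA-256 of the payload. The frame builder, the sample addresses and the sample payloads are all assumptions made for the demonstration.

```python
"""Tally TCP/135 hits by payload hash rather than by port alone.

Added example: constructed frames, not captured traffic.
"""
import hashlib
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left at zero; sample data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)            # IPv4 header + TCP header + data
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    # data offset 5 (20-byte header), flags PSH|ACK, window 8192
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def tcp_payload(frame):
    """Return (dst_port, payload) for an IPv4/TCP frame, or None if it is something else."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or ihl < 20 or total_len > len(ip):
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return dport, tcp[data_off:]


def payload_key(payload):
    """Bucket key: a bare SYN/ACK with no data cannot be attributed to anything."""
    return "no-payload" if not payload else hashlib.sha256(payload).hexdigest()


def tally_port_135(frames):
    """Return (raw port-135 hit count, Counter of hits keyed by payload hash)."""
    hits = 0
    by_hash = Counter()
    for frame in frames:
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        dport, payload = parsed
        if dport != 135:
            continue
        hits += 1
        by_hash[payload_key(payload)] += 1
    return hits, by_hash


# Constructed sample payloads (assumption: invented bytes, not any real worm's traffic).
PAYLOAD_A = b"\x05\x00\x0b\x03\x10\x00\x00\x00" + b"A" * 24
PAYLOAD_B = b"\x05\x00\x0b\x03\x10\x00\x00\x00" + b"B" * 40

SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.5", 1234, 135, PAYLOAD_A),
    build_frame("192.0.2.11", "198.51.100.5", 1235, 135, PAYLOAD_A),
    build_frame("192.0.2.12", "198.51.100.5", 1236, 135, PAYLOAD_B),
    build_frame("192.0.2.13", "198.51.100.5", 1237, 135, b""),
    build_frame("192.0.2.14", "198.51.100.5", 1238, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    hits, buckets = tally_port_135(SAMPLE_FRAMES)
    print(f"TCP/135 hits by port count alone: {hits}")
    for key, count in buckets.most_common():
        print(f"  {count:3d}  {key[:16]}")
```

Run against a real capture, the counters would be fed from a pcap reader instead of SAMPLE_FRAMES; the point is that the port count says "four hits" while the hash buckets say "two of one thing, one of another, one with no data at all", which is the difference between trending and identification that Frank draws.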
