[unisog] I may have spoken too soon (Windows message)

Rich Graves rcgraves at brandeis.edu
Thu Oct 10 21:32:35 GMT 2002


On Thu, 10 Oct 2002, Clarke Morledge wrote:

> We've been getting both of these "diploma" and "poetry" messages, and like
> Martin, we block ports 137-139 at the firewall.
> 
> Two questions:
> 
> (1) Does anybody know how we are getting hit by this?

Yes, they probe port 135, the Windows RPC portmapper, and get in on
another of the mysterious ports that the Windows kernel opens up by
default.

Block UDP and TCP 135 too.

Here you see the probes coming in on udp 135, saying hello, trying and
failing to talk to us on UDP 137 (destination interface 0 means a drop),
and reaching undocumented high ports.

Us: 10.64.144.222 on router interface 1. Them: 192.127.74.158 on router
interface 2.

Start             End               Sif   SrcIPaddress    SrcP  DIf   DstIPaddress    DstP    P Fl Pkts       Octets

1010.03:43:39.901 1010.03:43:39.901 1     192.127.74.158  4115  0     10.64.144.222   135   17  0  1          29
1010.03:43:39.913 1010.03:43:39.913 2     10.64.144.222   135   1     192.127.74.158  4115  17  0  1          112
1010.03:44:04.397 1010.03:44:04.397 1     192.127.74.158  3592  2     10.64.144.222   135   17  0  1          763
1010.03:44:04.421 1010.03:44:04.473 2     10.64.144.222   3538  1     192.127.74.158  3592  17  0  2          236
1010.03:44:04.473 1010.03:44:04.473 1     192.127.74.158  3592  2     10.64.144.222   3538  17  0  1          132
1010.03:44:04.493 1010.03:44:04.493 2     10.64.144.222   1051  1     192.127.74.158  3592  17  0  1          112
1010.03:43:46.193 1010.03:44:02.865 1     192.127.74.158  137   0     10.64.144.222   137   17  0  12         936
1010.03:44:06.541 1010.03:44:06.541 1     192.127.74.158  3592  2     10.64.144.222   1051  17  0  1          108
-- 
Rich Graves <rcgraves at brandeis.edu>
UNet Systems Administrator
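As an added example (not part of Rich's message or anything else in the unisog thread), here is a small Python script that parses flow records in the format shown above and flags the delivery pattern the post describes: an external host probing UDP 135 on an internal host, the internal host answering from 135, and the same external host then reaching dynamic high ports shortly afterwards, with firewall-dropped 137 traffic counted separately. The sample rows are the eight flows from the post, embedded as a string. The internal prefix 10.64., the 60-second correlation window, the year 2002 prepended to the MMDD timestamps, and the reading of "DIf 0" as a dropped flow are assumptions made for this example.

```python
"""Flag the Messenger-spam delivery pattern in flow-tools style NetFlow text.

Pattern (from the post): inbound UDP to 135 (RPC endpoint mapper) from an
outside host, a reply from 135, then inbound UDP from the same outside host
to a high (dynamic) port on the same inside host within a short window.
"""
from collections import defaultdict
from datetime import datetime

# Flow records copied from the post (constructed sample input for this script).
SAMPLE_FLOWS = """\
Start             End               Sif   SrcIPaddress    SrcP  DIf   DstIPaddress    DstP    P Fl Pkts       Octets
1010.03:43:39.901 1010.03:43:39.901 1     192.127.74.158  4115  0     10.64.144.222   135   17  0  1          29
1010.03:43:39.913 1010.03:43:39.913 2     10.64.144.222   135   1     192.127.74.158  4115  17  0  1          112
1010.03:44:04.397 1010.03:44:04.397 1     192.127.74.158  3592  2     10.64.144.222   135   17  0  1          763
1010.03:44:04.421 1010.03:44:04.473 2     10.64.144.222   3538  1     192.127.74.158  3592  17  0  2          236
1010.03:44:04.473 1010.03:44:04.473 1     192.127.74.158  3592  2     10.64.144.222   3538  17  0  1          132
1010.03:44:04.493 1010.03:44:04.493 2     10.64.144.222   1051  1     192.127.74.158  3592  17  0  1          112
1010.03:43:46.193 1010.03:44:02.865 1     192.127.74.158  137   0     10.64.144.222   137   17  0  12         936
1010.03:44:06.541 1010.03:44:06.541 1     192.127.74.158  3592  2     10.64.144.222   1051  17  0  1          108
"""

INTERNAL_PREFIX = "10.64."   # assumption: the site's own address space
UDP = 17                     # IP protocol number in the "P" column
EPMAP_PORT = 135             # Windows RPC endpoint mapper
DROP_INTERFACE = 0           # assumption: DIf 0 means the router dropped the flow
DYNAMIC_PORT_MIN = 1024      # anything above the well-known range


def parse_ts(text):
    """'1010.03:43:39.901' is MMDD.HH:MM:SS.mmm; the year is assumed to be 2002."""
    return datetime.strptime("2002" + text, "%Y%m%d.%H:%M:%S.%f")


def parse_flows(text):
    """Turn the 12-column flow-tools text into a list of dicts, skipping the header."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 12 or fields[0] == "Start":
            continue
        start, end, sif, src, sport, dif, dst, dport, proto, flags, pkts, octets = fields
        flows.append({
            "start": parse_ts(start), "end": parse_ts(end),
            "sif": int(sif), "src": src, "sport": int(sport),
            "dif": int(dif), "dst": dst, "dport": int(dport),
            "proto": int(proto), "flags": int(flags),
            "pkts": int(pkts), "octets": int(octets),
        })
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def find_messenger_deliveries(flows, window_seconds=60):
    """Return {(external_ip, internal_ip): summary} for pairs matching the pattern.

    A pair matches when an endpoint-mapper probe was seen and, within the
    window after the first probe, the same external host reached at least one
    dynamic port on the same internal host without being dropped.
    """
    by_pair = defaultdict(lambda: {"probes": [], "high_ports": [],
                                   "dropped": 0, "epmap_answered": False})
    for f in sorted(flows, key=lambda f: f["start"]):
        if f["proto"] != UDP:
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            # Outbound: a reply sourced from 135 means the host is listening on it.
            if f["sport"] == EPMAP_PORT:
                by_pair[(f["dst"], f["src"])]["epmap_answered"] = True
            continue
        if is_internal(f["src"]) or not is_internal(f["dst"]):
            continue  # not an inbound flow
        rec = by_pair[(f["src"], f["dst"])]
        if f["dport"] == EPMAP_PORT:
            rec["probes"].append(f["start"])
        elif f["dif"] == DROP_INTERFACE:
            rec["dropped"] += 1  # e.g. the 137 attempts the firewall blocked
        elif (f["dport"] >= DYNAMIC_PORT_MIN and rec["probes"]
              and (f["start"] - rec["probes"][0]).total_seconds() <= window_seconds):
            rec["high_ports"].append(f["dport"])
    return {pair: rec for pair, rec in by_pair.items()
            if rec["probes"] and rec["high_ports"]}


if __name__ == "__main__":
    for (ext, internal), rec in find_messenger_deliveries(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ext} -> {internal}: {len(rec['probes'])} probe(s) of udp/135, "
              f"135 answered={rec['epmap_answered']}, reached dynamic ports "
              f"{rec['high_ports']}, {rec['dropped']} flow(s) dropped at the firewall")
```

Run against the rows above it reports the single external host reaching ports 3538 and 1051 after its two endpoint-mapper probes, with the 137 traffic dropped. The "epmap_answered" flag is the check a defender wants after adding a filter for 135: once UDP and TCP 135 are blocked at the border, no outbound flow sourced from port 135 should appear for outside peers.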
