Port 135 closed may be vulnerable

Phil.Rodrigues at uconn.edu Phil.Rodrigues at uconn.edu
Fri Aug 22 20:43:49 GMT 2003


Hi all,

Every scanner for RPC-DCOM that we have used needs TCP port 135 open in 
order to return a correct response.  Which makes sense: the scanner probes 
TCP 135 and looks at the response it gets.  If TCP 135 is closed they do 
not get a response, and the scanner assumes the host is not vulnerable to 
attack.

We have seen a large number of Windows hosts on our network have TCP port 
135 closed, most likely because the RPC service crashed after an 
unsuccessful worm infection.  When the host is scanned the scanner reports 
it is not vulnerable.  HOWEVER, after the computer is rebooted, TCP port 
135 re-opens and the host becomes vulnerable to attack.

In our experience, if TCP ports 139 and 445 are open , we expect to see 
135 open as well.  So we have begun to nmap scan for hosts that have TCP 
ports 139 and 445 open, but not TCP 135 open.  None scanned as vulnerable 
by normal scanners.  We put our hands on a few of hosts, and all of them 
had TCP 135 "wake-up" after they rebooted, and then scanned as vulnerable.

We are recommending that other large networks look into this and see what 
their results are.  On our Class B we have 336 hosts that currently scan 
as vulnerable, and another 139 that have TCP 135 closed but TCP 139 and 
445 open.  We expect that all 139 of those are vulnerable to attack after 
they reboot.

No-one wants to be surprised by vulnerable hosts suddenly appearing in the 
middle of their network, especially after their range scans returned 100% 
of the hosts as "PATCHED".  We recommend you use nmap to find hosts in 
this potentially vulnerable state, reboot a few and scan them again, then 
consider whether or not to include this logic in your regular scans:

nmap -P0 -oG - -p 135,139,445 $IP | grep 445 | grep 139 | grep -v 135 | 
awk '{ print $2 }'

I am very interested in hearing other people's thoughts on this.

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================



More information about the unisog mailing list