[unisog] Port 135 closed may be vulnerable

Matt Crawford crawdad at fnal.gov
Tue Sep 2 22:15:17 GMT 2003

> In our experience, if TCP ports 139 and 445 are open , we expect to see
> 135 open as well.  So we have begun to nmap scan for hosts that have 
> ports 139 and 445 open, but not TCP 135 open.  None scanned as 
> vulnerable
> by normal scanners.  We put our hands on a few of hosts, and all of 
> them
> had TCP 135 "wake-up" after they rebooted, and then scanned as 
> vulnerable.

Thanks, Phil.  I found a few dozen "latent vulnerable systems" this 
way.  There were also some false positives: A Mac with Windows file 
sharing enabled, a Samba server with ipchains hiding port 135, and 
several 2000/XP systems with ipsec rules that blocked port 135 but not 
139 & 445.

More information about the unisog mailing list