Successfully Block port 135, and 136 on Windows98?


Comp01
September 7th, 2003, 09:22 PM
I'm using Windows98, and I was wondering if I can 1: Block port 135/136, and 2: how to do it on Sygate free firewall?

Comp01
September 7th, 2003, 10:20 PM
Also, should I just block UDP?

Primrose
September 7th, 2003, 11:13 PM
Delete Unprotected Shares


In Windows terminology, a share is a mechanism that allows a user to connect to file systems and printers on other systems. An unprotected share is one that allows anyone to connect to it. Many Windows desktop users have unprotected shares, even though they do not really need sharing at all. The result is a far greater likelihood that their systems will be successfully attacked by hackers, worms, etc. Unprotected shares are currently one of the major causes of security-related incidents.

Checklist for Securing Windows 95 and 98 Systems


Virus Protection for Windows Systems: Managing File Sharing

On a Windows 95/98 system, system-wide file sharing is managed by selecting "My Computer/Control Panel/Networks/Access Control/", and then clicking on the Share Level Access Control button. For folder-by-folder controls, you can use Windows Explorer (Start/Programs/Windows Explorer). Shared folders are indicated by an open-folder icon, held by a little hand. Right click on the folder, select Properties, click on Sharing, then click on Not Shared.

Turn Off File Sharing: Windows 95/98/Me

Windows Users Do You Really Need to Have Shares?

The most frequent cause of security incidents in Windows systems is shares (i.e., shared folders) that are improperly set up. When you share a folder, it is potentially available to any Internet user, or, worse yet, viruses and worms that look for share access that does not require passwords. If possible, avoid sharing altogether. In Windows 95/98/Me systems, you can turn off sharing by following these simple steps:

Go from Start to the Control Panel.
In the Control Panel double click on Network.
Once the Network dialog box comes up, double click on the File and Print Sharing Box. In the Properties dialog box that comes up, click on "Not Shared".
Click on Apply, then OK


http://www.lbl.gov/ICSD/Security/systems/win-checklist.html#shares


***************************

Turn off file and print sharing if you do not need it and make sure you have a good software firewall.

Windows 98 is not affected by the Blaster virus. TCP port 135 use is normal. In Windows NT, 2000, 2003 and XP there is a bug in the RPC code that can be exploited (the Blaster worm does this). The bug is fixed by the MS03-026 patch. This bug does not exist in Windows 98.

Ports 135 through 139 are used constantly by any computer running MS OS....any computer. It's perfectly normal to have these ports open and have traffic on them inside a private LAN. It's desirable to block these ports from view on any public interface for precisely this reason....these are core ports in how MS OS operates.

In the case of Blaster, what it's looking for is two mistakes to have been made by someone connected to the web: they are showing these ports to the web without blocking them by a firewall, and these ports are being listened to by a DCOM interface that doesn't have the patches applied to it but is among the OS versions susceptible to the RPC/DCOM vulnerability.

As such, seeing traffic on these ports doesn't mean a problem; it means that you may have perfectly normal NetBIOS traffic using the ports for their intended purposes. Stated differently, if you blocked these ports on every machine in your LAN, you would discover you have no MS Network anymore. These ports are required for quite a substantial amount of traffic that MS networks need for management processes.

If you have a computer connected to the web, you should NEVER show these ports ....period....never show them on the public side. If you do, you are exposing your MS Networking system to inspection from outside the LAN.

The vulnerability to RPC on these ports is just an escalation of the risk of doing this dumb thing in the first place. Instead of someone listening or sending packets to be handled by these services, the RPC vulnerability introduces the potential that a hacker can push code through the port that returns elevated privileges never intended to be offered on these ports or services in this way. That's the bug in the situation.

Comp01
September 8th, 2003, 12:08 AM
All that was already done on my computer (mostly). Also, what is Spooler.exe? (It says it's from Microsoft, it's in C:\Windows\System, it says "spooler sub system".) I blocked it completely, along with kernel32, but, what's up with it?

CrazyM
September 8th, 2003, 11:20 AM
Hi Comp01

If you are concerned about outbound netbios with Sygate, make a rule in the advanced rules that will block outbound tcp/udp to remote service/ports 135-139.

Double check your application rules and make sure none allow inbound connections (server rights) - unless they actually need it.

The firewall should then be blocking any unsolicited inbound connection attempts.

Spooler.exe should not need access to the Internet (it is associated with printing).

What kind of access was kernel32 wanting?

Regards,

CrazyM

Comp01
September 11th, 2003, 10:20 PM
Sygate firewall alerted me this:
***
09/11/2003 22:11:53***Port Scan***Minor***Incoming***TCP***63.107.123.66***2***09/11/2003 22:11:46***09/11/2003 22:11:46


09/11/2003 22:11:32***Port Scan***Minor***Incoming***TCP***63.107.123.66***3***09/11/2003 22:11:34***09/11/2003 22:11:34
***
09/11/2003 22:11:26***Port Scan***Minor***Incoming***TCP***63.107.123.66***4***09/11/2003 22:11:25***09/11/2003 22:11:28

My computer being scanned, uhh, it blocked it I guess? doesn't mean much though right now, right?***

CrazyM
September 11th, 2003, 10:45 PM
Hi Comp01

Your firewall blocked it so nothing to worry about.

As to what it means, without additional details who knows. Do your logs provide any more details such as source port and destination ports?

Regards,

CrazyM

Comp01
September 12th, 2003, 12:29 AM
No, it doesn't :-\ also, I wanted to know, is Kernel32.dll windows file safe? and just a nuisance with internet connections? what does it do? (I have it blocked, all ports, etc for it, but it always goes around :-\ gah)

CrazyM
September 12th, 2003, 01:15 AM
Hi Comp01

Sygate should have a log viewer which will provide a little more detail than that.

As for Kernel32.dll, is that prompt coming from the firewall or the DLL Authentication option available? Sygate has options for Enable DLL Authentication, Automatically Allow Known DLL's (a learning mode) and Driver Level Protection.

You might want to check out what each of those options involves.

Some links that might help:
Sygate Product Forums (http://forums.sygatetech.com/vb/)
King's Sygate Help Site (http://home.bellsouth.net/p/s/community.dll?ep=16&groupid=60610&ck=&userid=1&userpw=.&uh=1,0,)
Whitehat Security - Sygate Personal Firewall (http://www.whitehat-security.com/SPF.htm)

Regards,

CrazyM

Comp01
September 12th, 2003, 01:35 AM
From the Firewall, not DLL authentication... the dll checks out, it's real, I run a ton of security software, heh, AVG antivirus, SpyBot:S&D, AdAware6.0, Sygate firewall, SpywareBlaster, etc, it's the actual Windows98 kernel32.dll file... :-\
*Edit, didn't notice what you said about the log viewer*
That's the only log I could find, by going to logs, and security, it's even what Sygate brings up when the Security issue comes up..

CrazyM
September 12th, 2003, 01:41 AM
If it is the firewall prompting, what kind of access is it wanting (remote service/port)?

As you have done, it is always best to block until you are sure.

Regards,

CrazyM

Comp01
September 12th, 2003, 02:31 AM
UDP 138
UDP 137
TCP 139
Are the ports, it is a Windows service, because I've checked my computer already, and actually, I just reformatted it like 2 days ago, after I messed up (heh, stupid me, and learning computers, programming etc, but anyways) and installed Windows98 2nd edition, 4.10.2222 exact version, from my disk, I have no viruses, spyware, adware, or trojan horses installed on my computer.

CrazyM
September 12th, 2003, 02:42 AM
If that was for outbound, you did the right thing in blocking it.

What you might want to do is in Advanced rules, create a rule that blocks outbound TCP/UDP to remote ports 135-139. You could also create a similar rule to block inbound to local ports 135-139.

I believe in Sygate the Advanced rules take priority, and this may stop the prompts.

Regards,

CrazyM

Comp01
September 12th, 2003, 02:31 PM
Problem is, every time I block it, it still goes through, according to the firewall, blocked, or with them ports completely blocked off!
kernel32.dll protocol: UDP Status: LISTEN - Local Port: 138 and 137 Remote Port: 0
kernel32.dll protocol: TCP Status: LISTEN - Local Port: 139 Remote Port: 0
^That's some of the info I got from it...

Comp01
September 12th, 2003, 02:36 PM
Also it says something, if I hover over the connection (They are all either UDP or TCP connections, with LISTEN :-\ ) says something like "NetBIOS-NS Browsing requests of NetBIOS over TCP/IP" and "NETBIOS-SSN - NETBIOS session service"

Comp01
September 12th, 2003, 06:24 PM
Also, I caught an ICMP Microsoft DirectX helper trying to connect, I blocked it, dammit, this Microsoft and Windows crap is pissing me off, a few more things and I'm switching to Linux :-\

Comp01
September 12th, 2003, 08:09 PM
I forgot all about my other post, sorry all, truly am, I hate forums and keeping track of them, and I'm a newbie at security crap, sorry, I'll lock this topic, because MOST of this was explained in my older topic. (That is if I can lock this myself)

LowWaterMark
September 12th, 2003, 08:15 PM
Well, you can't actually lock it... I see nothing wrong with this as a separate thread, but you also have this one:

Successfully Block port 135, and 136 on Windows98? (http://www.wilderssecurity.com/showthread.php?t=13476)

Is that the one you were referring to? I could merge them together if you like.

Comp01
September 12th, 2003, 08:58 PM
That'd be nice, actually... (For you to merge it, if you like)...
also, by back-tracing the IP # that kernel32.dll is connecting to, I found this:
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
NetName: LINKLOCAL
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: Please see RFC 3330 for additional information.
RegDate: 1998-01-27
Updated: 2002-10-14

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

LowWaterMark
September 12th, 2003, 10:25 PM
-{ Quote (Comp01): "That'd be nice, actually... (For you to merge it, if you like)...

also, by back-tracing the IP # that kernel32.dll is connecting to, I found this:
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
.
.
NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
.
.
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: Please see RFC 3330 for additional information." }-

Okay, merged. Now all your related posts are in one thread.

As for the addresses in the range 169.254.*.*, those are a special case. If your network configuration is set to get its IP address by DHCP and if it can't resolve DHCP for some reason (network not connected, DHCP down or slow, etc.) then Windows will automatically assign an address out of this range. It's called: Automatic Private IP Addressing (APIPA)

I don't understand why you should have an address in that range under normal operation when properly connected to your ISP. And services listening on your system should be using either 127.0.0.1 (for localhost), 0.0.0.0 (for your local network connection), or your real public IP address, as assigned by your ISP.

Comp01
September 12th, 2003, 10:52 PM
Well, uhh, Not to sound stupid, but me being kinda new to internet security stuff (sorry, I'm probably a big nuisance around here, lol) and only made out a bit of what you were saying, lol, this is all new to me, I mean, I originally only ran AntiVirus, and adaware, but thinking of the problems I had with a virus before, I started running a firewall, about 2 weeks ago, I don't understand why exactly no matter what I really do (I made a custom rule to block the ports off, but it still only blocks about 45% of outgoing :-\ ) and quite honestly, this kinda has me scared, heh, but before I ran the firewall, I was pretty much careless :-\
*edit to add a few more comments*
I have no idea what my network config is, and my ISP has been kinda screwy lately (mostly on about half the dialup numbers have frequent disconnects, etc)
so.... uhh, yeah keep in mind you're dealing with a firewall/general ports, etc, noobie.. heh..

LowWaterMark
September 12th, 2003, 11:01 PM
Hmm, let's take a small step back for a moment Comp01, because I'm thinking maybe there isn't a problem after all.

In an earlier post you said this...

-{ Quote (Comp01): "Problem is, every time I block it, it still goes through, according to the firewall, blocked, or with them ports completely blocked off!
kernel32.dll protocol: UDP Status: LISTEN - Local Port: 138 and 137 Remote Port: 0
kernel32.dll protocol: TCP Status: LISTEN - Local Port: 139 Remote Port: 0 " }-

And, just above this post you said...

-{ Quote: "I don't understand why exactly no matter what I really do (I made a custom rule to block the ports off, but it still only blocks about 45% of outgoing :-\ ) " }-

Why do you think that your firewall isn't blocking these things?

You see, the two entries in the first quote are only listening locally on your system, but that doesn't mean they are actually able to get out of your system. A firewall can and will block things that are listening. They will still be shown as listening on your system, but they are being blocked from receiving any communications from the outside world.

Is there some other reason you think they are actually getting out?

Comp01
September 13th, 2003, 12:14 AM
Well, Because Sygate firewall has an "Incoming Blocked" "Incoming Allowed" "Outgoing Blocked" and "Outgoing allowed" the allowed rate is far greater than the blocked, except for incoming.. if I click "Hide Windows Services" it doesn't even show up, but is still semi-blocked out (I guess)

LowWaterMark
September 13th, 2003, 12:18 AM
-{ Quote (Comp01): "Well, Because Sygate firewall has an "Incoming Blocked" "Incoming Allowed" "Outgoing Blocked" and "Outgoing allowed" the allowed rate is far greater than the blocked, except for incoming.. if I click "Hide Windows Services" it doesn't even show up, but is still semi-blocked out (I guess)" }-

I'm afraid I don't understand... ("allowed rate is far greater than the blocked, except for incoming")... I guess we really need another Sygate user to explain exactly what those fields / statistics mean. :-\

Comp01
September 13th, 2003, 12:51 AM
The field for Sygate is like this:
Incoming Allowed Incoming Blocked Outgoing Allowed Outgoing blocked

and of course it has applications name, version etc before all that, but, basically it tells you how many bits (or bytes, or whatever) of data has been sent, or received? and the sent rate for outgoing on it is A LOT more than what it blocked for outgoing (If any of this makes sense :-\ )

SpaceCowboy
September 13th, 2003, 02:00 AM
i wish they would get rid of those graphs. they just confuse people. the graphs do not tell you what application they are showing traffic for. so it could be something else that you are seeing. here is a link that explains the graphs a little.

http://smb.sygate.com/support/documents/spf/traffic_history_graphs.htm

and like you have already been told, if an application is listening, it doesn't mean that it is transmitting out. you have the application blocked so it won't ever do any more than listen.

you should disable netbios if you don't need it.
http://comp.bio.uci.edu/security/netbios.htm

Comp01
September 13th, 2003, 08:47 AM
I wasn't talking about graphs, if in Sygate click view application details, that's what I am talking about, also the
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
What is that? I mean why is kernel32.dll connecting there? also could it be because a part of my ISP's software was blocked? (Just found it) and I can't disable netBIOS, I tried, it's checked, and grayed out :-\

Comp01
September 13th, 2003, 09:05 AM
Also, on IP address it's supposed to/and or sending to, comes up like this:
169.254.4.206->0.0.0.0

LowWaterMark
September 13th, 2003, 10:53 AM
Actually, I tried to explain the 169.254.*.* addresses above (reply #19).

-{ Quote: "As for the addresses in the range 169.254.*.*, those are a special case. If your network configuration is set to get its IP address by DHCP and if it can't resolve DHCP for some reason (network not connected, DHCP down or slow, etc.) then Windows will automatically assign an address out of this range. It's called: Automatic Private IP Addressing (APIPA)

I don't understand why you should have an address in that range under normal operation when properly connected to your ISP. And services listening on your system should be using either 127.0.0.1 (for localhost), 0.0.0.0 (for your local network connection), or your real public IP address, as assigned by your ISP." }-

Your system is not connecting "there". IANA is the Internet naming authority that is responsible for the designation of the use of the IP address range you're talking about. That's all. It isn't a remote network or a location that anyone's systems connect to.

So, don't worry about that back trace, it doesn't apply on a 169.254 based address.

I'm still not clear on what you are seeing. Perhaps you can make a screen image or two to show us exactly what Sygate screen you are looking at, highlighting the significant portions.

You can add one image per post here on the forum. This FAQ will explain how if you've never done it: FAQ: Screen Shots and Image Posting (http://www.wilderssecurity.com/showthread.php?t=5513).

SpaceCowboy
September 13th, 2003, 11:37 AM
ok ok i see where you are talking about now. this page kind of explains it. http://smb.sygate.com/support/documents/spf/running_applications_list.htm

not sure what your question is though.. sry

Comp01
September 13th, 2003, 02:34 PM
OK, hope this image works :-\

LowWaterMark
September 13th, 2003, 11:09 PM
Well, the image attached fine... Now all we need is someone who understands exactly what that particular Sygate screen's purpose and meaning is so they can tell us if this is a concern or not. Let's wait and see.

Comp01
September 13th, 2003, 11:55 PM
Yep :-\ that could take a while though, but really right now (At the moment at least) is I want to know am I safe on the internet? :-\ will this "connection" or whatever spy on me? or just give me my DNS/IP#? hmm :-\ maybe my ISP uses this to specifically obtain IP#'s? (Sorry, as I said, I'm a noobie at security)

LowWaterMark
September 14th, 2003, 12:24 AM
Well, at this point my belief is that you are safe, and that most likely the screen is showing something quite normal, that once it's explained we'll all slap our foreheads and say - "Oh, yeah! That's what that is."

Comp01
September 14th, 2003, 09:25 PM
Yeah, I guess, I'm still waiting though :-\

snapdragin
September 14th, 2003, 11:04 PM
Hi Comp01,

i also have a Win98se computer and use Sygate (free) along with a router on cable connection.

i am probably repeating what others have already posted, but thought i would add to your post since we have about the same setup.

The kernel32.dll will show as listening on ports 137, 138, and 139 in Sygate's application listing (that first panel you see with the graph with black background and green lines) even if you have blocked it with Sygate. But no connection from the net will happen since you do have it blocked.

However, if you no longer want to see the file kernel32.dll "listening" on those three ports, then you will have to disable NetBIOS.

i also had used Sygate to just block the kernel32.dll (which is identified in Sygate's Application List as the file name: Win32 Kernel core component) until i felt comfortable enough to disable NetBIOS. Then the three instances of Kernel32.dll disappeared from Sygate's list, as it was no longer "listening" on ports 137, 138, and 139. :)

If you do not have several computers networked together and sharing files between them in your home, (that is called a private LAN) then you do not need to have NetBIOS enabled.

The link SpaceCowboy gave you for disabling NetBIOS is a good one and explains it very well. (i will repost it again here in case you are not sure of which link i mean)

How To Disable NetBIOS over TCP/IP
http://comp.bio.uci.edu/security/netbios.htm

If you decide that you just want to leave it for Sygate to block kernel32.dll, that is ok too and you are safe. But if you want to have those ports closed, then follow the two steps there in that link above, for Windows 95, 98, or WinME.

Hope that helps and i haven't confused you, it is confusing enough already lol. (i also have an XP-Home with Sygate on it, and have NetBIOS disabled on that computer too...i do not have the two computers networked together...they are standalones. Edited to add - i owe a "Thank You!" to LWM for that! He helped me with the XP... ;D )

Best regards,

snap

snapdragin
September 14th, 2003, 11:22 PM
Oh! Forgot something. You had also asked about blocking port 135. i am assuming the file rpcss.exe is showing as "listening" on that port, yes? The rpcss.exe did not come with my Win98se....i never had that file on that computer until i installed my LexmarkZ53 printer. grrrr..grr. i read up on it and from what i read, the rpcss.exe is not needed, BUT it also said if i remove it i "may" have problems with my printer. i don't know...lol..so i decided just to leave it there now and have Sygate block it.

The rpcss.exe has been blocked on my Win98se for about a year with no ill effects and my printer works just fine since it is connected directly to my computer and not through any network.

So you are good to go with just having Sygate block the rpcss.exe (shown in Sygate's Application List as the Distributed COM Services).

snap :)

Comp01
September 14th, 2003, 11:42 PM
Thanks for all the help! I don't have any networked PC's, this is my only PC, heh, but, it won't allow me to disable netBIOS, I go to the page, it's checked off to allow it, and grayed out :-\

snapdragin
September 15th, 2003, 12:16 AM
Hi Comp01

Yes..it will be greyed out...mine was too. You have to "unbind" NetBIOS first.

The second part there on that link can be a bit confusing. But i'll try and explain it here.

1. Go to START-->Settings-->ControlPanel, and find the icon called Network....double-click on it and the Network box will pop up.

2. Choose the Configuration tab and look for the TCP/IP line...highlight that.

3. Now click on the button called Properties. The TCP/IP Properties box will pop up.

4. Choose the Bindings tab now.

5. Uncheck the box beside Client for Microsoft Networks.

6. Click "OK" (if you get the message "You have not selected any drivers to bind with. Would you like to select one now?", just ignore this message and click on "YES"). Then click on "OK" to close the TCP/IP Properties box.

7. Now click on the File and Printer Sharing button and make sure those two boxes there are UN-CHECKED.

8. Click OK again to close the Network box

9. You may have to reboot your computer for the settings to take place.

10. And you are done. :) The NetBIOS tab that you mentioned that was greyed out will no longer be greyed out and the check-mark that was in it will also be gone. You can check that if you like by following the first steps above, but rather than choosing the Bindings tab, this time choose the NetBIOS tab. If it is still checked (it shouldn't be) but if it is, then just uncheck it and click OK to close the boxes. :)

snap

forgot to add...if you have two instances of TCP/IP there in the Network box, you will have to do the above twice. i did. LOL

Comp01
September 15th, 2003, 12:45 AM
Yeah, I do have two TCP/IP's there :-\ I have an ethernet card along with my modem, with 2 different settings...

BlitzenZeus
September 15th, 2003, 01:26 AM
Please note I haven't read completely through this topic, but to disable netbios on 9x all I do is rename the vnbt.386 file to vnbt386.bak in the X:\windows\system directory, then reboot. This will kill all netbios so if you ever have a network you will have to rename the file, reboot, then use your firewall to allow those permissions correctly.

Comp01
September 15th, 2003, 02:47 AM
I already done it the way they said to do it, also, My windows login screen disappeared (or network login screen, or user or whatever) is that normal?

Comp01
September 15th, 2003, 02:51 AM
Also, when I click up "Network neighborhood" it says "Network not complete, continue" with Yes/No buttons, is that normal also?

snapdragin
September 15th, 2003, 05:22 AM
-{ Quote (Comp01): "Also, when I click up "Network neighborhood" it says "Network not complete, continue" with Yes/No buttons, is that normal also?" }-

Hi Comp01 - for that message, just say "No" since you do not want to complete a network. That is what you just got away from. When i click on the desktop icon called Network Neighbourhood, i get the "Unable to browse network. The network is not accessible". A "Network neighborhood" is just that, a neighborhood of computers on a network. We don't want that. LOL.

-{ Quote: "I already done it the way they said to do it, also, My windows login screen disappeared (or network login screen, or user or whatever) is that normal?" }-

As for the Windows Login Screen...are you referring to the screen that comes up after the Windows 98 screen disappears? If that is what you mean, then that may not be such a bad thing as many people usually want to get rid of that. i still have my login screen but that might be because i still have my Client for Microsoft Networks bound to NetBEUI. But since you are not wanting a network, you really don't need to "log into a network". If i am wrong in this regard, please someone jump in and correct me. :)

Also, if you have the MS DOS icon on your desktop, double-click on it to open up the black DOS box, and at the DOS prompt type in: netstat -an (note, there is a space before the minus sign) and hit Enter.

You will see a listing of all the addresses and ports listening or connected. You should see ports 137, 138 and 139 no longer listed there. When you are done with the DOS window, just type in the word exit, then hit enter, and this will close that black box.

Or if you would rather use a small program which will give you the same results as the above, but with just a click of the mouse instead. A good 'free' program called TCPView, will show you detailed listings of all TCP and UDP connections and what ports are being used. TCPView is free and works on Windows 98 too, and can be found here:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Another excellent program is Port Explorer. Port Explorer is not free though, but it does have a 30-day free trial period. You can also find the support forum here at wilders. Jason has posted the information on the new released version 1.800 here:

http://www.wilderssecurity.com/showthread.php?t=13621

Hope that helps,

snap :)
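The check snapdragin describes (run netstat -an and confirm ports 137, 138 and 139 are gone), together with LowWaterMark's earlier point about which local address a listener is bound to, as an added example that is not part of the original thread. Both netstat samples are constructed, and the function names are hypothetical.

```python
import ipaddress

# Ports the thread says should never be shown on a public interface.
MS_PORTS = range(135, 140)
SERVICE = {
    135: "RPC/DCOM endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
}

# Constructed samples in the layout printed by `netstat -an`
# (not captured from a real machine).
SAMPLE_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    169.254.4.206:139      0.0.0.0:0              LISTENING
  TCP    169.254.4.206:1034     192.0.2.10:80          ESTABLISHED
  UDP    169.254.4.206:137      *:*
  UDP    169.254.4.206:138      *:*
  UDP    0.0.0.0:68             *:*
"""

SAMPLE_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:68             *:*
"""


def bind_scope(address):
    """Describe which interfaces a local bind address covers."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unknown"
    # Order matters: these special ranges also count as "private" in ipaddress.
    if ip.is_unspecified:
        return "all interfaces"
    if ip.is_loopback:
        return "loopback only"
    if ip.is_link_local:
        return "APIPA link-local (169.254.0.0/16)"
    if ip.is_private:
        return "private LAN"
    return "public"


def listening_ms_ports(netstat_text):
    """Return (proto, port, local address, scope) for listeners on 135-139."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # TCP rows have a state column; only LISTENING sockets accept
        # new inbound connections. UDP rows have no state at all.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in MS_PORTS:
            continue
        findings.append((proto, int(port), host, bind_scope(host)))
    return findings


def report(netstat_text):
    """One readable line per finding, or a single all-clear line."""
    lines = []
    for proto, port, host, scope in listening_ms_ports(netstat_text):
        name = SERVICE.get(port, "unnamed")
        reach = "local only" if scope == "loopback only" else "firewall must block"
        lines.append(f"{proto} {port} ({name}) on {host}: {scope}, {reach}")
    return lines or ["no listeners on ports 135-139"]


if __name__ == "__main__":
    print("Before unbinding NetBIOS:")
    print("\n".join(report(SAMPLE_BEFORE)))
    print("After unbinding NetBIOS:")
    print("\n".join(report(SAMPLE_AFTER)))
```

A listener that still appears here while the firewall blocks it matches what the thread describes: the socket stays open locally, and the firewall rule decides whether anything reaches it.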

JayK
September 15th, 2003, 06:20 AM
Try active ports

Comp01
September 15th, 2003, 04:37 PM
Yeah, kernel32.dll still comes up in Sygate as "Listening on remote port 68, IP address 0.0.0.0->0.0.0.0" but, 0.0.0.0 is your own computer though, isn't it? :-\ so, uhh, I'm listening to myself? lol

CrazyM
September 15th, 2003, 04:43 PM
Hi Comp01

It is not unusual to have certain system functions listening on your computer, as long as your rules control what is allowed to enter and leave your system.

Regards,

CrazyM

Comp01
September 15th, 2003, 07:11 PM
Also, when I click "Connection Details" now, kernel32.dll doesn't even show up as connecting anywhere, but yet it says it's sending data? :-\ still confusing, but feel safer now that NetBIOS is disabled..