Sucessfully Block port 135, and 136 on WIndows98?

I'm using Windows98, and I was wondering on if I can 1: Block port 135/136, and 2: how to do it on Sygate free firewall?

 

Also, should I just block UDP?

 

Delete Unprotected Shares


In Windows terminology, a share is a mechanism that allows a user to connect to file systems and printers on other systems. An unprotected share is one that allows anyone to connect to it. Many Windows desktop users have unprotected shares, even though they do not really need sharing at all. The result is a far greater likelihood that their systems will be successfully attacked by hackers, worms, etc. Unprotected shares are currently one of the major causes of security-related incidents .





Checklist for Securing Windows 95 and 98 Systems


Virus Protection for Windows Systems: Managing File Sharing

On a Windows 95/98 system, system-wide file sharing is managed by selecting "My Computer/Control Panel/Networks/Access Control/, and then clicking on the Share Level Access Control button. For folder-by-folder controls, you can use Windows Explorer (Start/Programs/Windows Explorer). Shared folders are indicated by an open-folder icon, held by a little hand. Right click on the folder, select Properties, click on Sharing, then click on Not Shared.

Turn Off File Sharing: Windows 95/98/Me

Windows Users Do You Really Need to Have Shares?

The most frequent cause of security incidents in Windows systems is shares (i.e., shared folders) that are improperly set up. When you share a folder, it is potentially available to any Internet user, or, worse yet, viruses and worms that look for share access that does not require passwords. If possible, avoid sharing altogether. In Windows 95/98/ Me systems, you can turn off sharing by following the following simple steps:

Go from Start to the Control Panel.
In the Control Panel double click on Network.
Once the Network dialog box comes up, double click on the File and Print Sharing Box In the Properties dialog box that comes up click on "Not Shared"
Click on Apply, then OK


http://www.lbl.gov/ICSD/Security/systems/win-checklist.html#shares


***************************

Turn off file and print sharing if you do not need it and make sure you have a good software firewall.

Windows 98 is not affected by the Blaster virus. TCP port 135 use is normal. In Windows NT, 2000, 2003 and XP there is a bug in the RPC code that can be exploited (the Blaster worm does this) . The bug is fixed by the MS03-026 patch.This bug does not exist in Windows 98.




Ports 135 through 139 are used constantly by any computer running MS OS....any computer. It's perfectly normal to have these ports open and have traffic on them inside a private LAN. It's desirable to block these ports from view on any public interface for precisely this reason....these are core ports in how MS OS operates.

In the case of Blaster, what it's looking for is two mistakes to have been made by someone connected to the web: they are showing these ports to the web without blocking them by a firewall, and these ports are being listened to by a DCOM interface that doesn't have the patches applied to it but is among the OS versions susceptible to the RPC/DCOM vulnerability.

As such, seeing traffic on these ports doesn't mean a problem it means that you may have perfectly normal Netbios traffic using the ports for their intended purposes. Stated differently, if you blocked these ports on every machine in your LAN, you would discover you have no MS Network anymore. These ports are required for quite a substantial amount of traffic that MS networks need for management processes.

If you have a computer connected to the web, you should NEVER show these ports ....period....never show them on the public side. If you do, you are exposing your MS Networking system to inspection from outside the LAN.

The vulnerability to RPC on these ports is just an escalation of the risk of doing this dumb thing in the first place. Instead of someone listening or sending packets to be handled by these services, the RPC vulnerability introduces the potential that a hacker can push code through the port that returns elevated privileges never intended to be offered on these ports or services in this way. That's the bug in the situation.

 

All that was already done on my computer (Mostly),also, what is Spooler.exe (It says its from Microsoft, its in C:\Windows\System, it says "spooler sub system" I blocked it completly, along with kernel32, but, whats up with it?

 

Hi Comp01

If you are concerned about outbound netbios with Sygate, make a rule in the advanced rules that will block outbound tcp/udp to remote service/ports 135-139.

Double check you application rules and make sure none allow inbound connections (server rights) - unless they actually need it.

The firewall should then be blocking any unsolicited inbound connection attempts.

Spooler.exe should not need access to the Internet (it is associated with printing).

What kind of access was kernel32 wanting?

Regards,

CrazyM

 

Security issue?

Sygate firewall alerted me this:
   
09/11/2003 22:11:53   Port Scan   Minor   Incoming   TCP   63.107.123.66   2   09/11/2003 22:11:46   09/11/2003 22:11:46


09/11/2003 22:11:32   Port Scan   Minor   Incoming   TCP   63.107.123.66   3   09/11/2003 22:11:34   09/11/2003 22:11:34
   
09/11/2003 22:11:26   Port Scan   Minor   Incoming   TCP   63.107.123.66   4   09/11/2003 22:11:25   09/11/2003 22:11:28

My computer being scanned, uhh, it blocked it I guess? doesnt mean much though right now, right?   

 

Re:Security issue?

Hi Comp01

Your firewall blocked it so nothing to worry about.

As to what it means, without additional details who knows. Do your logs provide anymore details such as source port and destination ports?

Regards,

CrazyM

 

Re:Security issue?

No, it doesnt also, I wanted to know, is Kernel32.dll windows file safe? and just a nuisance with internet connections? what does it do? (I have it blocked, all ports, etc for it, but it always goes around gah)

 

Re:Security issue?

Hi Comp01

Sygate should have a log viewer which will provide a little more detail than that.

As for Kernel32.dll, is that prompt coming from the firewall or the DLL Authentication option available? Sygate has options for Enable DLL Authentication, Automatically Allow Known DLL's (a learning mode) and Driver Level Protection.

You might want to check out what each of those options involves.

Some links that might help:
Sygate Product Forums
King's Sygate Help Site
Whitehat Security - Sygate Personal Firewall

Regards,

CrazyM

 

Re:Security issue?

From the Firewall, not DLL authentication... the dll checks out, its real, I run a ton of security software, heh, AVG antivirus, SpyBot:S&D, AdAware6.0, Sygate firewall, SpywareBlaster, etc, its the actual Windows98 kernel32.dll file...
*Edit, didnt notice what you said about the log viwer*
Thats the only log I could find, by going to logs, and security, its even what Sygate brings up when the Security issue comes up..

 

Re:Security issue?

If it is the firewall prompting, what kind of access is it wanting (remote service/port)?

As you have done, it is always best to block until you are sure.

Regards,

CrazyM

 

Re:Security issue?

UDP 138
UDP 137
TCP 139
Are the ports, it is a Windows service, because I've checked my computer already, and actually, I just reformatted it like 2 days ago, after I messed up (heh, stupid me, and learning computers, programming etc, but anyways) and installed Windows98 2nd edtion, 4.10.2222 exact version, from my disk, I have no viruses, spyware, adware, or trojan horses installed on my computer.

 

Re:Security issue?

If that was for outbound, you did the right thing in blocking it.

What you might want to do is in Advanced rules, create a rule that blocks outbound TCP/UDP to remote ports 135-139. You could also create a similar rule to block inbound to local ports 135-139.

I believe in Sygate the Advanced rules take priority, and this may stop the prompts.

Regards,

CrazyM

 

Re:Security issue?

Problem is, everytime I block it, it still goes through, according to the firewall, blocked, or with them ports completly blocked off!
kernel32.dll protocol: UDP Status: LISTEN - Local Port: 138 and 137 Remote Port: 0
kernel32.dll protocol: TCP Status: LISTEN - Local Port: 139 Remote Port: 0
^Thats some of the info I got from it...

 

Re:Security issue?

Also it says something, if I hover over the connection (They are all either UDP or TCP connections, with LISTEN ) says something like "NetBIOS-NS Browsing requests of NetBIOS over TCP/IP" and "NETBIOS-SSN - NETBIOS session service"

 

Re:Security issue?

Also, I caught a ICMP Microsoft DirectX helper trying to connect, I blocked it, dammit, this Microsoft and Windows crap is pissing me off, a few more things and I'm switching to Linux

 

Re:Security issue?

I forgot all about my other post, sorry all, truly am, I hate forums and keeping track of them, and I'm a newbie at security crap, sorry, I'll lock this topic, because MOST of this as explained in my older topic. (That is if I can lock this myself)

 

Re:Security issue?

That'd be nice, actually... (For you to merge it, if you like)...
also, by back-racing the IP # that kernel32.dll is connecting to, I found this:
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
NetName: LINKLOCAL
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: Please see RFC 3330 for additional information.
RegDate: 1998-01-27
Updated: 2002-10-14

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

 

Well, uhh, Not to sound stupid, but me being kinda new to internet security stuff (sorry, I'm probably a big nuisance around here, lol) and only made out a bit of what you were saying, lol, this is all new to me, I mean, I originally only ran AntVirus, and adaware, but thinking of the problems I had with a virus before, I started running a firewall, about 2 weeks ago, I dont understand why exactly no matter what I really do (I made a custom rule to block the ports off, but it still only blocks about 45% of outgoing ) and quite honestly, this kinda has me scared, heh, but before I ran the firewall, I was pretty much careless
*edit to add a few more comments*
I have no Idea what my network config is, and my ISP has been kinda screwy lately (mostly on about half the dialup numbers have frequent disconnects, etc)
so.... uhh, yeah keep in mind you're dealing with a firewall/general ports, etc, noobie.. heh..

 

Well, Because Sygate firewall has a "Incoming Blocked" "Incoming Allowed" "Outgoing Blocked" and "Outgoing allowed" the allowed rate is far greater then the blocked, except for incoming.. if I click "Hide Windows Services" it doesnt even show up, but is still semi-blocked out (I guess)

 

The filed for Sygate is like this:
Incoming Allowed Incoming Blocked Outgoing Allowed Outgoing blocked

and of course it has applications name, version etc before all that, but, basically it tells you how many bits (or bytes, or whatever) of data has been sent, or recieved? and the sent rate for outgoing on it is ALOT more then what it blocked for outgoing (If any of this makes sense )