Ports 137, 138, 139

Discussion in 'other firewalls' started by Shunned, Mar 17, 2004.

Thread Status:
Not open for further replies.
  1. Shunned

    Shunned Guest

    Lori and LWM

    You guys might find this very interesting....earlier I mentioned having the Internet Assigned Numbers Authority sitting on ports 137 138 139...for the past several days.......well guess what...They are GONE!!
    Plus, gone at the same time as last night.
    Note: my connection is static so this can't be targeting me in particular........also, six other people with different ISPs had the IANA sitting on those very same ports
    Boys and girls I have not been on the internet in a couple of years....do keep up with the news...but, this......hmmmmmm
    It looks like a very deliberate attempt to enter a person's computer by NetBios....and it was much too obvious for the isp not to have known...and ignored
    I am not an alarmist by any definition of the word.....now you guys can hash this over and come up with your own opinion......after four days of that foolishness..my opinion is made.
    Every isp keeps a record of every website a person visits...so if "they" wanted that information it was there to easily obtain.......without coming in by NetBios....
     
  2. Shunned

    Shunned Guest

    Re:ZoneLog

    Turned the computer on a few moments ago mostly out of curiosity.......THEY ARE BACK!!!
    Well, not really very much can be said.
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002 | Posts: 2,428 | Location: BC, Canada
    Re:ZoneLog

    Hi Shunned

    Could you clarify what you are seeing?
    Is your system listening on 137, 138, 139 or are you just seeing scans to these local services? IANA or your ISP will not be listening on these ports.

    Regards,

    CrazyM
     
  4. shunned

    shunned Guest

    Re:ZoneLog

    CM....appreciate your interest.....

    on this connection the isp has always listened on those ports....the same with others I know using the same isp

    Now comes the interesting part: as best that I can digest the info.

    rpcss.(exe) = DCOM....is the bandit

    rpcss udp 137
    rpcss udp 138
    rpcss tcp 139

    rpcss tcp local host 1025
    rpcss tcp all: 135

    remote url <169.254.245.234>

    research reveals it could be exploited (have blocked any exploiting) nothing going to get in/out of those ports.
    M$ is aware of the possible exploit......offers no answer to prevent it........some workarounds but real touchy....could destroy an NT os......BUT WHY THE LISTENING TO IANA?? And why here once..gone next....my OS hasn't changed overnight. My last M$ update did install a newer DCOM.........hmmmm
    I am on a Unisys.....the exploit first discovered on Unix.....my os win98se....very tweaked...which has never caused any problems......and never before experienced this sort of behavior.........
     
  5. Shunned

    Shunned Guest

    Re:ZoneLog

    Research reveals that ALL flavors of Windows have this....95---XP will try to locate the M$ explanation....not tonight...exhausted...

    Have also tried 3 sets of firewall rule sets....it's not a firewall issue....but only the firewall is preventing the exploit.......so-say that many others using ZA have noticed the issue...DCOM....but not the URL...I don't use ZA to verify if it does or not.

    BUT WHAT'S WITH THIS IANA o_O??.....since this was first noticed I have looked at 14 other computers....and ALL experiencing the same.
     
  6. Shunned

    Shunned Guest

    Re:ZoneLog

    CM to your question:

    "Is your system listening on 137, 138, 139 or are you just seeing scans to these local services? IANA or your ISP will not be listening on these ports"


    LISTENING= continuous......for six days...

    P.S.> absolutely nothing done on this computer that could remotely be considered improper......computer has not been used in years until a few days ago....about the time I came to this forum. This machine is clean.
     
  7. shunned

    shunned Guest

    Re:ZoneLog

    Clip from M$ support:

    Rpcss.exe Consumes 100% CPU Due to RPC Spoofing Attack
    This article was previously published under Q193233
    SYMPTOMS: System and network performance could degrade and the Rpcss.exe process could consume 100 percent of CPU time. Analyzing the network with a protocol analyzer shows multiple RPC REJECT packets (addressed to UDP port 135) between two or more systems because of an RPC spoofing attack.
    CAUSE >>>>>CLIPPED>>>wont post exploit info


    The above post was just a quick one that relates to the NT os....but other OS'S have this also.

    *** DIDN'T M$ say they patched this?? Well the patch sure as hell does not work!!!!
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002 | Posts: 2,428 | Location: BC, Canada
    Re:ZoneLog

    Well it is quite normal for systems to be listening on these ports/services, especially if you have filesharing/netbios over TCP enabled. It will be your system listening on these ports/services, not sure how you figure this is your ISP (Internet Service Provider). This can be controlled quite easily with a firewall and/or system configuration.

    This IP falls in a range that is reserved for what is referred to as Autoconfiguration IP Addresses (169.254.0.0 - 169.254.255.255).

    "Addresses in the range 169.254.0.0 to 169.254.255.255 are used automatically by some PCs and Macs when they are configured to use IP, do not have a static IP Address assigned, and are unable to obtain an IP address using DHCP.

    This traffic is intended to be confined to the local network, so the administrator of the local network should look for misconfigured hosts. Some ISPs inadvertently also permit this traffic, so you may also want to contact your ISP. This is documented in RFC 3330." - iana


    Perhaps this is where you are getting your reference to iana. If you do a whois lookup on an address in this range it will come back to them.

    Regards,

    CrazyM
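
The reading described in the post above, as an added example that is not part of the original thread: it classifies local listeners on 135 and 137-139 and flags addresses in the 169.254.0.0/16 autoconfiguration range. The `netstat -an` style sample is constructed, and placing the thread's 169.254.245.234 in the local-address column is an assumption made for illustration.

```python
import ipaddress

# Windows services on the ports discussed in this thread.
SERVICES = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
            138: "NetBIOS datagram service", 139: "NetBIOS session service"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # autoconfiguration range

def scope(addr):
    """Classify an IPv4 address so a log entry can be read correctly."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all interfaces"
    if ip.is_loopback:
        return "loopback only"
    if ip in LINK_LOCAL:  # checked before is_private, which also covers it
        return "link-local autoconfiguration"
    return "private LAN" if ip.is_private else "public"

def listeners(netstat_text):
    """Return (proto, ip, port, service, scope) for each local listener."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if parts[0] == "TCP" and parts[-1] != "LISTENING":
            continue  # established connections are not listeners
        ip, _, port = parts[1].rpartition(":")
        rows.append((parts[0], ip, int(port),
                     SERVICES.get(int(port), "other"), scope(ip)))
    return rows

def exposed(rows):
    """RPC/NetBIOS listeners bound to anything other than loopback."""
    return [r for r in rows if r[2] in SERVICES and r[4] != "loopback only"]

# Constructed sample in `netstat -an` layout (not output from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    169.254.245.234:139    0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      192.168.1.1:80         ESTABLISHED
  UDP    169.254.245.234:137    *:*
  UDP    169.254.245.234:138    *:*
"""

if __name__ == "__main__":
    for proto, ip, port, service, where in exposed(listeners(SAMPLE)):
        print(f"{proto} {ip}:{port}  {service}  [{where}]")
```
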
     
  9. Shunned

    Shunned Guest

    Re:ZoneLog

    CM

    ok...I see your point.......

    No file sharing.......firewall installed.....ISP listening (normal behavior) (verified)
    The IANA is something new...but I DO UNDERSTAND YOUR POINT......hmmmmm, it's not the rule set...this only recently began...never happened before using the same rule set...........okay, I'll switch rules and see the results......
    Thanks CM...will get back on this....loading websites extremely slow right now with 58% memory free...78% resources free....should be zipping down the pike.....but not.
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002 | Posts: 2,428 | Location: BC, Canada
    Re:ZoneLog

    If it is something you are seeing in your logs that you are concerned about, posting the full log entries might help determine what you are seeing. (just xxx out your public IP)

    Regards,

    CrazyM
     
  11. Shunned

    Shunned Guest

    CM

    Just spoke with my ISP.....after I changed rule sets.....now the issue is gone!....hopefully it's totally resolved........
    Looks like I did this to myself with too strict firewall rules....actually I hope it was my own doing...that can be corrected....
    Still have rpcss listening on TCP all:135
    and localhost:1026.....which as I understand is normal. But I have to say that it wasn't like this prior to the M$ update...never had any such problems....when it appeared is when I changed rules.. but it's resolved.
    Would not have realized the answer had you not posted....appreciate your time CM

    THANK YOU
     
  12. Shunned

    Shunned Guest

    After my last post..I rebooted and all was well.........shut-down and rebooted AND THE PROBLEM WAS BACK AGAIN.......rebooted again..and the problem is back again.
    Was not online any of the times....it's an OS issue..........ENOUGH!.....time for a complete RE-FORMAT.....won't put up with this.

    It's most doubtful that I will return to this forum in the near future.....was enjoyable....but I really don't spend much time on the internet....the past few days were the exception..........now this Bug thingy....well, it's just worth the time and energy......
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002 | Posts: 2,428 | Location: BC, Canada
    Hi Shunned

    A little drastic, but your system and your choice. Clarifying what services were listening, alternatives could have been provided in regards to system/OS configuration and firewall rules.

    Well hopefully when you are online you will continue to visit here.

    Regards,

    CrazyM
     
  14. shunned

    shunned Guest

    CM

    Very nice of you to drop in this way....have not re-formatted that machine as yet but planned for tomorrow.
    Did connect the machine a few times and the situation totally baffles me...sometimes that thingy is listening other times it's not.....supposedly it's part of the os....but never ever seen this happen on any os....and I've tried a few.
    Twice I dropped into safe mode and wiped the un-used space on C drive....after that the thingy disappears...only to return after a couple of boots. Even checked for keyloggers.
    I have the means of preventing the thingy from starting up..it starts at start....but watching it for now. Also, even when not contacted to the internet "something" is trying to send-out...... I know what rpcss exe is and what it does...but never had it mis-behave this way. It's not getting out.....and if by chance it did the submask is blocked.
    so...all in all....I still have no answers. A re-format is drastic but can have it all complete in a couple of hours...updates included...much less time than I've spent monitoring this thingy. The computer is rather mixed-flavored...a little win95..win98..win2000.winMe and a dash of odds and ends... it all works super nice...no complaints until the thingy presented itself.....
    OT: my friend thank you for your kind efforts and extended invitation.....I consider it an honor to have shared with you....unfortunately, the internet is not the enjoyment it once was....and my interest has faded. I don't experience the mishaps I notice others do but it's a matter of luck only.
    Persons like yourself..LWM.. Pieter,. PW,. have a much firmer grip on the situation than I ever could....my internet connection was only for a couple of weeks......and my arrival here was by way of a friend......super forum.
    And very best to you CM
     