Tom's Hardware Forum > Old Man/Woman's Club > Other: Port 135 and 137
Type Time Direction Protocol Source IP Address Source Port Destination IP Address Destination Port Description

Exception List Rule 7:37:31 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:30 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:29 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:28 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:27 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:26 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:25 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:24 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:23 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:22 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137

These two ports, along with port 80, are currently pounding the F* out of the internet.

If you guys can make rules in your firewalls to block ports 135 and 137, as well as ban any IP number not part of your network showing up on port 80 <--- major Trojan spam port, please do so.

I am seeing hundreds of the port 135 and 137 hits an hour, as well as port 80 attempts, throughout the logs. I have my software firewall and hardware set up to log these intrusions as well as backtrace them to the source IP.

ISPs as well as Apache administrators have put out a bulletin that this increase in traffic on these three ports could indicate that the hackers are gearing the net up to introduce a new virus, email or TCP or UDP or all, in the next few days to a week.

Please update all current antivirus and firewall software.

Barton 3200+ 400MHz
A7N8X Deluxe
Liquid 12 Celsius
2x512 Crucial DDR 400 PC3200
GeForce FX5900
Two Maxtor 40Gig 8MB cache 7200rpm
SONY RW 52x/24x/52x
SONY DVD 16x/40x


I had an RPC crash today, then there was an unknown process present after that which used up 99% of my CPU. Deleted it and its startup registry key in safe mode, and enabled my firewall, which solved the problem.


Funny thing is, my computer is acting unstable now, and I'm having weird DNS errors, like linking to wrong sites when doing searches, and I'm not able to open ANY major anti-virus websites, like symantec.com, mcafee.com, avg.com, trendmicro.com, and a few others. But all other sites I can open. VERY strange, eh?




Reply to phial

Both the IPs in the log you have posted are in a private namespace. They are behind your router. You say they are "currently pounding the F* out of the internet". Are they going to any outside sources? Is 192.168.1.100 a comp on your network? Is 192.168.1.255 the address of your router? What about other processes? Have you tried correlating the running processes and services with the output of a process-to-port mapping tool such as openports.exe? Have you tried scanning the systems using nmap, then correlating that output to the process-to-port mapping tool, and netstat?

My point is that the traffic could be legit, probably just one machine doing a name lookup for another. I am assuming you are running decent AV software and have run one of the many tools available for scanning for spy/adware. More information on the type of network and the services/servers that may be running would be helpful. Both IPs are on your network, so I would be interested in the results of the backtrace you say you have done. Back tracing is not really a good idea in most cases, as it reveals your internet presence to a scanning machine; total stealth and no response are a better idea unless you can do the trace anonymously via another box.

Well, it's hardly my fault that everyone chose that morning to throw themselves off buildings! Made the papers, you know. "Lemming Sunday," they called it.

Reply to Tom_Smart
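The triage Tom_Smart describes (are both ends private, is the destination really a host, is this just name lookup) can be done mechanically over the posted log format. The script below is an added example and is not code from either poster. It parses the space-separated rows as posted, checks each address against RFC 1918 space explicitly (the standard library's `is_private` also flags documentation ranges, so it is not used), and treats UDP 137 sent to the subnet broadcast address as NetBIOS Name Service chatter, which is what a Windows box does when resolving a LAN name. The /24 for the poster's LAN is an assumption; under it, 192.168.1.255 is the directed broadcast address, not the router. The sample rows are constructed: the first two copy the poster's log, the other two are made-up rows showing how an inbound probe from a public address and an outbound flow to a public address would be categorised.

```python
"""Triage Windows firewall log rows like those posted in the thread.

Added example (not from the thread). Classifies each flow so that LAN
broadcast chatter is separated from traffic that actually crosses the
router in either direction.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: rows 1-2 copy the poster's log, rows 3-4 are made up
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Exception List Rule 7:37:31 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:30 OUT UDP 192.168.1.100 137 192.168.1.255 137 PortBlock 135&137
Exception List Rule 7:37:29 IN TCP 203.0.113.7 4312 192.168.1.100 135 PortBlock 135&137
Exception List Rule 7:37:28 OUT UDP 192.168.1.100 137 198.51.100.9 137 PortBlock 135&137
"""

# Type Time Direction Protocol Src SrcPort Dst DstPort Description
LINE_RE = re.compile(
    r"^(?P<type>.+?) (?P<time>\d{1,2}:\d{2}:\d{2}) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) (?P<desc>.*)$"
)

# Assumption: the poster's LAN is 192.168.1.0/24, so its broadcast address
# is 192.168.1.255 (where NetBIOS name queries are sent), not a host.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Checked explicitly: ipaddress.is_private also returns True for the
# 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return the row as a dict with integer ports, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec, lan=LAN):
    dst = ipaddress.ip_address(rec["dst"])
    src_priv, dst_priv = is_rfc1918(rec["src"]), is_rfc1918(rec["dst"])
    if rec["proto"] == "UDP" and rec["dport"] == 137 and dst == lan.broadcast_address:
        return "netbios-name-broadcast"      # LAN name lookup; never leaves the router
    if src_priv and dst_priv:
        return "lan-internal"                # private to private, stays on the LAN
    if rec["dir"] == "IN" and not src_priv and rec["dport"] in (135, 137):
        return "inbound-probe"               # the internet knocking on RPC/NetBIOS
    if rec["dir"] == "OUT" and not dst_priv and rec["dport"] in (135, 137):
        return "outbound-to-internet"        # a local host spraying 135/137 outward
    return "other"


def summarize(text, lan=LAN):
    """Count flows per category over a whole log."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[classify(rec, lan)] += 1
    return counts


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {category}")
```

Only the last two categories involve the internet at all; the rows the poster showed all fall into the first one.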

Hey, I want you to go look for this guy in your computer: TROJ_EASYWWW.A

The manual registry removal is the best way to simply turn this biotch off. From your brief description, this is the type of virus/Trojan you could have been infected with.
If you do a Ctrl+Alt+Del you might actually see a program running in XP that has an IE Explorer icon, the big blue E!!

Read the text below to remove it correctly if you have one that is the same or like it. If you fail to delete the registry keys associated with the Trojan, then it will continue to restart with the computer every time you reboot.

Description:

This Trojan is a downloader program that connects to the URL www.easy<BLOCKED>.info and downloads a file, which is a copy of itself.

This malware runs on Windows 95, 98, ME, NT, 2000 and XP.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as TROJ_EASYWWW.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   easywww="<path of the malware>"
4. In the left panel, locate and delete the following:
   HKEY_LOCAL_MACHINE>System>CurrentControlSet>Enum>Root>LEGACY_NPF
5. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as TROJ_EASYWWW.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.



Reply to SoDNighthawk
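The registry steps in the writeup above name two indicators: a `Run` value called `easywww` and the `Enum\Root\LEGACY_NPF` key. Rather than deleting by hand, an analyst can export the relevant hives from Regedit (File > Export, the text `.reg` format) and check them offline. The script below is an added example, not code from the thread or from Trend Micro: it parses a version 5.00 `.reg` export and reports matches without changing anything. The sample export is constructed; the malware path is a placeholder because the writeup only says `<path of the malware>`, and the `SoundMan` entry is a made-up benign neighbour. One caveat the writeup does not state: `Enum\Root\LEGACY_<name>` keys are created by the PnP manager for any legacy kernel service of that name, and `NPF` is also the service name of the WinPcap packet-capture driver, so that key on its own is weak evidence and is reported as such.

```python
"""Offline audit of a regedit .reg export for the TROJ_EASYWWW.A indicators.

Added example (not from the thread or the vendor writeup). Reports, does not
delete, so the findings can be reviewed before acting.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LEGACY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF"
SUSPECT_RUN_NAMES = {"easywww"}   # value name given in the writeup

# Constructed sample export. The path is a placeholder (the writeup gives
# none); "SoundMan" is an invented benign entry to show it is not flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"easywww"="C:\\PLACEHOLDER\\easywww.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF]
"NextInstance"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# Either the default value (@) or a quoted name, then '=' and the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: data}} from .reg text.

    Registry paths are case-insensitive, so keys are stored lowercased.
    REG_SZ data is unquoted and unescaped; dword:/hex: data is kept as raw text.
    """
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            reg.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name_tok, data = vm.group(1), vm.group(2)
            name = "@" if name_tok == "@" else _unescape(name_tok[1:-1])
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            reg[current][name] = data
    return reg


def audit(reg):
    """Return a list of findings for the indicators named in the writeup."""
    findings = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if name.lower() in SUSPECT_RUN_NAMES:
            findings.append({"kind": "run-entry", "name": name, "data": data,
                             "note": "autostart value named in the writeup"})
    if LEGACY_KEY.lower() in reg:
        findings.append({"kind": "legacy-key", "name": LEGACY_KEY, "data": None,
                         "note": "also present when the WinPcap NPF driver is installed; weak on its own"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"[{f['kind']}] {f['name']} = {f['data']!r}  ({f['note']})")
```

The same parser works on a full `HKEY_LOCAL_MACHINE` export; only `SUSPECT_RUN_NAMES` and the two key paths are specific to this Trojan.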

Hello Tom_Smart, yes, you are correct in what you say. However, I am purposely redirecting behind my router to prevent hostile activity. This in itself is very annoying, even if it works, because it blocks me at my own desktop from identifying the source of the attacking IP numbers.

I am masking so heavily at this point with software and hardware that my scan software is not able to log or read some of the attacking IP numbers. I am using software like CommView and SolarWinds to back trace IP numbers I find that I want more info on, as well as, of course, the simple but less than accurate WHOIS database.

I am dealing with around 4 IP numbers right now that seem to be causing shiit. One is from Limelight Industries, another is out of Washington DC, the third is out of Anchorage, Alaska, and the fourth is out of Amsterdam. The last one is the one that initially reads as a hidden name space.

As we all understand, IP Internet hackers use IP spoofer software to generate false IP numbers from their own machine, or they bounce the outgoing signals they send all around the planet before they finally link up to your computer as an IGMP ping or traceroute or something worse.

I believe they do not yet have a Trojan in my computer, yet they can hook to gain access and cause damage or mischief, but it is real hard to be positive.

In any case, those 4 IP numbers over the last month have been consistent on back traces, and I have firmed up those 4 as the most probable threats.

You must also understand that they are attacking in most cases through UDP ports and not TCP, so I have banned the range on all 4 IP numbers and blocked all ports on those 4 IPs in both the TCP and UDP ranges.

Effectively cutting them off directly from my computer. This being done, they are now trying port ranges up and down from port 20 up to 5000 trying to find a way in, as my firewall software logs are indicating.

They still can't gain access, but the constant attempts are slowing my connection down at my end, as the computer resources have to deal with the hardware and software blocks I have set up defending against the connection attempts.

I have a friend down in Texas that is also logging massive amounts of unknown and port 135 and 137 traffic flow to his computer, and he is on dial-up with no hardware in front of him such as a router. These logs he has mailed to me, and they have much more detail in attack information, as everything gets right to his computer as raw data before his software firewall blocks the attacks and creates more accurate logs and descriptions of the IP and the type of attack. I am working with him to try and figure out what in hell is going on exactly: he collects the raw data on the exposed computer and I stealth around on my more protected system trying to back trace the attackers' IP numbers.

At this point the 4 IPs we've been looking at are in for some real trouble if we determine they do in fact have hostile intent.


Reply to SoDNighthawk