Threat Level: green Handler on Duty: Russ McRee

SANS ISC Port Details:


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Graph

[show ascii data]
Graph Criteria
  • Start Date:
  • End Date:
  • Port:
  • Left Y Axis:
  • Right Y Axis:

Port Information

Protocol Service Name
tcp epmap DCE endpoint resolution
tcp loc-srv NCS local location broker
udp epmap DCE endpoint resolution
udp loc-srv Location Service
[get complete service list]

User Comment

Submitted By Date
Comment
jyothis 2011-09-24 00:18:16
An Exchange Client computer on a LAN or WAN link uses remote procedure call (RPC) to communicate with an Exchange Server computer. The Exchange Server computer, an RPC- based application, uses TCP port 135, also referred to as the location service that helps RPC applications to query for the port number of a service. The Exchange Server computer monitors port 135 for client connections to the RPC endpoint mapper service. After a client connects to a socket, the Exchange Server computer allocates the client two random ports to use to communicate with the directory and the information store. The client does not communicate with other components of the Exchange Server computer. Please note that these information were found from the Microsoft Knowledge Base
Richard Akerman 2009-10-04 18:45:22
It appears this port is being used as the starting point of Windows "NET SEND" spam messages that use the Messenger service. A connection is made to port 135 to determine what high-numbered port the Messenger service is running on.
xentheon 2009-10-04 18:45:22
Looks like msblast is on it's way... If you manage to sniff any of the packets you will see one of these messages: "billy gates why do you make this possible?" "Stop making money and fix your software!!" Mblast can be found in c:\windows\system32\ as well as: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ And the 'patch' from windows at: http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
a1fa 2009-10-04 18:45:22
Hi, Today (9-17-2003), I have noticed several computers scanning external IP addresses on UDP:135. The computers are doing ascending IP scan, similar to Blaster. This is the payload : "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!" More on this can be found at : http://www.securityfocus.com/news/6975 Does anybody else have similar problems? Do you know what worm is this? join #inSecurity @ FreeNode a1fa
VIPER X 2005-06-12 05:22:59
Some well known Root kits also use this port to transmit data back to home base and download more malware. I also suspect may be an entry point for some root kit /malware for un patched systems or systems that did not patch correctly.
Phil Brammer 2003-12-17 17:41:44
Please see http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm for the latest on an RPC exploit against Microsoft operating systems. Also, from the vendor: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp Please ensure that all unnecessary TCP/UDP ports are blocked and particularly TCP 135, TCP 139, TCP 445, or any other specifically configured RPC port. Unapproved CVE #: CAN-2003-0352 (As of July 31st, 2003)
Marcus H. Sachs, SANS Institute 2003-10-09 22:32:52
SANS Top-20 Entry: W5 Windows Remote Access Services http://www.sans.org/top20/index1.php#w5 Remote Procedure Calls Many versions of Microsoft operating systems (Windows NT 4.0, 2000, XP, and 2003) provide an inter-process communication mechanism that allows programs running on one host to execute code on remote hosts. Three vulnerabilities have been published that would allow an attacker to run arbitrary code on susceptible hosts with Local System privileges. One of these vulnerabilities was exploited by Blaster/MSblast/LovSAN and Nachi/Welchia worms. There are also other vulnerabilities that would allow attackers to mount Denial of Service attacks against RPC components.
Jolly 2003-10-09 22:32:20
Port of entry for RPC bug exploiting Worms like lovSan, msblaster on unfixed Windows 32bit systems. Potentialy very dangerous.
2003-10-09 22:32:06
port used by Blaster32 worm for propogation
oog 2003-08-26 23:35:00
Port 135 is essential to the functionality of Active Directory and Microsoft Exchange mail servers, among other things.
Faiz Ahmad Shuja 2003-08-13 20:00:45
http://www.cert.org/advisories/CA-2003-20.html W32/Blaster worm The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026. http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Brian Porter 2003-08-10 00:30:30
CVE: CAN-2003-0352 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
Johannes Ullrich 2003-01-24 18:42:15
This port is used for Windows RPC. Windows RPC allows for the display of popup messages.
Add a comment

CVE Links

CVE # Description
CVE-2003-352 "Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0
CVE-2003-528 "Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter
CVE-2003-533 "Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a
CVE-2003-717 "The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message
CVE-2003-813 "A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request