Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: TCP/UDP Port Activity - Internet Security | DShield TCP/UDP Port Activity



Port Information
Protocol  Service  Name
tcp       epmap    DCE endpoint resolution
tcp       loc-srv  NCS local location broker
udp       epmap    DCE endpoint resolution
udp       loc-srv  Location Service
User Comments
Submitted By Date
jyothis 2011-09-24 00:18:16
An Exchange Client computer on a LAN or WAN link uses remote procedure call (RPC) to communicate with an Exchange Server computer. The Exchange Server computer, an RPC-based application, uses TCP port 135, also referred to as the location service that helps RPC applications to query for the port number of a service. The Exchange Server computer monitors port 135 for client connections to the RPC endpoint mapper service. After a client connects to a socket, the Exchange Server computer allocates the client two random ports to use to communicate with the directory and the information store. The client does not communicate with other components of the Exchange Server computer. Please note that this information was found in the Microsoft Knowledge Base.
Richard Akerman 2009-10-04 18:45:22
It appears this port is being used as the starting point of Windows "NET SEND" spam messages that use the Messenger service. A connection is made to port 135 to determine what high-numbered port the Messenger service is running on.
xentheon 2009-10-04 18:45:22
Looks like msblast is on its way... If you manage to sniff any of the packets you will see one of these messages: "billy gates why do you make this possible?" "Stop making money and fix your software!!" Mblast can be found in c:\windows\system32\ as well as: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ And the 'patch' from windows at:
a1fa 2009-10-04 18:45:22
Hi, Today (9-17-2003), I have noticed several computers scanning external IP addresses on UDP:135. The computers are doing an ascending IP scan, similar to Blaster. This is the payload: "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!" More on this can be found at: Does anybody else have similar problems? Do you know what worm this is? join #inSecurity @ FreeNode a1fa
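A defender-side sketch of spotting the behaviour described in the comment above (internal hosts walking ascending external addresses on port 135), added here as an example and not part of the original comments. The flow-record format, the 10.0.0.0/8 internal range and the thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the monitored site's internal address space.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records; assumed format: "epoch src dst proto dport".
SAMPLE_LOG = """\
1063800000 10.1.4.23 198.51.100.10 udp 135
1063800001 10.1.4.23 198.51.100.11 udp 135
1063800001 10.1.7.5 203.0.113.40 tcp 135
1063800002 10.1.4.23 198.51.100.12 udp 135
1063800003 10.1.4.23 198.51.100.13 udp 135
1063800003 10.1.9.9 198.51.100.200 udp 53
1063800004 10.1.4.23 198.51.100.14 udp 135
1063800005 10.1.4.23 198.51.100.15 udp 135
1063800090 10.1.7.5 203.0.113.12 tcp 135
garbage line that should be skipped
"""

def parse_flow(line):
    """Return (ts, src, dst, proto, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (int(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), parts[3].lower(), int(parts[4]))
    except ValueError:
        return None

def longest_ascending_run(addrs, max_step=1):
    """Length of the longest run where each address is 1..max_step above the last."""
    best = run = 1 if addrs else 0
    for prev, cur in zip(addrs, addrs[1:]):
        run = run + 1 if 0 < int(cur) - int(prev) <= max_step else 1
        best = max(best, run)
    return best

def find_sweepers(log, port=135, min_run=5):
    """Map (internal src, proto) -> run length for sources sweeping external hosts."""
    targets = defaultdict(list)
    records = [r for r in map(parse_flow, log.splitlines()) if r]
    for ts, src, dst, proto, dport in sorted(records, key=lambda r: r[0]):
        if dport == port and src in INTERNAL and dst not in INTERNAL:
            targets[(str(src), proto)].append(dst)
    runs = {k: longest_ascending_run(v) for k, v in targets.items()}
    return {k: n for k, n in runs.items() if n >= min_run}
```

Raising `max_step` tolerates scanners that skip addresses; a host that contacts only a couple of unrelated servers on port 135 stays below `min_run` and is not reported.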
VIPER X 2005-06-12 05:22:59
Some well-known rootkits also use this port to transmit data back to home base and download more malware. I also suspect it may be an entry point for some rootkit/malware for unpatched systems or systems that did not patch correctly.
Phil Brammer 2003-12-17 17:41:44
Please see for the latest on an RPC exploit against Microsoft operating systems. Also, from the vendor: Please ensure that all unnecessary TCP/UDP ports are blocked and particularly TCP 135, TCP 139, TCP 445, or any other specifically configured RPC port. Unapproved CVE #: CAN-2003-0352 (As of July 31st, 2003)
Marcus H. Sachs, SANS Institute 2003-10-09 22:32:52
SANS Top-20 Entry: W5 Windows Remote Access Services Remote Procedure Calls Many versions of Microsoft operating systems (Windows NT 4.0, 2000, XP, and 2003) provide an inter-process communication mechanism that allows programs running on one host to execute code on remote hosts. Three vulnerabilities have been published that would allow an attacker to run arbitrary code on susceptible hosts with Local System privileges. One of these vulnerabilities was exploited by Blaster/MSblast/LovSAN and Nachi/Welchia worms. There are also other vulnerabilities that would allow attackers to mount Denial of Service attacks against RPC components.
Jolly 2003-10-09 22:32:20
Port of entry for RPC bug exploiting Worms like lovSan, msblaster on unfixed Windows 32bit systems. Potentially very dangerous.
2003-10-09 22:32:06
port used by Blaster32 worm for propagation
oog 2003-08-26 23:35:00
Port 135 is essential to the functionality of Active Directory and Microsoft Exchange mail servers, among other things.
Faiz Ahmad Shuja 2003-08-13 20:00:45
W32/Blaster worm The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.
Brian Porter 2003-08-10 00:30:30
CVE: CAN-2003-0352 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message.
Johannes Ullrich 2003-01-24 18:42:15
This port is used for Windows RPC. Windows RPC allows for the display of popup messages.