08-13-2003, 11:12 PM
The port to block is port 135, which is Microsoft's RPC Endpoint Mapper port. It is used by Microsoft for the RPC locator service.
Here is a quote I found on it:
Quote:Windows Remote Procedure Call (RPC) and Distributed COM (DCOM)
In some cases, Microsoft uses port 135 as an RPC Endpoint Mapper. Runs as RPCSS on (some versions of?) Windows. This is a sort of "RPC directory" service which can be used to look up what ports other services are running on. For some additional information, see Windows 2000 Network Architecture: Remote Procedure Call and NT Gatekeeper: RPC and Firewall Configuration.
MS-RPC on port 135 is required for some Exchange Server and Active Directory communications. See e.g. TCP Ports and Microsoft Exchange: In-depth Discussion and Restricting Active Directory Replication Traffic to a Specific Port.
However this port also poses a security risk, as indicated in the NET SEND section of my broadband security page.
This is a common port that someone who has a broadband connection and Windows wide open to the internet. When port scanned, the scanner will see 135 as an open port and know that this is a Windows shitbox. He can then pull out his Window's hax and try his best to visit you with chaos.
Quote:"Sites are encouraged to block network access to the RPC service at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter." However, be aware that the indicated TCP/IP ports also have legitimate uses in Microsoft Windows, such as connecting to Exchange email servers and for file and printer sharing.
Here are some of the things Microsoft says to do:
Quote:Make sure you have a firewall installed and activated to help protect your computer against infection, before you take other steps. If your computer has been infected, activating firewall software will help limit the effects of the worm on your computer.
Quote:Download and install the security update addressed in Security Bulletin MS03-026 for the version of Windows that you are using from the Microsoft Download Center.
Quote:Make sure you install and use antivirus software.
If you have antivirus software installed, get the latest virus definitions from your antivirus vendor's Web site.
Quote:If you think your computer has been infected, use the worm removal tool available at your antivirus vendor's Web site.
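To check your own machine for the exposure described in the post above, the following added example (not part of the original post) parses Windows `netstat -ano` output and reports listeners on port 135 that are bound to a non-loopback address. The sample output and the function names are constructed for illustration.

```python
import ipaddress

RPC_EPMAP_PORT = 135  # the port named in the post

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2140
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     3388
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:1350           *:*                                    1188
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def find_exposed_listeners(netstat_text, port=RPC_EPMAP_PORT):
    """Return (proto, address, pid) for listeners on `port` not bound to loopback."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[3] != "LISTENING":
            continue  # established or closing connections are not listeners
        try:
            addr, local_port = split_endpoint(local)
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        except ValueError:
            continue  # unparseable endpoint, skip it
        # Exact port comparison, so 1350 is not mistaken for 135.
        if local_port == port and not ip.is_loopback:
            exposed.append((proto, addr, fields[-1]))
    return exposed

if __name__ == "__main__":
    for proto, addr, pid in find_exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {RPC_EPMAP_PORT} listening on {addr} (PID {pid})")
```

A hit only shows that the service is bound to a routable interface; whether it can be reached from the internet depends on the firewall or border filtering recommended above.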