Port Details - Port 135

Oct 22 6,294 Oct 24 6,576 Oct 25 6,642 Oct 26 7,116 Oct 27 6,633 Oct 28 6,227 Oct 29 6,697 Oct 30 6,386 Oct 31 6,054 Nov 01 6,366 Nov 02 6,553 Nov 03 7,384 Nov 04 6,625 Nov 05 6,937 Nov 06 6,874 Nov 07 6,744 Nov 08 6,472 Nov 09 6,513 Nov 10 7,039 Nov 11 6,951 Nov 12 6,586 Nov 13 6,829 Nov 14 6,231 Nov 15 6,777 Nov 16 6,955 Nov 17 6,698 Nov 18 6,860 Nov 19 6,587 Nov 20 6,213 Nov 21 938 Oct 22 7,955 Oct 24 72,690 Oct 25 41,303 Oct 26 45,637 Oct 27 73,183 Oct 28 22,732 Oct 29 32,151 Oct 30 7,890 Oct 31 64,196 Nov 01 52,282 Nov 02 72,787 Nov 03 48,255 Nov 04 71,380 Nov 05 72,811 Nov 06 73,185 Nov 07 73,099 Nov 08 71,901 Nov 09 72,376 Nov 10 72,731 Nov 11 72,766 Nov 12 72,591 Nov 13 73,496 Nov 14 71,281 Nov 15 72,905 Nov 16 73,254 Nov 17 72,792 Nov 18 73,289 Nov 19 73,632 Nov 20 72,554 Nov 21 3,896
[show ascii data]
  • Start Date:
  • End Date:
  • Port:
  • Left Graph:
  • Right Graph:
  • Show Range:Yes No

Port Information

ProtocolServiceName
tcpepmapDCE endpoint resolution
tcploc-srvNCS local location broker
udpepmapDCE endpoint resolution
udploc-srvLocation Service
[get complete service list]

User Comment

Submitted ByDate
Comment
Richard Akerman2009-10-04 18:45:22
It appears this port is being used as the starting point of Windows "NET SEND" spam messages that use the Messenger service. A connection is made to port 135 to determine what high-numbered port the Messenger service is running on.
xentheon2009-10-04 18:45:22
Looks like msblast is on it's way... If you manage to sniff any of the packets you will see one of these messages: "billy gates why do you make this possible?" "Stop making money and fix your software!!" Mblast can be found in c:\windows\system32\ as well as: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ And the 'patch' from windows at: http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
a1fa2009-10-04 18:45:22
Hi, Today (9-17-2003), I have noticed several computers scanning external IP addresses on UDP:135. The computers are doing ascending IP scan, similar to Blaster. This is the payload : "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!" More on this can be found at : http://www.securityfocus.com/news/6975 Does anybody else have similar problems? Do you know what worm is this? join #inSecurity @ FreeNode a1fa
VIPER X2005-06-12 05:22:59
Some well known Root kits also use this port to transmit data back to home base and download more malware. I also suspect may be an entry point for some root kit /malware for un patched systems or systems that did not patch correctly.
Phil Brammer2003-12-17 17:41:44
Please see http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm for the latest on an RPC exploit against Microsoft operating systems. Also, from the vendor: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp Please ensure that all unnecessary TCP/UDP ports are blocked and particularly TCP 135, TCP 139, TCP 445, or any other specifically configured RPC port. Unapproved CVE #: CAN-2003-0352 (As of July 31st, 2003)
Marcus H. Sachs, SANS Institute2003-10-09 22:32:52
SANS Top-20 Entry: W5 Windows Remote Access Services http://www.sans.org/top20/index1.php#w5 Remote Procedure Calls Many versions of Microsoft operating systems (Windows NT 4.0, 2000, XP, and 2003) provide an inter-process communication mechanism that allows programs running on one host to execute code on remote hosts. Three vulnerabilities have been published that would allow an attacker to run arbitrary code on susceptible hosts with Local System privileges. One of these vulnerabilities was exploited by Blaster/MSblast/LovSAN and Nachi/Welchia worms. There are also other vulnerabilities that would allow attackers to mount Denial of Service attacks against RPC components.
Jolly2003-10-09 22:32:20
Port of entry for RPC bug exploiting Worms like lovSan, msblaster on unfixed Windows 32bit systems. Potentialy very dangerous.
2003-10-09 22:32:06
port used by Blaster32 worm for propogation
oog2003-08-26 23:35:00
Port 135 is essential to the functionality of Active Directory and Microsoft Exchange mail servers, among other things.
Faiz Ahmad Shuja2003-08-13 20:00:45
http://www.cert.org/advisories/CA-2003-20.html W32/Blaster worm The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026. http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Brian Porter2003-08-10 00:30:30
CVE: CAN-2003-0352 Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
Johannes Ullrich2003-01-24 18:42:15
This port is used for Windows RPC. Windows RPC allows for the display of popup messages.
Add a comment

CVE Links

CVE #Description
CVE-2003-352 "Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0
CVE-2003-528 "Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter
CVE-2003-533 "Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a
CVE-2003-717 "The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message
CVE-2003-813 "A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request