Guest zerodamage, August 12, 2003:
My firewall has recorded 5 pages of blocks in less than one minute. Port 135 is being hammered by this new worm. Anyone else seeing this on their router? I will post logs shortly; maybe you other geeks out there can do the same and we can see which major websites did NOT patch their system. Be fun. (BTW, this is the same port used to get Windows Messenger service spam, so if you are getting this... you may already be infected.)
http://www.foxnews.com/story/0,2933,94439,00.html
http://news.com.com/2100-1002-5062364.html?tag=nl
http://news.com.com/2100-1002-5062477.html?tag=nl
dwEEziL, August 12, 2003:
This is the KB article regarding the vulnerability this worm uses to infect a system. I advise installing it immediately. Yale University stated that 1000-1500 systems were detected to have been compromised on Monday by another virus/worm that uses the same vulnerability.
Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
http://www.microsoft.com/technet/treeview/...in/MS03-026.asp
Guest zerodamage, August 12, 2003 (edited):
Here are the logs I have so far. Notice how most of them are 24.48.x.y to 24.50.x.y. This is the subnet for Adelphia cable.

Time                  Message                    Source                Destination         Note
Aug/12/2003 01:29:13  Drop TCP packet from WAN   24.49.105.4:4926      192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:29:10  Drop TCP packet from WAN   24.49.105.4:4926      192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:28:38  Drop TCP packet from WAN   24.48.202.184:2124    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:28:14  Drop TCP packet from WAN   24.49.206.245:3748    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:28:11  Drop TCP packet from WAN   24.49.206.245:3748    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:27:45  Drop TCP packet from WAN   24.50.43.133:2539     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:26:47  Drop TCP packet from WAN   24.49.159.128:1685    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:26:44  Drop TCP packet from WAN   24.49.159.128:1685    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:54  Drop TCP packet from WAN   24.50.39.6:4172       192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:51  Drop TCP packet from WAN   24.50.39.6:4172       192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:50  Drop TCP packet from WAN   24.48.157.144:3791    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:47  Drop TCP packet from WAN   24.48.157.144:3791    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:39  Drop TCP packet from WAN   24.49.225.134:1630    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:39  Drop TCP packet from WAN   24.50.35.160:1454     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:37  Drop TCP packet from WAN   24.49.225.134:1630    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:33  Drop TCP packet from WAN   24.50.35.160:1454     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:23:30  Drop TCP packet from WAN   24.50.35.160:1454     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:22:21  Drop TCP packet from WAN   24.48.248.170:3048    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:10:55  Drop TCP packet from WAN   66.14.161.74:4407     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:10:49  Drop TCP packet from WAN   66.14.161.74:4407     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:10:46  Drop TCP packet from WAN   66.14.161.74:4407     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:07:55  Drop TCP packet from WAN   24.50.43.133:2821     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:07:50  Drop TCP packet from WAN   24.50.43.133:2821     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:07:47  Drop TCP packet from WAN   24.50.43.133:2821     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:04:58  Drop TCP packet from WAN   24.49.97.157:4985     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:04:56  Drop TCP packet from WAN   24.49.97.157:4985     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:01:22  Drop TCP packet from WAN   24.49.186.210:4722    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:01:20  Drop TCP packet from WAN   24.49.66.166:4044     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:01:19  Drop TCP packet from WAN   24.49.186.210:4722    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:01:17  Drop TCP packet from WAN   24.49.66.166:4044     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:01:12  Drop TCP packet from WAN   24.48.252.65:4011     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:01:08  Drop TCP packet from WAN   24.49.96.113:2614     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 01:01:00  Drop TCP packet from WAN   24.48.218.75:4279     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:58:36  Drop TCP packet from WAN   24.50.39.6:3596       192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:58:33  Drop TCP packet from WAN   24.50.39.6:3596       192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:55:31  Drop TCP packet from WAN   24.49.158.131:4318    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:55:28  Drop TCP packet from WAN   24.49.158.131:4318    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:55:08  Drop TCP packet from WAN   24.50.35.160:4623     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:55:06  Drop TCP packet from WAN   24.50.35.160:4623     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:54:05  Drop TCP packet from WAN   81.50.193.222:2476    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:51:20  Drop UDP packet from WAN   218.15.192.64:30099   192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:48:55  Drop TCP packet from WAN   24.50.49.62:3685      192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:42:46  Drop TCP packet from WAN   24.50.40.239:3075     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:42:44  Drop TCP packet from WAN   24.50.40.239:3075     192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:35:06  Drop TCP packet from WAN   65.219.150.61:3972    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:35:06  Drop TCP packet from WAN   65.219.150.61:3972    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:31:44  Drop TCP packet from WAN   24.48.224.166:1477    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:31:41  Drop TCP packet from WAN   24.48.224.166:1477    192.168.1.103:135   Rule: Block 135 deny
Aug/12/2003 00:28:24  Drop TCP packet from WAN   24.50.40.163:3054     192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:28:21  Drop TCP packet from WAN   24.50.40.163:3054     192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:24:11  Drop TCP packet from WAN   24.49.174.27:1386     192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:24:08  Drop TCP packet from WAN   24.49.174.27:1386     192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:24:01  Drop TCP packet from WAN   24.49.28.9:4488       192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:24:01  Drop TCP packet from WAN   24.49.28.9:4488       192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:58  Drop TCP packet from WAN   24.49.28.9:4488       192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:56  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:56  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:55  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:55  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:55  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:54  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:54  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:53  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:53  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:23:52  Drop TCP packet from WAN   204.1.226.228:60181   192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:14:53  Drop TCP packet from WAN   24.50.43.133:3639     192.168.1.103:135   Rule: Default deny
Aug/12/2003 00:14:50  Drop TCP packet from WAN   24.50.43.133:3639     192.168.1.103:135   Rule: Default deny
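The log above is raw router output; the pattern zerodamage points out (most sources in 24.48.0.0 to 24.50.255.255, the same source:port retrying two or three seconds apart) is easier to see once the lines are parsed and aggregated. The following is an added example, not code from the original thread or from D-Link: it parses D-Link-style log lines, collapses a source's TCP retransmissions of the same connection attempt into one event, and reports attempts per /16, per protocol, and per matching rule. The sample lines are a constructed subset copied from the post; the 10-second retransmission window is an assumption chosen for this data.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the D-Link log lines quoted in the post above.
SAMPLE_LOG = """\
Aug/12/2003 01:29:13 Drop TCP packet from WAN 24.49.105.4:4926 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:29:10 Drop TCP packet from WAN 24.49.105.4:4926 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:28:38 Drop TCP packet from WAN 24.48.202.184:2124 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:10:55 Drop TCP packet from WAN 66.14.161.74:4407 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:10:49 Drop TCP packet from WAN 66.14.161.74:4407 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 01:10:46 Drop TCP packet from WAN 66.14.161.74:4407 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:51:20 Drop UDP packet from WAN 218.15.192.64:30099 192.168.1.103:135 Rule: Block 135 deny
Aug/12/2003 00:28:24 Drop TCP packet from WAN 24.50.40.163:3054 192.168.1.103:135 Rule: Default deny
Aug/12/2003 00:28:21 Drop TCP packet from WAN 24.50.40.163:3054 192.168.1.103:135 Rule: Default deny
"""

# One D-Link log line: timestamp, verdict, protocol, interface, src:port, dst:port, rule name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Drop (?P<proto>TCP|UDP) packet from "
    r"(?P<iface>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"Rule: (?P<rule>.+?) deny$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b/%d/%Y %H:%M:%S")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def connection_attempts(events, window_s=10):
    """Collapse retries of the same src ip/src port/dst port/protocol that fall within
    window_s seconds of the previous one into a single connection attempt.
    (window_s is an assumed value; a TCP SYN is retransmitted after ~3 s on Windows.)"""
    attempts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["sport"], ev["dport"], ev["proto"])
        prev = last_seen.get(key)
        if prev is None or (ev["ts"] - prev).total_seconds() > window_s:
            attempts.append(ev)
        last_seen[key] = ev["ts"]
    return attempts


def summarize(log_text, port=135):
    """Aggregate dropped packets to `port`: raw packet count, de-duplicated attempts,
    distinct sources, attempts per /16 prefix, per protocol, and drops per rule."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = [e for e in events if e["dport"] == port]
    attempts = connection_attempts(hits)
    return {
        "packets": len(hits),
        "attempts": len(attempts),
        "distinct_sources": len({e["src"] for e in attempts}),
        "by_slash16": dict(Counter(".".join(e["src"].split(".")[:2]) for e in attempts)),
        "by_proto": dict(Counter(e["proto"] for e in attempts)),
        "by_rule": dict(Counter(e["rule"] for e in hits)),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run against the full log in the post, the per-/16 counts make the "it is my own ISP's subnet" observation concrete, and the by_rule split shows that the entries before the explicit "Block 135" rule existed were already being dropped by the router's default policy.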
redeyez, August 12, 2003 (edited):
I just installed a new ... a few days ago and was too lazy to install a firewall (I'm on 56k, like I needed it). Connected to the net after work and in 3 MINS! my system crashed... It would run fine, but when I went on the net it would crash again. After 2 hours of this crap, and after a failed attempt to restore WinXP, I decided to snoop around. Found 1 program created at 12:40am (same time as the event log stats error) called msblast.exe... deleted it... rebooted... it came back. So I ended the process via C-A-D, and my inet seemed fine... then it crashed again in about 10 mins. So I installed ZoneAlarm Pro 4... deleted all programs created from 12:30am - 12:45 (amazing how much crap there was). Edited my startup to stop loading this mysterious msblast.exe. Rebooted, connected... perfect... then I get about 20 attacks to TCP 135... guess I was lucky and caught it in time. My advice: this exploit sucks bad... get the MS update posted above, and get a good firewall.
EDIT: maybe you should stick this thread.
Guest zerodamage, August 12, 2003:
Notice what Red said.... HE IS ON DIALUP. No one is safe from this. Get a freakin' firewall.
Guest zerodamage, August 12, 2003 (edited):
This is the Worm Removal Tool courtesy of Symantec.
http://securityresponse.symantec.com/avcen...moval.tool.html
Good tech article on it.... Quite detailed.
https://tms.symantec.com/members/AnalystRep...rt-DCOMworm.pdf
Guest zerodamage, August 12, 2003:
BTW, 200 more port 135 hits in the past 1-1/2 hours.
[Mmmm]Homer, August 12, 2003:
Wow, M$ is slow today, they are hammered!
Guest zerodamage, August 12, 2003:
Over 3000 probes to 135 in 8 hours. I just woke up.
ConGregation, August 13, 2003:
This one got me. I don't run a firewall (moronic, I know). Computer would restart every minute. I fixed it by downloading the patch. Read today how to clear it off the system and did it.
Guest zerodamage, August 13, 2003:
Now rev.... go get a firewall. I am using D-Link's 40 dollar deal at Best Buy. Works great.
NOFX, August 13, 2003:
I use D-Link's $40 janx, but I'm not at my comp now, I'm on dial up at home.... So Zdamage, the IP addresses that are trying to come in on port 135 are from who? Adelphia cable's machines? Or is this worm on all the users from Adelphia and their machines are the ones attacking yours? I'm confused here, I'm a comp sci major (networking concentration). How could so many different IPs be attacking your machine? (Unless the whole network you get your internet from is infected, then I could see.) I'm curious about this worm and how it really works. That would be cool if the program spammed you from the same machine, but the program just changed the source IP in the packet header to an arbitrary one every time. This is kind of interesting, because I'm on dial up here at my dad's, and just a few days ago, his machine that connects to the net kept getting remote commands that would stop a critical program and make his machine shut down. I turned on the firewall in XP and problem solved..
Asphyxiator, August 13, 2003:
My ISP blocked the ports that are causing the problems until the dust settles.
dwEEziL, August 13, 2003:
Quoting NOFX: "That would be cool if the program spammed you from the same machine, but the program just changed the source IP in the packet header to an arbitrary one every time."
Actually, it is better if there were many machines spamming one computer. Then the work would be more distributed, the impact would be more severe and less noticeable on the zombie machines (the attackers), and it would be more difficult to trace back to the hacker.
Guest zerodamage, August 13, 2003 (edited):
nofx, typically worms and whatnot like this usually probe those in the immediate subnet first. You know.... my IP starts with 24.50, so those in that area will be the first probed. As for you having that problem the other day.... if you did not clean your system of the virus... it is still there. I would run that cleaning tool. OH, and yes, many on my cable network have the virus. That is why the IPs are all similar. They are all Adelphia users.
redeyez, August 13, 2003:
5000+ probes to 135 in around 9 hrs.... stop the madness
Slaphappy, August 13, 2003:
Speaking of D-Link routers.... I'm trying to make sure the firewall is working on mine... but I'm a noob when it comes to actually tinkering with this stuff. As you can see in the pic here I've clicked enable but it won't let me do it... not really sure what I'm supposed to enter in those IP thingys.
Guest zerodamage, August 13, 2003:
Just use that link I provided in one of the threads (test your firewall) and you can see if it is blocking those ports. I think many ISPs are now blocking port 135 on their end. This dial up here is.
Slap, I think port 135 on yours is blocked by default. Your setup is exactly the same as mine, so do this:
- On the first option, put on Enable.
- Put in the name, like "Block 135".
- Put on Deny on the next one.
- Under Source, put WAN and put a * in the first block on that line.
- Then on Destination put LAN and then your IP address. I noticed putting in the IP address assigned by the firewall works best.
- Then put in 135 on the first Port block.
- Do not put it on TCP only, put on BOTH.
- Then last put on ALWAYS and hit Apply.
Then watch the denies on your log. You are probably already getting denies anyway. It is under the Status tab on top.
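The steps above define a single first-match firewall rule: source zone WAN with any address, destination zone LAN with one host, destination port 135, protocol BOTH, always enabled, action Deny, and the router's own default policy behind it. The following is an added example, not D-Link code or anything posted in the thread: a small model of that rule table, evaluated against two of the probes in zerodamage's log (one TCP, one UDP), to show why the "BOTH" step matters for attribution in the log. With a TCP-only rule the UDP probe is still dropped, but only by the default policy, so it shows up as "Rule: Default" rather than under the named rule. The Rule and Packet classes and the default-deny policy are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One row of the router's rule table, mirroring the fields in the steps above."""
    name: str
    action: str            # "Deny" or "Allow"
    src_zone: str          # "WAN" or "LAN"
    src_ip: str            # "*" matches any address
    dst_zone: str
    dst_ip: str            # the LAN host, or "*"
    port: int              # destination port
    protocols: frozenset   # frozenset({"TCP"}), frozenset({"UDP"}) or both
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    in_zone: str
    out_zone: str
    proto: str
    src: str
    dst: str
    dport: int


def first_match(rules, pkt):
    """Return the first enabled rule whose zone, address, port and protocol all match."""
    for r in rules:
        if not r.enabled:
            continue
        if r.src_zone != pkt.in_zone or r.dst_zone != pkt.out_zone:
            continue
        if r.src_ip != "*" and r.src_ip != pkt.src:
            continue
        if r.dst_ip != "*" and r.dst_ip != pkt.dst:
            continue
        if r.port != pkt.dport or pkt.proto not in r.protocols:
            continue
        return r
    return None


def decide(rules, pkt, default_action="Deny"):
    """(action, rule name) the router would log; falls through to the default policy
    (assumed deny for WAN->LAN, as the "Rule: Default deny" log entries suggest)."""
    r = first_match(rules, pkt)
    return (r.action, r.name) if r else (default_action, "Default")


# The rule as described in the steps, once with TCP only and once with BOTH.
LAN_HOST = "192.168.1.103"
TCP_ONLY = Rule("Block 135", "Deny", "WAN", "*", "LAN", LAN_HOST, 135, frozenset({"TCP"}))
BOTH = Rule("Block 135", "Deny", "WAN", "*", "LAN", LAN_HOST, 135, frozenset({"TCP", "UDP"}))

# Two probes taken from the log posted earlier in the thread.
TCP_PROBE = Packet("WAN", "LAN", "TCP", "24.49.105.4", LAN_HOST, 135)
UDP_PROBE = Packet("WAN", "LAN", "UDP", "218.15.192.64", LAN_HOST, 135)

if __name__ == "__main__":
    for label, table in (("TCP only", [TCP_ONLY]), ("BOTH", [BOTH])):
        for pkt in (TCP_PROBE, UDP_PROBE):
            print(label, pkt.proto, "->", decide(table, pkt))
```

Either way the packet is dropped; the difference is whether the drop is attributed to the named rule or to the default policy, which is exactly the split visible in the "Rule:" column of the posted log.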
THX1138, August 13, 2003:
I have Adelphia cable and no problems here.
THX1138, August 13, 2003:
oops

Incoming Log Table
Source IP          Destination Port Number
64.156.39.12       1026
68.170.200.205     135
68.170.219.68      135
68.168.249.94      135
68.169.87.130      135
68.169.114.31      135
68.169.95.164      135
68.169.86.65       135
68.170.221.164     135
68.169.86.65       135
68.170.221.164     135
68.169.91.17       135
68.169.76.164      135
68.170.221.128     135
68.170.221.128     135
68.169.89.167      135
68.170.219.111     135
68.169.87.73       135
68.170.217.115     135
68.170.204.138     135
68.169.95.166      135
68.169.86.44       135
68.169.92.127      135
68.168.253.99      135
200.76.135.118     1434
68.170.219.153     135
68.170.219.107     135
68.170.204.104     135
218.156.158.8      3410
203.239.171.182    3410
68.170.199.134     135
68.169.97.49       135
68.170.220.4       135
68.170.219.173     135
68.170.202.52      135
68.170.220.87      135
218.145.222.217    3410
68.169.107.181     135
68.170.222.136     135
219.240.20.82      3410
220.83.198.27      3410
211.104.85.17      3410
68.170.219.153     135
66.28.236.117      1434
68.170.219.136     135
68.169.94.76       135
68.170.193.156     135
68.169.94.76       135
68.170.193.229     135
68.170.201.10      135
68.170.193.229     135
68.170.193.156     135
68.170.201.10      135
68.169.100.99      135
68.169.80.173      135
68.170.210.157     135
68.170.219.173     135
12.222.68.97       27374
202.108.249.21     1434
68.170.199.175     135
68.169.97.33       135
68.170.210.20      135
64.27.19.26        1080
64.156.39.12       1026
68.169.80.11       135
68.169.86.65       135
68.169.110.109     135
68.169.86.65       135
68.169.85.156      135
68.170.192.182     135

How come ZoneAlarm is not stopping these requests? My machine is not having any problems; it's been on and off all day long.
Guest zerodamage, August 13, 2003:
I am figuring those requests were blocked, but to make sure, go into your config and set ZoneAlarm to block all requests for port 135 (this also stops Windows Messenger spam).
Gond, August 13, 2003:
Your router should block EVERY port attempting to access your network by default. You should not have to do anything. With my router the only thing I can do is open ports and block requests from inside out.
Guest zerodamage, August 13, 2003:
Quoting Gond: "Your router should block EVERY port attempting to access your network by default. You should not have to do anything. With my router the only thing I can do is open ports and block requests from inside out."
Typically that is the case, yes. Doesn't hurt to make the rule anyway. What kind of router you got, Gond?
THX1138, August 13, 2003:
I have the Linksys BEFSR41.
Gond, August 13, 2003:
Sure... I tell you and you post the exploit for it all over the web. Netgear RO318.