Getting scanned... often. The result of MS/Blast?
Sepero
08-14-2003, 02:14 AM
I signed up with dyndns.org yesterday. I started firestarter because I'm trying to set up SSH. It appears I'm being scanned several times per minute. Most of them are scanning on port 135 and firestarter reports that as "ms-rpc". My question is: Is this our famous worm? :D
I haven't had this many hits since... ever! LOL
P.S.
This comp is on 14k dial-up. :p
Alex Cavnar, aka alc6379
08-14-2003, 02:19 AM
I figure it probably is.
I remember a while back I had a temporary webserver running on my cable modem connection so a friend could pull some files down (he was behind a firewall that blocked ftp). I got requests for services on port 80 nearly 400 times in one hour while that server was up. I don't think that my friend was using 100 different IP addresses to pull one file from me...
Turned out, it was the NIMDA virus. That must've been how it exploited whatever flaw it worked on. Apparently, my local cable company's loop is infested with machines running NIMDA.
mdwatts
08-14-2003, 07:02 AM
Originally posted by Sepero
Most of them are scanning on port 135 and firestarter reports that as "ms-rpc". My question is: Is this our famous worm? :D
I heard yesterday at work from a couple of friends that got hit with the MS/Blast virus on their home PCs that it does in fact use port 135.
Of course I boasted that I only run Linux at home. :)
chatins
08-14-2003, 07:27 AM
The worm MSBlast does use TCP/UDP 135, otherwise known as "DCOM" or "RPC" or just plain "Microshaft" on some newsgroups. DCOM is a protocol Microsoft used to call OLE and is based on the Open Software Foundation's RPC spec.
All DCOM communications start with port 135 and can be redirected to different ports as the MS endpoint manager deems fit.
As for scanning, good and bad scanning is going on with port 135. SARC and other companies use a number of DCOM vulnerability scanning tools to try and determine the number of infected machines and the rate of spreading. Many of these result in false positives so the numbers are adjusted.
Sepero
08-14-2003, 08:04 AM
Originally posted by mdwatts
Of course I boasted that I only run Linux at home. :)
Heheh, that's always fun. One of my brothers asked me if I was worried about it and I told him the same thing. I probably should have offered him a Knoppix CD after that. :D
The cures for the MSBlast worm:
1. Run a firewall
2. Get the latest patch from Microsoft
3. Run "shutdown -a" whenever it tries to shut down your computer
4. Use Linux :D
Sepero
08-14-2003, 03:29 PM
One nice little anti-virus trick that works with my friend's computer is:
format c:
Wipes out that Microsoft virus every time! :D
HARMANE
08-15-2003, 12:25 PM
Here's a nice little script that will determine your vulnerabilities, Windows only for DCOM, but the port scanner is useful.
http://secur1ty.r1hosting.net/
And yeah, 135 is RPC; people are getting scanned on 137+9, 445 as well. Funny, the fix was out for over a month, but I guess that's how it usually happens.
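
Added example, not part of the thread: a way to tally how many of the dropped packets in a firewall log hit the ports discussed above (135, 137, 139, 445) and from how many distinct sources. It assumes the firewall writes standard netfilter `LOG` lines to the kernel log; the sample lines, host name and addresses are constructed and trimmed.

```python
import re
from collections import Counter, defaultdict

# Ports named in the thread. 135 is what firestarter labels "ms-rpc";
# the other names are the IANA service names.
WATCHED = {135: "ms-rpc", 137: "netbios-ns", 139: "netbios-ssn", 445: "microsoft-ds"}
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

# Constructed sample lines in netfilter LOG format (documentation IP ranges).
SAMPLE_LOG = """\
Aug 14 02:10:01 box kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=110 PROTO=TCP SPT=3456 DPT=135 SYN
Aug 14 02:10:09 box kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=110 PROTO=TCP SPT=3457 DPT=135 SYN
Aug 14 02:10:31 box kernel: IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=1190 DPT=135 SYN
Aug 14 02:10:40 box kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=78 TTL=108 PROTO=UDP SPT=137 DPT=137
Aug 14 02:11:02 box kernel: IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=48 TTL=112 PROTO=TCP SPT=1202 DPT=445 SYN
Aug 14 02:11:15 box kernel: IN=ppp0 OUT= SRC=192.0.2.20 DST=198.51.100.7 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN
Aug 14 02:11:20 box kernel: IN=ppp0 OUT= SRC=192.0.2.33 DST=198.51.100.7 LEN=84 TTL=50 PROTO=ICMP TYPE=8 CODE=0
"""

def parse_line(line):
    """Return (src, proto, dport) for a LOG line, or None if it has no port."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "PROTO", "DPT"} <= fields.keys():
        return None  # e.g. ICMP lines carry no DPT field
    if not fields["DPT"].isdigit():
        return None
    return fields["SRC"], fields["PROTO"], int(fields["DPT"])

def summarize(log_text):
    """Map each watched port to (hit count, number of distinct source IPs)."""
    hits = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in WATCHED:
            continue
        src, _proto, dport = parsed
        hits[dport] += 1
        sources[dport].add(src)
    return {port: (hits[port], len(sources[port])) for port in hits}

if __name__ == "__main__":
    for port, (count, srcs) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{port:>5} {WATCHED[port]:<13} hits={count} sources={srcs}")
```

Many distinct sources probing port 135 in a short window is the pattern described in this thread; the SSH line and the ICMP line in the sample are ignored.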