NTL to block port 135


altis
14-10-2003, 23:04
According to 'ntl' (Ashley Grossman) here (http://www.nthellworld.com/article/?action=show&id=362), NTL are going to block port 135.

And about time too.

MovedGoalPosts
14-10-2003, 23:24
According to 'ntl' (Ashley Grossman) here (http://www.nthellworld.com/article/?action=show&id=362), NTL are going to block port 135.

And about time too.

Why will it take them until the 24th October to complete that?

Yes such action should have been considered a long time ago, by many ISPs not just ntl when the blaster type virus became so rampant. Let's see whether this gives us a speed increase by getting rid of all that useless traffic.

But for those users who do have a legitimate use of port 135, will they have any ability to get ntl not to cut it off for them only?

Chris
14-10-2003, 23:29
Why will it take them until the 24th October to complete that?

Yes such action should have been considered a long time ago, by many ISPs not just ntl when the blaster type virus became so rampant. Let's see whether this gives us a speed increase by getting rid of all that useless traffic.

But for those users who do have a legitimate use of port 135, will they have any ability to get ntl not to cut it off for them only?

Hmm ...

I was using a program, which I think has been affected by you blocking Port 135!!
This is unlikely. Blocking Port 135 will have absolutely no effect on any offline programs (e.g. word, windows, printers etc.) and will only affect the spread of viruses across the Internet. If, however, you feel sure a problem is due to the blocking of Port 135, please call ntl: home technical support who will be able to confirm whether or not this is the case.

So...

Customer: errr, hi, I can't access my Exchange server and I think your blocking of port 135 is to blame.
tech: Yes sir, I can confirm that that is the case.
Customer: So, um, what can you do about it?
tech: I can confirm that's the case but that's about it....

Or are any techs about that can say they have been advised otherwise? Because Ashg's FAQs sound extremely unco-operative.

Shaun
14-10-2003, 23:45
Towny, after reading about Ash G tonight I can't believe he wrote that FAQ at all; I'd be surprised if he could write his own name!

Tiptoes
15-10-2003, 02:53
Hmm ...



So...

Customer: errr, hi, I can't access my Exchange server and I think your blocking of port 135 is to blame.
tech: Yes sir, I can confirm that that is the case.
Customer: So, um, what can you do about it?
tech: I can confirm that's the case but that's about it....

Or are any techs about that can say they have been advised otherwise? Because Ashg's FAQs sound extremely unco-operative.

Looks like you will have to use remote desktop client and/or outlook web access.

Have you tried UltraVNC yet?

I know there are rafts joining the mailing list, I wondered what all the fuss was about with all these new subscribers, now I realise it's because of ISPs closing down 135.

Tiptoes
15-10-2003, 03:04
What do you mean by “Port 135”?
If you think of your Internet connection as a television set. You can watch channel 1 to browse the web, channel 3 to receive email, and channel 4 to chat to friends in chat rooms. Imagine when using channel 6, 99% of the time, all you see is white noise (static). This white noise also causes interference with the rest of your television viewing. By disabling channel 6, and moving the corresponding program to channel 8 the detrimental effect it has on the other channels is reduced.

Using this example, “Port 135” would be the equivalent of Channel 6 and the effects of the current “Welchia and Blaster” viruses, are the white-noise, or interference.


As spoken like a true professional


I like my explanation better, seeing as nearly everyone including NTL have copied my original advice as I wrote it years ago

keithwalton
15-10-2003, 10:44
hmm port 135 has been blocked by plusnet since the outbreak of blaster (within like hours they e-mailed us saying it had been done)
The only thing that uses 135 is rpc which has been patched twice now and still hasn't been fixed.

If we wanted to have the port back open we could ask them and they can do it on a per customer basis as they have firewalls their end.

nice to see nthell are nice and speedy on this one :rollseyes:

K

Richard M
15-10-2003, 10:47
I think that news item was only posted so AshG could assert his new "dominance" of .com.

BBKing
15-10-2003, 11:27
If we wanted to have the port back open we could ask them and they can do it on a per customer basis as they have firewalls their end.

Don't count on it. I know how it's being done and it isn't firewalls and it won't be switchable per person, unfortunately. Find another port if you really have to, but take it that 135 will be blocked *permanently*. With insecure software so widespread something has to be done to protect the majority from exploits.

ntluser
16-10-2003, 10:19
Don't count on it. I know how it's being done and it isn't firewalls and it won't be switchable per person, unfortunately. Find another port if you really have to, but take it that 135 will be blocked *permanently*. With insecure software so widespread something has to be done to protect the majority from exploits.

For the uninitiated like me, what's the significance of blocking port 135?

Which programs use that port?

And if it is being used as a way of blocking viruses surely the virus makers will merely re-direct their programs to find open ports which you are using that are unblocked.

Surely, if users have properly configured firewalls, anti-virus software and exercise common sense and caution the viruses will be kicked into touch.

Chris
16-10-2003, 11:14
For the uninitiated like me, what's the significance of blocking port 135?

Which programs use that port?
M$ Exchange uses it, but Exchange is normally only found running within corporate networks so the blocking should have a minimal impact. Exchange is the example given in ntl's FAQs ... don't know what other apps might use it but the impression being given is 'not many at all'.

And if it is being used as a way of blocking viruses surely the virus makers will merely re-direct their programs to find open ports which you are using that are unblocked.
For sure they will, for such is the way of virus writers ... and such is the way of M$, that it prolly won't take long to find the next exploit. :rolleyes:

Surely, if users have properly configured firewalls, anti-virus software and exercise common sense and caution the viruses will be kicked into touch.
You hit the nail on the head. This is why viruses spread so easily. One of the biggest reasons why certain viruses and hacks work so well is that people don't apply patches for known problems or update their anti-virus software.

homealone
16-10-2003, 11:42
<snip> For sure they will, for such is the way of virus writers ... and such is the way of M$, that it prolly won't take long to find the next exploit.


coming soon ....

http://news.bbc.co.uk/1/hi/technology/3196494.stm

Tiptoes
16-10-2003, 11:59
M$ Exchange uses it, but Exchange is normally only found running within corporate networks so the blocking should have a minimal impact. Exchange is the example given in ntl's FAQs ... don't know what other apps might use it but the impression being given is 'not many at all'.

For sure they will, for such is the way of virus writers ... and such is the way of M$, that it prolly won't take long to find the next exploit. :rolleyes:

You hit the nail on the head. This is why viruses spread so easily. One of the biggest reasons why certain viruses and hacks work so well is that people don't apply patches for known problems or update their anti-virus software.

So all those home workers connecting to their work's Exchange server for their email are buggered.

Nemesis
16-10-2003, 12:14
So all those home workers connecting to their work's Exchange server for their email are buggered.
Yep, that's about it.

downquark1
16-10-2003, 12:24
Here's a much better solution:

How about Microsoft don't have the port open by default???

Chris
16-10-2003, 12:26
So all those home workers connecting to their work's Exchange server for their email are buggered.
sounds like it. ntl strikes again.

Nemesis
16-10-2003, 12:29
So all those home workers connecting to their work's Exchange server for their email are buggered.
Can the Exchange servers be configured to use another port?

garyeuph
16-10-2003, 12:35
I presume the effect on exchange would not apply if you connect over a vpn tunnel??

Shaun
16-10-2003, 12:57
For sure they will, for such is the way of virus writers ... and such is the way of M$, that it prolly won't take long to find the next exploit. :rolleyes:

Check out the 4 hotfixes in windows update yesterday :rolleyes:

Tiptoes
16-10-2003, 12:59
I presume the effect on exchange would not apply if you connect over a vpn tunnel??

As long as the VPN is set up to use TCP/IP, and remember that VPN isn't "allowed" on residential NTL Services.

Read their AUP.


Also Windows 2K servers on which Exchange server sits need RPC (Port 135) to function properly so although it can be protected it can't be actually "Closed".

http://www.microsoft.com/technet/security/bulletin/MS00-066.asp

"Would it be possible to prevent the attack by disabling the RPC service?

It is not practical to disable the RPC service on a Windows 2000 server. RPC is an integral part of the Operating System and many services will not function with RPC disabled."

Shaun
16-10-2003, 13:00
I presume the effect on exchange would not apply if you connect over a vpn tunnel??

Shouldn't think so, because you're running the software there and not on your machine ;)

Chris
16-10-2003, 13:05
Check out the 4 hotfixes in windows update yesterday :rolleyes:
Well, don't you know it ... I'm a prophet as well ... ;)

Tiptoes
16-10-2003, 13:20
Can the Exchange servers be configured to use another port?


Yes, Outlook Web Access (OWA) on port 80


http://servername/exchange/mailboxname.


but it's dodgy.....

(Port 80 connections into your server via a home user)

I would recommend anyone looking at Exchange on W2K seriously consider these

http://www.securityfocus.com/infocus/1572

http://www.securityfocus.com/infocus/1578

Tiptoes
16-10-2003, 13:24
Shouldn't think so, because you're running the software there and now on your machine ;)

?

homealone
16-10-2003, 13:31
Check out the 4 hotfixes in windows update yesterday :rolleyes:


*cough* post #12 *cough* :D

Shaun
16-10-2003, 13:36
*cough* post #12 *cough* :D


Sorry Gaz :o

Tiptoes, I've edited my post so it makes sense now :blush:


I'll get my coat! :dmonk:

homealone
16-10-2003, 13:52
Sorry Gaz :o

<snip>

np - it's these laminate floors, they make everything echo;):)

It'll be interesting to have a look at my router log when I get home to see how much difference this port blocking has made.

altis
16-10-2003, 14:13
Bugga all so far!

Thu, 16 Oct 2003 13:57:50 GMT+0100 Unrecognized access from 81.97.150.191:4035 to TCP port 135
Thu, 16 Oct 2003 13:57:56 GMT+0100 Unrecognized access from 81.97.217.203:3622 to TCP port 135
Thu, 16 Oct 2003 13:58:02 GMT+0100 Unrecognized access from 81.100.109.208:3958 to TCP port 135
Thu, 16 Oct 2003 13:58:04 GMT+0100 Unrecognized access from 81.99.224.104:1681 to TCP port 135
Thu, 16 Oct 2003 13:58:05 GMT+0100 Unrecognized access from 81.100.109.208:3958 to TCP port 135
Thu, 16 Oct 2003 13:58:28 GMT+0100 Unrecognized access from 80.131.136.230:1025 to UDP port 137
Thu, 16 Oct 2003 14:00:19 GMT+0100 Unrecognized access from 81.96.103.92:3651 to TCP port 135
Thu, 16 Oct 2003 14:00:53 GMT+0100 Unrecognized access from 81.98.39.240:3118 to TCP port 135
Thu, 16 Oct 2003 14:00:56 GMT+0100 Unrecognized access from 81.98.39.240:3118 to TCP port 135
Thu, 16 Oct 2003 14:01:02 GMT+0100 Unrecognized access from 81.98.39.240:3118 to TCP port 135
Thu, 16 Oct 2003 14:01:12 GMT+0100 Unrecognized access from 81.97.83.164:3412 to TCP port 445
Thu, 16 Oct 2003 14:01:15 GMT+0100 Unrecognized access from 81.97.83.164:3412 to TCP port 445
Thu, 16 Oct 2003 14:01:39 GMT+0100 Unrecognized access from 81.97.107.242:3600 to TCP port 135
Thu, 16 Oct 2003 14:02:09 GMT+0100 Unrecognized access from 81.97.14.176:3735 to TCP port 135
Thu, 16 Oct 2003 14:02:12 GMT+0100 Unrecognized access from 81.97.14.176:3735 to TCP port 135
Thu, 16 Oct 2003 14:02:17 GMT+0100 Unrecognized access from 81.97.14.176:3735 to TCP port 135
Thu, 16 Oct 2003 14:03:09 GMT+0100 Unrecognized access from 200.154.72.12:1025 to UDP port 137
Thu, 16 Oct 2003 14:03:52 GMT+0100 Unrecognized access from 81.97.166.133:4032 to TCP port 135
Thu, 16 Oct 2003 14:03:54 GMT+0100 Unrecognized access from 81.97.166.133:4032 to TCP port 135
Thu, 16 Oct 2003 14:03:55 GMT+0100 Unrecognized access from 81.99.222.41:3736 to TCP port 135
Thu, 16 Oct 2003 14:03:58 GMT+0100 Unrecognized access from 81.99.222.41:3736 to TCP port 135
Thu, 16 Oct 2003 14:04:00 GMT+0100 Unrecognized access from 81.97.166.133:4032 to TCP port 135
Thu, 16 Oct 2003 14:04:04 GMT+0100 Unrecognized access from 81.99.222.41:3736 to TCP port 135
Thu, 16 Oct 2003 14:04:43 GMT+0100 Unrecognized access from 200.182.64.181:1033 to UDP port 137
Thu, 16 Oct 2003 14:05:03 GMT+0100 Unrecognized access from 81.97.127.244:4056 to TCP port 135
Thu, 16 Oct 2003 14:05:06 GMT+0100 Unrecognized access from 81.97.127.244:4056 to TCP port 135
Thu, 16 Oct 2003 14:05:12 GMT+0100 Unrecognized access from 81.97.127.244:4056 to TCP port 135
Thu, 16 Oct 2003 14:05:38 GMT+0100 Unrecognized access from 81.97.62.18:3779 to TCP port 135
Thu, 16 Oct 2003 14:05:41 GMT+0100 Unrecognized access from 81.97.62.18:3779 to TCP port 135
Thu, 16 Oct 2003 14:05:46 GMT+0100 Unrecognized access from 81.97.62.18:3779 to TCP port 135
Thu, 16 Oct 2003 14:06:39 GMT+0100 Unrecognized access from 81.99.24.179:3121 to TCP port 135
Thu, 16 Oct 2003 14:06:42 GMT+0100 Unrecognized access from 81.99.24.179:3121 to TCP port 135
Thu, 16 Oct 2003 14:06:48 GMT+0100 Unrecognized access from 81.99.24.179:3121 to TCP port 135
Thu, 16 Oct 2003 14:07:06 GMT+0100 Unrecognized access from 81.99.5.121:1265 to TCP port 135
Thu, 16 Oct 2003 14:07:09 GMT+0100 Unrecognized access from 81.99.5.121:1265 to TCP port 135
Thu, 16 Oct 2003 14:07:15 GMT+0100 Unrecognized access from 81.99.5.121:1265 to TCP port 135
Thu, 16 Oct 2003 14:07:53 GMT+0100 Unrecognized access from 81.97.103.221:3415 to TCP port 135
Thu, 16 Oct 2003 14:07:55 GMT+0100 Unrecognized access from 81.97.103.221:3415 to TCP port 135
Thu, 16 Oct 2003 14:08:01 GMT+0100 Unrecognized access from 81.97.103.221:3415 to TCP port 135
Thu, 16 Oct 2003 14:08:50 GMT+0100 Unrecognized access from 81.100.153.1:20051 to TCP port 135
Thu, 16 Oct 2003 14:08:54 GMT+0100 Unrecognized access from 81.100.153.1:20051 to TCP port 135
Thu, 16 Oct 2003 14:09:00 GMT+0100 Unrecognized access from 81.100.153.1:20051 to TCP port 135
Thu, 16 Oct 2003 14:10:05 GMT+0100 Unrecognized access from 81.97.189.91:4123 to TCP port 135
Thu, 16 Oct 2003 14:10:08 GMT+0100 Unrecognized access from 81.97.189.91:4123 to TCP port 135
Thu, 16 Oct 2003 14:10:14 GMT+0100 Unrecognized access from 81.97.189.91:4123 to TCP port 135
Thu, 16 Oct 2003 14:12:13 GMT+0100 Unrecognized access from 81.98.100.108:4905 to TCP port 135

garyeuph
16-10-2003, 15:02
As long as the VPN is set up to use TCP/IP, and remember that VPN isn't "allowed" on residential NTL Services.

Read their AUP.


Also Windows 2K servers on which Exchange server sits need RPC (Port 135) to function properly so although it can be protected it can't be actually "Closed".

http://www.microsoft.com/technet/security/bulletin/MS00-066.asp

"Would it be possible to prevent the attack by disabling the RPC service?

It is not practical to disable the RPC service on a Windows 2000 server. RPC is an integral part of the Operating System and many services will not function with RPC disabled."

The AUP does allow VPN, they just do not support it!

Alan Waddington
16-10-2003, 18:45
I can't access my pipex dialup mailbox no more...

But it turns out that pipex's mailservers are borked, so it's not due to NTL blocking 135. I didn't think it would be, but it gave me a bad moment.

BBKing
16-10-2003, 21:59
For the uninitiated like me, what's the significance of blocking port 135?

Which programs use that port?

Exchange is a very small part of what 135 is used for - the significance for ntl (and other ISPs, and all internet users) is that it:

1) is left open by default on MS Windows installs
2) connects to parts of Windows that are prone to very serious bugs that can lead to machines being taken over.

This has led to it being used as a method of infecting Windows machines with viruses which cause degradation to service on the internet, which naturally ntl isn't too happy with (as it puts up the call rate and makes the customers very unhappy, and, contrary to public opinion, we like happy customers). So blocking it off *should*:

1) reduce the number of new infections, as your nice shiny new Windows install won't instantly get infected
2) reduce the number of hits on people's firewalls
3) give us some breathing space to get round to disinfecting everyone who's infected.

Shaun
16-10-2003, 22:03
Exchange is a very small part of what 135 is used for - the significance for ntl (and other ISPs, and all internet users) is that it:

1) is left open by default on MS Windows installs
2) connects to parts of Windows that are prone to very serious bugs that can lead to machines being taken over.

This has led to it being used as a method of infecting Windows machines with viruses which cause degradation to service on the internet, which naturally ntl isn't too happy with (as it puts up the call rate and makes the customers very unhappy, and, contrary to public opinion, we like happy customers). So blocking it off *should*:

1) reduce the number of new infections, as your nice shiny new Windows install won't instantly get infected
2) reduce the number of hits on people's firewalls
3) give us some breathing space to get round to disinfecting everyone who's infected.

So when I suggested it and was shot down with people saying that it was a really stupid idea, I was in fact right.

If this is so why on earth was it not implemented earlier???

MetaWraith
16-10-2003, 22:39
ummmmm take your pick of possible reasons, corporate stupidity, tightfistedness, sheer incompetence are some that may just possibly make my top 10 list, especially as the vulnerability was known about and a patch available way back in June.

downquark1
16-10-2003, 23:12
So when I suggested it and was shot down with people saying that it was a really stupid idea, I was in fact right.

If this is so why on earth was it not implemented earlier???
It is not a great idea because it will cut off some of Microsoft's services (uncommon though they may be).

Microsoft should never have left the port open in the first place, they should have included the option of opening it only when necessary.

Although now I admit the best thing to do is probably for Ntl to block it.

Tiptoes
17-10-2003, 10:02
It is not a great idea because it will cut off some of Microsoft's services (uncommon though they may be).

Microsoft should never have left the port open in the first place, they should have included the option of opening it only when necessary.

Although now I admit the best thing to do is probably for Ntl to block it.


Yay... no more of those Windows pop-up messages.


PS thanks Gaz for looking that up, I just didn't have the time yesterday.....

I was going off what an earlier post said....

Has anyone here used or tried Outlook Web Access on Exchange Server to collect their mail?

garyeuph
17-10-2003, 10:36
Yay... no more of those Windows pop-up messages.


PS thanks Gaz for looking that up, I just didn't have the time yesterday.....

I was going off what an earlier post said....

Has anyone here used or tried Outlook Web Access on Exchange Server to collect their mail?

yes, it works really well - no different really to using Outlook

BBKing
17-10-2003, 18:32
corporate stupidity, tightfistedness, sheer incompetence

I have to take issue with this. One of the main reasons it wasn't implemented earlier is that ntl wanted to continue to offer an unblocked service where all ports were available, however sadly it seems that however much one would like to offer this, the reality is that the service would be better for the majority if this port were blocked, as no matter how much education you do there are people out there who don't know how to (or can't) patch their machines before putting them on the network. Stopping them being infected is the main reason for this, with several thousand installs a week it should cut the infection rate a lot and we can get the CSRs back to dealing with day to day issues, not the consequences of Microsoft's built-in insecurity.

ntluser
17-10-2003, 18:50
I have to take issue with this. One of the main reasons it wasn't implemented earlier is that ntl wanted to continue to offer an unblocked service where all ports were available, however sadly it seems that however much one would like to offer this, the reality is that the service would be better for the majority if this port were blocked, as no matter how much education you do there are people out there who don't know how to (or can't) patch their machines before putting them on the network. Stopping them being infected is the main reason for this, with several thousand installs a week it should cut the infection rate a lot and we can get the CSRs back to dealing with day to day issues, not the consequences of Microsoft's built-in insecurity.

With all the practice they have had on writing operating systems you would think that Microsoft would actually get one right without the need for numerous patches.

One has to question whether such a product is of merchantable quality and asking if customers, retailers and wholesalers should be sending the products back to Microsoft with instructions to get them fixed.

It's ironic that the latest viruses have actually done more damage to Windows 2000 and Windows XP and that older products such as the Windows 98SE which I have are more resistant. Is this an example of retrograde progression where as we move forward the products actually get worse?

MetaWraith
17-10-2003, 22:21
If they actually got it right, we wouldn't need to upgrade, have firewalls, antivirus products etc and whole sections of industry would go into rapid decline. It seems sometimes that our society is actually based on being first to ship a shoddy product to the masses and then build whole support industries around it. A cynic's view I know, but it does seem to correlate with observation.

homealone
17-10-2003, 22:44
If they actually got it right, we wouldn't need to upgrade, have firewalls, antivirus products etc and whole sections of industry would go into rapid decline. It seems sometimes that our society is actually based on being first to ship a shoddy product to the masses and then build whole support industries around it. A cynic's view I know, but it does seem to correlate with observation.

imo the pressure to produce the product to a deadline causes the mistakes. I bet there is some guy in a back room shouting "it is not ready" - and being ignored because the launch date has been "agreed" - classic triumph of marketing over common sense, I think:)

ntluser
17-10-2003, 22:50
imo the pressure to produce the product to a deadline causes the mistakes. I bet there is some guy in a back room shouting "it is not ready" - and being ignored because the launch date has been "agreed" - classic triumph of marketing over common sense, I think:)

I think that you are right. I just wish they would complete the product correctly and give it good field trials and testing before launching it on the public. We are buying their products in the millions now and they are flawed. We'd probably buy a lot more if they worked properly.

BBKing
19-10-2003, 16:19
They don't help themselves much though, I remember the Windows 2003 Server launch where the MS top brass trumpeted that it was written from the ground up with security in mind - can you say hostage to fortune? Needless to say, the first security hole followed shortly. Egg on the face all round.

2003 Server is a big improvement, though, in that practically anything interesting is turned off by default, which is a step forward. However, you won't see this on your own desktop for a bit, so XP SP2 is the next big upgrade, let's see what's in that from a security perspective.

Win2k/XP are being targeted now as they're getting more and more common (XP's been out nearly two years, so most modern PCs will be running it). Certainly anyone buying a new P4 PC (you need a P4 to make the internet work right, of course*) to connect to their new BB connection will have XP on it, and probably get infected straight off.

ntluser - the sad thing is that we'll fill the pockets of these guys whether or not they get it right, that's what they bank on. Going Open Source will really worry them though.

* this is irony

Chimaera
19-10-2003, 16:39
Well it seems to be working - no attacks on port 135 logged since 3 am this morning - up till then it was one every couple of minutes or so. :)

ntluser
19-10-2003, 18:07
They don't help themselves much though, I remember the Windows 2003 Server launch where the MS top brass trumpeted that it was written from the ground up with security in mind - can you say hostage to fortune? Needless to say, the first security hole followed shortly. Egg on the face all round.

2003 Server is a big improvement, though, in that practically anything interesting is turned off by default, which is a step forward. However, you won't see this on your own desktop for a bit, so XP SP2 is the next big upgrade, let's see what's in that from a security perspective.

Win2k/XP are being targeted now as they're getting more and more common (XP's been out nearly two years, so most modern PCs will be running it). Certainly anyone buying a new P4 PC (you need a P4 to make the internet work right, of course*) to connect to their new BB connection will have XP on it, and probably get infected straight off.

ntluser - the sad thing is that we'll fill the pockets of these guys whether or not they get it right, that's what they bank on. Going Open Source will really worry them though.

* this is irony

Am I right in thinking that even with appropriate firewalls and anti-virus software, users with Windows 2000 & XP will still get infected?

It's just that I'm hoping to get a new PC early next year and before I connect I'd be installing my present firewall set-up. I'd be a bit narked if having set up my defences ( which work brilliantly on my current dated Windows 98 PC) the virus walks right through them because of a security vulnerability in the proposed operating system (XP professional).

It will be interesting to see what the effect of going open source is but given the number of vulnerabilities one does wonder just how good the code is.

But you are right we have paid and will no doubt continue to pay for below par programs. Shame that you can't pay in a currency which diminishes in value every time a patch is issued. ;)

They'd probably end up paying us money!!

Chimaera
19-10-2003, 18:20
Well I have McAfee SecurityCenter - and no problems so far - and running Windoze XP Home too!

(Fingers crossed it stays that way......;) )

Tiptoes
22-10-2003, 20:13
With all the practice they have had on writing operating systems you would think that Microsoft would actually get one right without the need for numerous patches.

One has to question whether such a product is of merchantable quality and asking if customers, retailers and wholesalers should be sending the products back to Microsoft with instructions to get them fixed.

It's ironic that the latest viruses have actually done more damage to Windows 2000 and Windows XP and that older products such as the Windows 98SE which I have are more resistant. Is this an example of retrograde progression where as we move forward the products actually get worse?


MS OSes are like those net shopping bags your gran used to get her veg in from the Fruit and Veg Shop.

The bags aren't any different, they are just bigger bags where the holes are proportional to the weight of twine used.

ntluser
22-10-2003, 21:18
MS OSes are like those net shopping bags your gran used to get her veg in from the Fruit and Veg Shop.

The bags aren't any different, they are just bigger bags where the holes are proportional to the weight of twine used.

Using the same analogy i.e. that the products are full of holes it's a pity that we cannot return the favour and pay for them with metal washers!! ;)

altis
23-10-2003, 09:25
Seems to be working here too - but watch out port 445, you're next!
Thu, 23 Oct 2003 04:53:44 GMT+0100 Unrecognized access from 200.68.76.177:1025 to UDP port 137
Thu, 23 Oct 2003 04:58:48 GMT+0100 Unrecognized access from 81.97.107.26:1092 to TCP port 445
Thu, 23 Oct 2003 04:58:51 GMT+0100 Unrecognized access from 81.97.107.26:1092 to TCP port 445
Thu, 23 Oct 2003 05:07:25 GMT+0100 Unrecognized access from 200.60.238.60:1032 to UDP port 137
Thu, 23 Oct 2003 05:07:31 GMT+0100 Unrecognized access from 81.97.156.106:4540 to TCP port 445
Thu, 23 Oct 2003 05:07:34 GMT+0100 Unrecognized access from 81.97.156.106:4540 to TCP port 445
Thu, 23 Oct 2003 05:15:59 GMT+0100 Unrecognized access from 81.97.107.26:1264 to TCP port 445
Thu, 23 Oct 2003 05:16:02 GMT+0100 Unrecognized access from 81.97.107.26:1264 to TCP port 445
Thu, 23 Oct 2003 06:31:19 GMT+0100 Unrecognized access from 193.220.44.181:4088 to TCP port 445
Thu, 23 Oct 2003 06:31:22 GMT+0100 Unrecognized access from 193.220.44.181:4088 to TCP port 445
Thu, 23 Oct 2003 06:44:44 GMT+0100 Unrecognized access from 210.65.54.89:1026 to UDP port 137
Thu, 23 Oct 2003 06:50:57 GMT+0100 Unrecognized access from 80.202.112.9:52590 to UDP port 137
Thu, 23 Oct 2003 06:59:37 GMT+0100 Unrecognized access from 218.165.53.131:61750 to UDP port 137
Thu, 23 Oct 2003 07:02:47 GMT+0100 Unrecognized access from 61.228.49.60:1027 to UDP port 137
Thu, 23 Oct 2003 07:21:42 GMT+0100 Unrecognized access from 81.97.182.63:2165 to TCP port 445
Thu, 23 Oct 2003 07:21:45 GMT+0100 Unrecognized access from 81.97.182.63:2165 to TCP port 445
Thu, 23 Oct 2003 07:26:19 GMT+0100 Unrecognized access from 213.77.140.212:1032 to UDP port 137
Thu, 23 Oct 2003 07:45:03 GMT+0100 Unrecognized access from 218.21.136.129:1028 to UDP port 137
Thu, 23 Oct 2003 07:54:03 GMT+0100 Unrecognized access from 81.97.85.15:1183 to TCP port 445
Thu, 23 Oct 2003 07:54:06 GMT+0100 Unrecognized access from 81.97.85.15:1183 to TCP port 445
Thu, 23 Oct 2003 08:04:18 GMT+0100 Unrecognized access from 81.97.182.63:2986 to TCP port 445
Thu, 23 Oct 2003 08:04:21 GMT+0100 Unrecognized access from 81.97.182.63:2986 to TCP port 445
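
As an added example (not part of the original thread or any poster's own code), this Python script parses the router log format shown in the two log posts above, collapses repeat lines from the same source address and port within a short window, and counts connection attempts per destination port per day. The sample lines are constructed with documentation-range addresses; the 30-second window and the reading of repeats as retransmissions of one attempt are assumptions.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample in the router log format quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not hosts from the thread.
SAMPLE_LOG = """\
Thu, 16 Oct 2003 13:57:50 GMT+0100 Unrecognized access from 192.0.2.10:4035 to TCP port 135
Thu, 16 Oct 2003 13:57:53 GMT+0100 Unrecognized access from 192.0.2.10:4035 to TCP port 135
Thu, 16 Oct 2003 13:57:59 GMT+0100 Unrecognized access from 192.0.2.10:4035 to TCP port 135
Thu, 16 Oct 2003 13:58:28 GMT+0100 Unrecognized access from 198.51.100.7:1025 to UDP port 137
Thu, 16 Oct 2003 14:01:12 GMT+0100 Unrecognized access from 192.0.2.44:3412 to TCP port 445
Thu, 16 Oct 2003 14:01:15 GMT+0100 Unrecognized access from 192.0.2.44:3412 to TCP port 445
Thu, 16 Oct 2003 14:02:09 GMT+0100 Unrecognized access from 203.0.113.5:3735 to TCP port 135
this line is not a log entry and is skipped
Thu, 23 Oct 2003 04:58:48 GMT+0100 Unrecognized access from 192.0.2.44:1092 to TCP port 445
Thu, 23 Oct 2003 04:58:51 GMT+0100 Unrecognized access from 192.0.2.44:1092 to TCP port 445
Thu, 23 Oct 2003 05:07:25 GMT+0100 Unrecognized access from 198.51.100.7:1032 to UDP port 137
"""

LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) GMT[+-]\d{4} "
    r"Unrecognized access from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)

Event = namedtuple("Event", "when src sport proto dport")


def parse_log(text):
    """Return one Event per well-formed log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            # All lines carry the same UTC offset, so it is ignored here.
            when=datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S"),
            src=m["src"],
            sport=int(m["sport"]),
            proto=m["proto"],
            dport=int(m["dport"]),
        ))
    return events


def collapse_retries(events, window=timedelta(seconds=30)):
    """Keep the first line of each burst from one source address and port.

    Assumption: lines with the same source IP, source port, protocol and
    destination port that follow each other within `window` are repeats
    of a single connection attempt, so they count once.
    """
    last_seen = {}
    attempts = []
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.src, ev.sport, ev.proto, ev.dport)
        prev = last_seen.get(key)
        if prev is None or ev.when - prev > window:
            attempts.append(ev)
        last_seen[key] = ev.when
    return attempts


def attempts_per_day(events):
    """Map ISO date -> {"PROTO/port": number of distinct attempts}."""
    per_day = defaultdict(Counter)
    for ev in collapse_retries(events):
        per_day[ev.when.date().isoformat()][f"{ev.proto}/{ev.dport}"] += 1
    return {day: dict(counts) for day, counts in per_day.items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} log lines, {len(collapse_retries(parsed))} attempts")
    for day, counts in sorted(attempts_per_day(parsed).items()):
        print(day, counts)
```

Comparing the per-day counts for TCP/135 before and after the block date shows whether the filter is in effect upstream of the router, while the remaining TCP/445 and UDP/137 counts show what still reaches it.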

duncant403
23-10-2003, 09:44
Seems to be working here too - but watch out port 445, you're next!

Nope. Port 445 is used for https and so it can't be blocked.

Tiptoes
23-10-2003, 17:21
137 netbios scan

BBKing
23-10-2003, 18:06
HTTPS is 443, not 445.

Also, how many people run HTTPS on their PCs?

Tiptoes
23-10-2003, 18:57
HTTPS is 443, not 445.

Also, how many people run HTTPS on their PCs?


The IP addy of one of those listed belongs to
-------------------------------------------------
inetnum: 81.97.0.0 - 81.97.191.255
netname: NTL
descr: NTL Standalone CM - Baguley
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
changed: hostmaster@ntli.net 20020731
source: RIPE

route: 81.96.0.0/12
descr: NTL-UK-IP-BLOCK
origin: AS5089
mnt-by: AS5089-MNT
changed: hostmaster@ntli.net 20020614
source: RIPE

role: NTLI Network Management Centre
address: NTL Internet
address: Crawley Court
address: Winchester
address: Hampshire
address: SO21 2QA
trouble: ----------------------------------------------


Can someone confirm this is one of NTL's OWN servers?

It appears to be running with the following ports open

25
110
113
139
445
1025 ****

***Basically the Win2K server on the NTL network could be infected with any number of trojans using this port, "always open" to spread itself via the SMB over TCP.

There is only one reason the server would need to use 445: if it was trying to connect to other PC systems.

Win2K does use 1025 for the Distributed Transaction Coordinator service, which is enabled by default on a Windows 2000 server, but it opens TCP port 3372 and a single TCP port higher than 1023 (i.e. likely to be 1025).

I scanned all ports up to 6000 (using another ISP) and 3372 isn't open, so it may not be that particular service.

So based on the scan I did my conclusion is it is likely to be infected.
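A way to triage a firewall log in the format posted earlier in the thread, as an added example that is not part of any poster's message: it counts probes per port and picks out sources inside the inetnum range from the whois output above. The sample lines are constructed, and treating a repeat from the same source port as a retransmission is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Line format of the firewall log posted earlier in the thread.
LINE_RE = re.compile(
    r"Unrecognized access from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)"
)

# inetnum range copied from the whois output quoted in the post above.
RANGE_FIRST = ipaddress.ip_address("81.97.0.0")
RANGE_LAST = ipaddress.ip_address("81.97.191.255")

# Constructed sample lines in the same format (not the poster's log).
SAMPLE_LOG = """\
Thu, 23 Oct 2003 06:44:44 GMT+0100 Unrecognized access from 192.0.2.10:1026 to UDP port 137
Thu, 23 Oct 2003 07:21:42 GMT+0100 Unrecognized access from 81.97.10.20:2165 to TCP port 445
Thu, 23 Oct 2003 07:21:45 GMT+0100 Unrecognized access from 81.97.10.20:2165 to TCP port 445
Thu, 23 Oct 2003 07:54:03 GMT+0100 Unrecognized access from 81.97.200.5:1183 to TCP port 445
Thu, 23 Oct 2003 08:00:00 GMT+0100 some unrelated line
"""


def summarise(log_text):
    """Return (attempts per (proto, port), attempts per source inside the range)."""
    per_port, in_range, seen = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a probe line
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # e.g. an octet above 255
        # Assumption: the same source ip:port hitting the same port again is a
        # retransmitted SYN, so it counts as one connection attempt.
        key = (m["src"], m["sport"], m["proto"], m["dport"])
        if key in seen:
            continue
        seen.add(key)
        per_port[(m["proto"], int(m["dport"]))] += 1
        if RANGE_FIRST <= src <= RANGE_LAST:
            in_range[m["src"]] += 1
    return per_port, in_range


if __name__ == "__main__":
    ports, local = summarise(SAMPLE_LOG)
    print(dict(ports), dict(local))
```
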

Tiptoes
23-10-2003, 19:06
Just checked the RDNS and it seems to be an NTL customer in Runcorn.

BBKing
23-10-2003, 19:50
That range is rather large for our own servers (which tend to be Solaris/Linux in the main).

It's actually a superset of ranges used for the standalone cable modem service in the North West, so having a customer from Runcorn on it is quite possible. Here's hoping he drops into the Walled Garden soon.

Tiptoes
23-10-2003, 19:58
The other 81... IP is from Stretford

I checked the IP range and realised they were Linux servers from some weblogs I picked up on.

iadom
23-10-2003, 20:03
Well, the 135 scans have died down, now I have a rash of 137 and several 445 hits. It makes a nice change that the large number of 137s are from all over the world, not just NTL IPs.

DeadKenny
23-10-2003, 21:09
The only concern I've got is not NTL blocking a specific port, but once they start with one port, they could start blocking others. I'd rather NTL retained their "no blocking" policy (though I'd also like it if they stopped using transparent web proxies... or at least fix them).

As for port 135, well okay, there are ways around it and if it's only used for Exchange then just use VPN. Any corporate with any sense wouldn't open it to the outside world without tunnelling using VPN or SSH anyway.

VPN is "allowed" on NTL... or at least it's not disallowed. It's just not supported. All the AUP says is that NTL reserve the right to stop you using it if it causes network problems. I'm not aware that VPN could cause them problems (nowhere near as many as all these worms and P2P software).

Blocking port 135 is a short term solution as the hackers move on to other ports.

I don't think NTL should do anything and just leave it up to the users to get firewalls and Microsoft to patch things up and educate their users. If NTL really want to do something, maybe they should buy firewalls for their customers (Barclays did that for a while).

Unix is not invulnerable either. There's a flaw (one of many) in many Linux router kernels open to ICMP attacks. Being routers they're often forgotten about.

The real solution to all this is to prosecute the hackers.

duncant403
24-10-2003, 09:30
HTTPS is 443, not 445.

Also, how many people run HTTPS on their PCs?

Ah, it must just be my firewall that uses 445 for https. However, if NTL started blocking other ports, it wouldn't just stop connections into your machine - it would also block connections out of your machine.

altis
26-05-2004, 14:14
Sorry to resurrect an old thread but...

Is port blocking still implemented?

On which ports?

Where is the block (incoming, outgoing, whatever)?

quadplay
26-05-2004, 16:43
Yes it is. The ports being blocked (inbound only) are:


137 (UDP)
138 (UDP)
139 (TCP)
445 (UDP & TCP)
593 (TCP)
1433 (TCP)
1434 (UDP)
27374 (TCP)


Data on these ports is blocked by the Cable Modem. HTH!

Paul
26-05-2004, 20:16
In the case of TCP it is only incoming SYN requests that are being blocked so you can establish outgoing connections ok (which should allow you to use Exchange ok) - oh, and Jimbo has actually missed port 135 (TCP) from the above list ;)

quadplay
26-05-2004, 21:22
Oops, so I did!
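A model of the filter as the posts above describe it (inbound only, listed ports, TCP blocked at the incoming SYN), as an added example that is not NTL's configuration or any poster's code. Reading "SYN request" as SYN set with ACK clear, and treating the UDP filter as stateless, are assumptions; the function names are hypothetical.

```python
# Inbound block list as posted in the thread, with 135/TCP from the follow-up.
BLOCKED_TCP = {135, 139, 445, 593, 1433, 27374}
BLOCKED_UDP = {137, 138, 445, 1434}


def modem_passes(pkt):
    """Return True if the modelled cable-modem filter forwards the packet.

    pkt keys: direction ('in' or 'out', seen from the customer), proto
    ('tcp' or 'udp'), dport, and for TCP a set of flags such as {'SYN'}.
    """
    if pkt["direction"] != "in":
        return True  # the block is inbound only
    if pkt["proto"] == "udp":
        # Assumption: stateless match on destination port, so a reply
        # addressed to a listed port is dropped as well.
        return pkt["dport"] not in BLOCKED_UDP
    if pkt["proto"] == "tcp":
        flags = pkt.get("flags", set())
        # Assumption: "SYN request" means SYN set and ACK clear.
        connection_request = "SYN" in flags and "ACK" not in flags
        return not (connection_request and pkt["dport"] in BLOCKED_TCP)
    return True


def handshake_completes(initiator, server_port, client_port=1025):
    """Walk SYN, SYN-ACK, ACK through the filter.

    initiator='customer': the customer connects out to server_port.
    initiator='remote': a remote host connects in to the customer's server_port.
    """
    to_server, to_client = ("out", "in") if initiator == "customer" else ("in", "out")
    steps = [
        {"direction": to_server, "proto": "tcp", "dport": server_port, "flags": {"SYN"}},
        {"direction": to_client, "proto": "tcp", "dport": client_port,
         "flags": {"SYN", "ACK"}},
        {"direction": to_server, "proto": "tcp", "dport": server_port, "flags": {"ACK"}},
    ]
    return all(modem_passes(p) for p in steps)


if __name__ == "__main__":
    print("outbound to 135:", handshake_completes("customer", 135))
    print("inbound to 135:", handshake_completes("remote", 135))
```

The outbound case passes because the only inbound packet in that handshake is a SYN-ACK addressed to the customer's ephemeral port, which is why an outgoing Exchange connection still works.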

bobby
27-05-2004, 02:13
81 is North west.
mine is 81.97... etc

Stockport in Manchester

Paul
27-05-2004, 03:29
81 is North west.
mine is 81.97... etc

Stockport in Manchester

:confused:

BBKing
27-05-2004, 07:03
NTL have a block of addresses starting with 81 (.96 to .111 IIRC) but it definitely isn't limited to the North-West - we just happened to add a load of new addressing in that area while working through that range.

81.97 is, however, entirely in the NW, from Burnley to Stoke, Birkenhead to Ashton.

td444
31-05-2004, 12:19
Here's a much better solution:

How about Microsoft don't have the port open by default???
Wouldn't that destroy SMB?

downquark1
31-05-2004, 12:37
Wouldn't that destroy SMB?
I don't see why. If you know how to use SMB you know how to open the port.

Same thing with their messenger service.

Paul
31-05-2004, 13:05
Port 135 is not SMB, it is the RPC service which is an integral part of the OS. :cool:

It would be a bit like saying you could stop people hacking into a web server by not opening port 80 on it :D

td444
31-05-2004, 15:52
I don't see why. If you know how to use SMB you know how to open the port.

Same thing with their messenger service.
Have you ever tried reconfiguring SMB in Windows to use another port? It doesn't work like that. My point is, you can't just go blocking off ports within the operating system, other applications can make use of them too.