Problem with flooding IP-Firewall-Connections

Hi, I have a problem with flooding connections on my network with 60 PCs.
In MT IP-Firewall-Connections I can see 1000 or more connections like this:
Src Address Dst Address
192.168.1.64:135 192.168.1.59:2701 tcp
192.168.1.64:135 192.168.1.59:2917
192.168.1.64:135 192.168.1.59:2868

192.168.1.57:4554 192.168.1.59:135
192.168.1.57:3535 192.168.1.59:135

192.168.1.57:4304 192.168.1.62:135
192.168.1.57:3318 192.168.1.62:135

192.168.1.58:4930 192.168.1.59:135
… etc.
In a moment 400 connections will be closed and opened again.
On my PC with MT, the CPU load goes like this: 3-4% and suddenly 12-20%
when 200-300 connections are closed or opened.
I turned off the PCs with IPs 192.168.1.57, 59, 62, but again the same problem.
What is port 135 for?
Why is the destination IP a PC on the same network?
I scanned these PCs but I can find no threats!!?

Thx

Port 135 is MS RPC service.

Google search shows Nachi or MSBlast to be most likely culprits.

http://www.linklogger.com/TCP135.htm

I suggest that you block all outbound traffic from your network to dst-port 135 now while you get this sorted.

Regards

Andrew

Thx Andrew
I downloaded the Malicious Software Removal Tool
from Microsoft, but it seems my PCs are clean.
So I did a lot of reading about DCOM and I disabled it.
Also in MT, Firewall, I put a Filter Rule:
Action–drop DstAddress 0.0.0.0/0:135-139
so I can see that now my MT is in better shape.

Thx for help

I wouldn’t just rely on the MS tool. Some of the AV vendors offer online scanning (e.g. Trend). I would scan some of your PCs using those services.

Also, and this is very important, ensure that all MS patches have been applied to your PCs.

Port 445 is also abused in this manner so it’s definitely worth blocking that as well.

Regards

Andrew
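
Added example, not part of the thread: one way to rank which LAN hosts are opening connections to the ports discussed above (135 and 445), working from a connection listing in the "src:port dst:port" form shown in the first post. The sample rows are constructed from addresses in that post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Ports named in the thread: 135 (MS RPC) and 445.
WATCH_PORTS = {135, 445}

# One row of the listing: "src_ip:src_port dst_ip:dst_port [proto]"
ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3}):(\d+)\s+(\d+(?:\.\d+){3}):(\d+)(?:\s+(\w+))?\s*$"
)

# Constructed sample in the same shape as the listing in the first post.
SAMPLE = """\
Src Address Dst Address
192.168.1.64:135 192.168.1.59:2701 tcp
192.168.1.57:4554 192.168.1.59:135
192.168.1.57:3535 192.168.1.59:135
192.168.1.57:4304 192.168.1.62:135
192.168.1.57:3318 192.168.1.62:135
192.168.1.58:4930 192.168.1.59:135
192.168.1.58:4931 192.168.1.60:445 tcp
... etc
"""

def parse_rows(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each well-formed row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, blank and "etc" lines do not match and are skipped
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def rank_initiators(text, ports=WATCH_PORTS):
    """Per source IP: connection count and distinct targets on watched ports."""
    stats = defaultdict(lambda: {"connections": 0, "targets": set()})
    for src, _sport, dst, dport in parse_rows(text):
        if dport in ports:
            stats[src]["connections"] += 1
            stats[src]["targets"].add(dst)
    # Most connections first; ties broken by address for stable output.
    return sorted(
        ((ip, s["connections"], len(s["targets"])) for ip, s in stats.items()),
        key=lambda r: (-r[1], r[0]),
    )

if __name__ == "__main__":
    for ip, conns, targets in rank_initiators(SAMPLE):
        print(f"{ip}: {conns} connections to {targets} host(s) on watched ports")
```

Hosts at the top of the ranking are the ones to scan and patch first, following the advice in the replies above.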