
Port 135

 
Sara DeBellis
Occasional Contributor

Port 135

Does anyone know how to shut down port 135? I am seeing tons of traffic on my network. I'm running HP Unix 10.20 (no chance of upgrading). I've gone into inetd.conf and commented out the toolkit line and that didn't seem to have any effect at all. I appreciate any suggestions. The amount of traffic being generated from the one HP Unix box is having a huge impact on the network.

Thanks!
7 REPLIES
Alex Glennie
Honored Contributor

Re: Port 135

Port 135 is rpcd ... there was a security alert out some months back wrt rpcd being impacted by the Blaster worm virus ...

So how are you patched wrt DCE/RPC, and could you have PCs infected with the virus on your network? Just a thought ...

PS: you really don't want to disable rpc or the port it uses, since sdux, amongst other applications, uses it.

Also worth checking syslog.log, using lsof maybe, and taking a peek in /var/opt/dce/svc/*.logs
Sara DeBellis
Occasional Contributor

Re: Port 135

I don't believe a patch has been used at all. The network does not connect to the Internet (or other external device for that matter), so a virus threat wasn't a huge concern.

Any ideas how to reduce the amount of rpcd messages traversing the network if I shouldn't shut down the port?

Thanks!
harry d brown jr
Honored Contributor

Re: Port 135


Shut down DCE or have your network admins block port 135.

Also, if a virus is broadcasting on port 135 then your 10.20 box will rebroadcast that broadcast causing a broadcast storm. The solution is to block it via a network router/switch, upgrade to 11.X and set the tcp broadcast to off (10.20 does not have this ability) or get a version of ipfilter for 10.20.

live free or die
harry
Live Free or Die
Sridhar Bhaskarla
Honored Contributor

Re: Port 135

Hi,

As mentioned, this looks like the effect of the Blaster worm virus. 10.20 is obsoleted, so I am not sure if there were any patches released for this security vulnerability. The best bet is to clean up all the Windows systems that are affected by the Blaster worm if you don't have a choice to upgrade your system.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
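
One way to find the machines to clean up, as an added example that is not part of the original thread: rank the sources of port 135 traffic by how many distinct hosts each one contacts, since a scanning host fans out to many destinations while a normal DCE client talks to a few. It assumes the text output of `tcpdump -n` taken on any host or mirror port that sees the traffic (the thread names no capture tool); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank sources of TCP/UDP port 135 traffic by fan-out.
# Input: text lines from "tcpdump -n" (assumed capture format).
# Output: "<source> <distinct destinations> <packets>", widest fan-out first.

rank_135_sources() {
    awk '
    {
        # Locate the ">" separator so both old and new tcpdump layouts work.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = $(i - 1); dst = $(i + 1)
        sub(/:$/, "", dst)                  # drop the trailing colon
        n = split(dst, d, ".")              # a.b.c.d.port
        if (n != 5 || d[5] != "135") next   # exact port match, not 1350
        sub(/\.[0-9]+$/, "", src)           # strip the source port
        host = d[1] "." d[2] "." d[3] "." d[4]
        pkts[src]++
        if (!((src, host) in seen)) { seen[src, host] = 1; fan[src]++ }
    }
    END { for (s in pkts) print s, fan[s], pkts[s] }
    ' | sort -k2,2nr -k3,3nr
}

# Constructed sample capture (documentation addresses, not real hosts).
sample_capture() {
    cat <<EOF
12:00:01.000001 IP 192.0.2.23.1041 > 192.0.2.1.135: Flags [S], length 0
12:00:01.000102 IP 192.0.2.23.1042 > 192.0.2.2.135: Flags [S], length 0
12:00:01.000203 IP 192.0.2.23.1043 > 192.0.2.3.135: Flags [S], length 0
12:00:01.000304 IP 192.0.2.23.1044 > 192.0.2.4.135: Flags [S], length 0
12:00:02.000001 IP 192.0.2.50.2001 > 192.0.2.10.135: Flags [S], length 0
12:00:02.000102 IP 192.0.2.50.2001 > 192.0.2.10.135: Flags [.], length 0
12:00:02.000203 IP 192.0.2.10.135 > 192.0.2.50.2001: Flags [S.], length 0
12:00:03.000001 IP 192.0.2.60.3001 > 192.0.2.10.1350: Flags [S], length 0
12:00:03.000102 IP 192.0.2.60.3002 > 192.0.2.10.80: Flags [S], length 0
EOF
}

sample_capture | rank_135_sources
```

In the sample, 192.0.2.23 reaches four different hosts with one packet each and sorts to the top, while 192.0.2.50 holds a single conversation with one server.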
Alex Glennie
Honored Contributor

Re: Port 135

latest DCE 1.5 10.20 patch = PHSS_19739 or 19740 for the US.

As far as I'm aware it would be worth applying this patch first ...
Heiner E. Lennackers
Respected Contributor

Re: Port 135

If you need port 135 and you cannot disable it in inetd.conf, you may restrict access to it to a list of trusted IP addresses using the /var/adm/inetd.sec file.
if this makes any sense to you, you have a BIG problem
Geoff Wild
Honored Contributor

Re: Port 135

Another thing to try is to install a firewall on your server:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

Though I don't know if that will work on the ole 10.20....

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.