Port No | 135 |
Service Name | MSRPC DCOM RPC BO (3) |
RFC Doc | 0 |
Protocol | TCP |
Description | This signature detects attempts to exploit a buffer overflow in Windows RPC DCOM. |
Reference Link | Port Number:135 Service Name:MSRPC DCOM RPC BO (3) Port:TCP |
Attack | According to Symantec:

Resolution: The following workaround has been suggested by the vendor. The following ports should be blocked:

* TCP/UDP Port 135
* TCP/UDP Port 139
* TCP/UDP Port 445

A reliable source has indicated that TCP port 593 is also a potential channel for attacks. Microsoft has not mentioned this port in their revised bulletin. Administrators are advised to filter access to it and to any other ports which are not necessary. The Internet Connection Firewall in Windows XP or Windows Server 2003 will, by default, block inbound RPC traffic.

Disable DCOM on all affected machines

When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers. If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer.

To manually enable (or disable) DCOM for a computer:

1. Run Dcomcnfg.exe. If you are running Windows XP or Windows Server 2003, perform these additional steps:
   * Click on the Component Services node under Console Root.
   * Open the Computers sub-folder.
   * For the local computer, right-click on My Computer and choose Properties.
   * For a remote computer, right-click on the Computers folder and choose New, then Computer. Enter the computer name. Right-click on that computer name and choose Properties.
2. Choose the Default Properties tab.
3. Select (or clear) the Enable Distributed COM on this Computer check box.
4. If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.

To test if ncacn_http is running on port 80 (which may be an additional attack vector), telnet to port 80 and enter:

RPC_CONNECT ip address:593 HTTP/1.0 |