What is up with port 135?

  • Thread starter Thread starter Matt
  • Start date Start date
M

Matt

We had the welchia virus come through with is now cleaned
and the rpc patch has been applied. We even loaded the
second patch that microsoft just released because they
figured out that the first patch for rpc didn't fix all
the vulns of the dcom. So both patches are applied and
there are no more virus. Here's my problem, I know for a
fact DNS is working correctly. Yet Ad when trying to
replicate my second Domain contoller gives me the error:
There are no more endpoints available from the endpoint
mapper. Error 1753. It's almost like DC2 is not
responding to it's own active directory. Like lights on
but nobody's home. Well when NetSTat -an is ran here is
what I get:

Proto Local Address Foreign Address
State
TCP 0.0.0.0:88 0.0.0.0:0
LISTENING
TCP 0.0.0.0:135 0.0.0.0:0
LISTENING
TCP 0.0.0.0:389 0.0.0.0:0
LISTENING
TCP 0.0.0.0:445 0.0.0.0:0
LISTENING
TCP 0.0.0.0:464 0.0.0.0:0
LISTENING
TCP 0.0.0.0:636 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1055 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1057 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1059 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1060 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1061 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1062 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1096 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1097 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1105 0.0.0.0:0
LISTENING
TCP 0.0.0.0:1121 0.0.0.0:0
LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0
LISTENING
TCP 0.0.0.0:5800 0.0.0.0:0
LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0
LISTENING
TCP 10.2.100.2:139 0.0.0.0:0
LISTENING
TCP 10.2.100.2:389 10.2.100.2:2160
TIME_WAIT
TCP 10.2.100.2:389 10.2.100.2:2166
TIME_WAIT
TCP 10.2.100.2:1030 10.2.100.1:1026
ESTABLISHED
TCP 10.2.100.2:2148 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2149 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2150 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2151 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2152 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2153 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2154 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2155 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2156 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2157 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2158 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2159 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2161 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2162 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2167 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2170 10.2.100.2:135
TIME_WAIT
TCP 10.2.100.2:2176 10.2.100.1:389
TIME_WAIT
TCP 10.2.100.2:5900 10.2.254.2:4967
ESTABLISHED
TCP 127.0.0.1:389 127.0.0.1:1059
ESTABLISHED
TCP 127.0.0.1:389 127.0.0.1:1060
ESTABLISHED
TCP 127.0.0.1:389 127.0.0.1:1062
ESTABLISHED
TCP 127.0.0.1:1057 127.0.0.1:389
CLOSE_WAIT
TCP 127.0.0.1:1059 127.0.0.1:389
ESTABLISHED
TCP 127.0.0.1:1060 127.0.0.1:389
ESTABLISHED
TCP 127.0.0.1:1062 127.0.0.1:389
ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1032 *:*
UDP 0.0.0.0:1052 *:*
UDP 0.0.0.0:1056 *:*
UDP 0.0.0.0:1058 *:*
UDP 0.0.0.0:1106 *:*
UDP 0.0.0.0:1187 *:*
UDP 0.0.0.0:2967 *:*
UDP 10.2.100.2:88 *:*
UDP 10.2.100.2:123 *:*
UDP 10.2.100.2:137 *:*
UDP 10.2.100.2:138 *:*
UDP 10.2.100.2:389 *:*
UDP 10.2.100.2:464 *:*
UDP 10.2.100.2:500 *:*


Why is port 135 so popular and in a time wait condition?
 
Yes both are time sync'd. However the first dc is working
correctly. It has 1 port listening for port 135. To where
as the second DC has all these ports linked to 135 and in
time_wait condition.
 
I hope we "cleaned" these machines by rebuilding after being infected and
didn't just use our antivirus software to clean up the virus. After
infection that should be standard to ensure we're not looking at any
backdoor issues left after an attack.

Port 135 is the port on which RPC listens and runs the RPC Endpoint Mapper
(RPCSS) process. The server is listening on port 135 for a remote
procedure call and when one is made the server and the client perform a
negotiation to determine what ports above 1024 they each have available.
They then select a port above 1024 that they have in common and agree to
perform the RPC process on one of these ports.

154596 HOWTO: Configure RPC Dynamic Port Allocation to Work with Firewall
http://support.microsoft.com/?id=154596

The error you're getting could be for numerous reasons - KDC service on one
dc is not working, dns is not properly configured, ports above 1024 not
open, etc. Check to make sure your DCs are properly configured and
operating correctly.

298143 How to Verify an Active Directory Installation
http://support.microsoft.com/?id=298143

291382 Frequently Asked Questions About Windows 2000 DNS and Windows Server
http://support.microsoft.com/?id=291382

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Content-Class: urn:content-classes:message
| From: <[email protected]>
| Sender: <[email protected]>
| References: <[email protected]>
<[email protected]>
| Subject: Re: What is up with port 135?
| Date: Mon, 24 Nov 2003 12:09:03 -0800
| Lines: 152
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
| Thread-Index: AcOyxs6MEgCCKAu1TCSiZwPE3x4evQ==
| Newsgroups: microsoft.public.win2000.active_directory
| Path: cpmsftngxa07.phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.active_directory:56971
| NNTP-Posting-Host: tk2msftngxa09.phx.gbl 10.40.1.161
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Yes both are time sync'd. However the first dc is working
| correctly. It has 1 port listening for port 135. To where
| as the second DC has all these ports linked to 135 and in
| time_wait condition.
|
|
| >-----Original Message-----
| >Maybe not the issue, but are the DC's time-sync'd?
| >
| >Matt wrote:
| >> We had the welchia virus come through with is now
| cleaned
| >> and the rpc patch has been applied. We even loaded the
| >> second patch that microsoft just released because they
| >> figured out that the first patch for rpc didn't fix all
| >> the vulns of the dcom. So both patches are applied and
| >> there are no more virus. Here's my problem, I know for
| a
| >> fact DNS is working correctly. Yet Ad when trying to
| >> replicate my second Domain contoller gives me the
| error:
| >> There are no more endpoints available from the endpoint
| >> mapper. Error 1753. It's almost like DC2 is not
| >> responding to it's own active directory. Like lights on
| >> but nobody's home. Well when NetSTat -an is ran here is
| >> what I get:
| >>
| >> Proto Local Address Foreign Address
| >> State
| >> TCP 0.0.0.0:88 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:135 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:389 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:445 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:464 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:636 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1027 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1030 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1055 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1057 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1059 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1060 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1061 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1062 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1096 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1097 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1105 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:1121 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:3372 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:5800 0.0.0.0:0
| >> LISTENING
| >> TCP 0.0.0.0:5900 0.0.0.0:0
| >> LISTENING
| >> TCP 10.2.100.2:139 0.0.0.0:0
| >> LISTENING
| >> TCP 10.2.100.2:389 10.2.100.2:2160
| >> TIME_WAIT
| >> TCP 10.2.100.2:389 10.2.100.2:2166
| >> TIME_WAIT
| >> TCP 10.2.100.2:1030 10.2.100.1:1026
| >> ESTABLISHED
| >> TCP 10.2.100.2:2148 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2149 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2150 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2151 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2152 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2153 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2154 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2155 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2156 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2157 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2158 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2159 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2161 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2162 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2167 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2170 10.2.100.2:135
| >> TIME_WAIT
| >> TCP 10.2.100.2:2176 10.2.100.1:389
| >> TIME_WAIT
| >> TCP 10.2.100.2:5900 10.2.254.2:4967
| >> ESTABLISHED
| >> TCP 127.0.0.1:389 127.0.0.1:1059
| >> ESTABLISHED
| >> TCP 127.0.0.1:389 127.0.0.1:1060
| >> ESTABLISHED
| >> TCP 127.0.0.1:389 127.0.0.1:1062
| >> ESTABLISHED
| >> TCP 127.0.0.1:1057 127.0.0.1:389
| >> CLOSE_WAIT
| >> TCP 127.0.0.1:1059 127.0.0.1:389
| >> ESTABLISHED
| >> TCP 127.0.0.1:1060 127.0.0.1:389
| >> ESTABLISHED
| >> TCP 127.0.0.1:1062 127.0.0.1:389
| >> ESTABLISHED
| >> UDP 0.0.0.0:445 *:*
| >> UDP 0.0.0.0:1032 *:*
| >> UDP 0.0.0.0:1052 *:*
| >> UDP 0.0.0.0:1056 *:*
| >> UDP 0.0.0.0:1058 *:*
| >> UDP 0.0.0.0:1106 *:*
| >> UDP 0.0.0.0:1187 *:*
| >> UDP 0.0.0.0:2967 *:*
| >> UDP 10.2.100.2:88 *:*
| >> UDP 10.2.100.2:123 *:*
| >> UDP 10.2.100.2:137 *:*
| >> UDP 10.2.100.2:138 *:*
| >> UDP 10.2.100.2:389 *:*
| >> UDP 10.2.100.2:464 *:*
| >> UDP 10.2.100.2:500 *:*
| >>
| >>
| >> Why is port 135 so popular and in a time wait
| condition?
| >
| >
| >.
| >
|
 
Back
Top