TCP/135 (Microsoft RPC) traffic

One of the protocols monitored in FireGen is TCP/135, used by Microsoft RPC (Remote Procedure Call). The reason is that RPC had a few vulnerabilities exploited in large-scale attacks against systems running Microsoft Windows. Every day we can see attempts to connect to this port, all of them from IP addresses coming from China (121.14.212.x, 122.224.5.x, etc.). The question is: are these just infected computers randomly checking remote hosts for “holes”, or are they directed by people? One can add these IPs to the “Monitored IPs” list in FireGen and see if they keep showing up.
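The "see if they keep showing up" check can also be run directly over firewall deny logs. The sketch below is an added example, not FireGen code or its log format: the line layout, the `recurring_sources` helper and the addresses (documentation ranges) are all constructed. It groups sources by /24, as the post does, and reports the prefixes that probed TCP/135 on more than one day.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines; the "date time action proto src:port -> dst:port"
# layout is an assumption, not a real product's log format.
SAMPLE_LOG = """\
2024-03-01 02:14:07 DENY TCP 198.51.100.17:4312 -> 192.0.2.10:135
2024-03-01 02:14:09 DENY TCP 198.51.100.17:4313 -> 192.0.2.11:135
2024-03-01 09:40:51 DENY TCP 203.0.113.80:51122 -> 192.0.2.10:135
2024-03-01 11:02:33 DENY TCP 203.0.113.99:40100 -> 192.0.2.10:445
2024-03-02 03:55:20 DENY TCP 198.51.100.203:1999 -> 192.0.2.10:135
2024-03-03 01:07:44 DENY TCP 198.51.100.17:2210 -> 192.0.2.12:135
2024-03-03 01:08:00 not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<action>\w+) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(?P<dport>\d+)$"
)

def recurring_sources(log_text, port=135, min_days=2):
    """Return {source /24: sorted days seen} for prefixes that connected to
    `port` on at least `min_days` distinct days."""
    days_by_prefix = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue  # malformed line or a different destination port
        try:
            # Collapse the host to its /24, matching the "121.14.212.x" style.
            prefix = str(ip_network(m["src"] + "/24", strict=False))
        except ValueError:
            continue  # octet out of range, not a usable address
        days_by_prefix[prefix].add(m["day"])
    return {p: sorted(d) for p, d in days_by_prefix.items() if len(d) >= min_days}

if __name__ == "__main__":
    for prefix, days in recurring_sources(SAMPLE_LOG).items():
        print(f"{prefix} seen on {len(days)} days: {', '.join(days)}")
```

A prefix that returns on several days from different hosts (here .17 and .203) is the pattern worth adding to a watch list; a single one-day hit is more likely background scanning noise.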


