«
»

TCP/135 (Microsoft RPC) traffic


One of the protocols monitored in FireGen (www.firegen.com) is TCP/135 used by Microsoft RCP (Remote Procedure Call). The reason for this is the fact that RPC had a few vulnerabilities exploited in large scale attacks against systems running Microsoft Windows. Every day we can see attempts to connect to this port, all of them from IP addresses coming from China (121.14.212.x, 122.224.5.x, etc…). The question is, are these just infected computers randomly checking remote hosts for “holes” or are they directed by people? One can add these IPs to the “Monitored IPs” list in FireGen and see if they keep showing up.

Tags:

This entry was posted on September 29, 2008 at 1:51 pm and is filed under Firewall log analysis. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a comment