Author Topic: svchost.exe ms-rpc port 135 - lsass.exe port 500 UDP - System port nbname(137)  (Read 11996 times)
freshhh
« on: January 26, 2008, 07:10:44 PM »

Comodo Firewall used: CFP_Setup_3.0.15.277_XP_Vista_x32
Windows XP SP2, fully updated.

A few minutes after being online after a reinstall (I removed the old one before), the firewall asked me to accept or deny these connections:

svchost.exe - 124.207.131.91 - ms-rpc - port 135
svchost.exe - 61.151.254.31 - ms-rpc - port 135
svchost.exe - 118.0.40.26 - ms-rpc - port 135 (Japan)
svchost.exe - 83.132.170.196 - ms-rpc - port 135 (Portugal)
svchost.exe - 212.199.8.65 - ms-rpc - port 135 (Israel, Tel Aviv)

lsass.exe - 193.190.208.38 - UDP - port 500

Application: System - Remote: 71.243.237.212 - UDP - port nbname(137) (Verizon Internet Services Inc.)

64.15.206.217 - MS-ds - 3478
83.97.212.427 - MS-ds - 445


How come this is not blocked by default?

I did a whois and it seems those IPs are from China, Japan, ... Could it be a hackers' scan?

I should add that NetBIOS is already deactivated in my operating system...
« Last Edit: January 28, 2008, 03:06:02 AM by freshhh »
ggf31416
« Reply #1 on: January 27, 2008, 01:58:26 PM »

P2P friendly mode means you will be asked about incoming connections, rather than blocking them without prompt.
freshhh
« Reply #2 on: January 27, 2008, 02:27:43 PM »


I confirm that I'm in P2P mode, but since that kind of port request (NetBIOS related) is not required for P2P sharing, I don't understand the need to ask the user... NetBIOS is mostly for network print sharing, ...
« Last Edit: January 28, 2008, 12:32:42 AM by freshhh »
freshhh
« Reply #3 on: January 28, 2008, 03:44:56 PM »


This is also scary, since for Comodo's Firewall svchost.exe and lsass.exe are "safe" tasks... It will auto-accept the request after a while if the user is away from the computer and so hasn't been able to decide for himself what to do...
Bernhard
Guest
« Reply #4 on: June 14, 2008, 10:32:42 PM »

Quote from: freshhh on January 26, 2008, 07:10:44 PM

Gee, this is an old post, but I came across it after I noticed my firewall logging events on port 137, did a Vivisimo search and found this post. The search also gave me hundreds of hits concerning SEVERE security risks associated with these ports: 135, 137 and 445. None offered a solution. My computer (System) is set up allowing me to try whatever I want with impunity, and I can axe whatever I feel like from the registry. If my system crashed I simply re-clone from my backup drive and in a few minutes all is well. The following works with Windows XP:

To get rid of these pesky nbname attempts to make port 137 UDP transmissions I simply axed the key "NameServerPort" (which defines what port nbname wants to use... BEHIND YOUR BACK!):
Click on [Run], type regedit, click [OK].
On the left pane navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters].
While you are there you might as well fix the port 135 problem along with 137: locate the key TransportBindName in the right pane, double-click it and then erase whatever is in the popup, making it blank. Then locate the key NameServerPort in the same pane. I deleted this key and never had another firewall alert again concerning these ports.
To close port 445 navigate on the left pane to the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]. Then on the right pane locate "EnableDCOM"="Y", double-click this key and change the Y to an N.
After that close regedit and reboot. You will never have another svchost or nbname problem again.
Eddoes
« Reply #5 on: July 03, 2008, 01:07:58 PM »

Quote from: Bernhard on June 14, 2008, 10:32:42 PM

Thanks, this helped, but how did you know how to do this?
Ronny
Global Moderator
« Reply #6 on: July 06, 2008, 02:30:15 PM »

Hi freshhh, I'd say it depends on the way the traffic is flowing...

If it is incoming, then they are "attacks" from possibly virus-infected systems, and you can set up a global block rule.
But if it's outgoing, then you are probably infected and trying to "infect" others.

It's not blocked by default because the stealth wizard by default is:
"Ask me for incoming connections, stealth on a per-port basis". If you don't host a webserver or need other incoming traffic, I suggest you set the stealth port wizard to "Block all incoming connections".
This will create a few extra rules in your global firewall policy.
Forum Volunteer - Any concerns? Please send me a PM and/or review the Forum Policy !
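The distinction Ronny draws (incoming vs. outgoing, and whether the peer is a LAN neighbour or an Internet host) is the whole triage for alerts like the ones in the first post, and it can be written down as a small routine. The following Python is an added example written for this page; it is not Comodo's code and nothing posted in the thread. The one-line alert format it parses, the verdict names and the LAN address list are assumptions of the example, and the sample alerts are constructed from the remote addresses freshhh listed (including the malformed one, so the script shows how a bad entry is handled without aborting the review).

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports discussed in the thread and the service each one carries.
WATCHED_PORTS = {
    135: "ms-rpc (RPC endpoint mapper / DCOM)",
    137: "nbname (NetBIOS name service)",
    138: "nbdatagram (NetBIOS datagram)",
    139: "nbsession (SMB over NetBIOS)",
    445: "microsoft-ds (SMB directly over TCP)",
    500: "isakmp (IPsec key exchange, handled by lsass.exe)",
}

# Address ranges a home/office PC legitimately shares files with (assumption of the example).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "169.254.0.0/16",                                  # link-local / APIPA
    "127.0.0.0/8",                                     # loopback
)]


@dataclass(frozen=True)
class Alert:
    direction: str   # "in": remote host initiated; "out": local process initiated
    app: str
    remote_ip: str
    proto: str
    port: int


def parse_alert(line: str) -> Alert:
    """Parse the constructed one-line format '<in|out> <app> <remote ip> <TCP|UDP> <port>'."""
    direction, app, remote_ip, proto, port = line.split()
    return Alert(direction.lower(), app, remote_ip, proto.upper(), int(port))


def is_lan(ip_text: str) -> bool:
    """True when the address falls in one of LAN_NETWORKS. Raises ValueError on a malformed IP."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in LAN_NETWORKS)


def assess(alert: Alert) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: ignore, malformed, allow-lan, block, investigate."""
    service = WATCHED_PORTS.get(alert.port)
    if service is None:
        return "ignore", f"{alert.proto} {alert.port} is not one of the ports under discussion"
    try:
        lan = is_lan(alert.remote_ip)
    except ValueError:
        # e.g. an octet above 255; one bad entry must not abort the whole review
        return "malformed", f"{alert.remote_ip!r} is not a valid IP address"
    if alert.direction == "in":
        if lan:
            return "allow-lan", f"inbound {service} from a LAN host; needed for file and printer sharing"
        return ("block", f"unsolicited inbound {service} from an Internet host; background scanning noise, "
                         "a 'block all incoming connections' rule silences it without prompting")
    if lan:
        return "allow-lan", f"{alert.app} talking {service} to a LAN host"
    return ("investigate", f"{alert.app} initiating {service} towards an Internet host; not normal for a "
                           "client PC, check the machine for infection before allowing it")


def review(lines) -> Counter:
    """Count verdicts over a batch of alert lines (blank lines are skipped)."""
    verdicts = Counter()
    for line in lines:
        if line.strip():
            verdicts[assess(parse_alert(line))[0]] += 1
    return verdicts


# Constructed alerts modelled on the thread; remote addresses are the ones from the first post.
SAMPLE_ALERTS = [
    "in  svchost.exe  124.207.131.91 TCP 135",
    "in  svchost.exe  212.199.8.65   TCP 135",
    "in  lsass.exe    193.190.208.38 UDP 500",
    "in  System       71.243.237.212 UDP 137",
    "in  System       83.97.212.427  TCP 445",   # invalid fourth octet, exactly as typed in the thread
    "in  System       192.168.1.20   UDP 137",   # constructed LAN neighbour
    "out svchost.exe  61.151.254.31  TCP 135",
    "out explorer.exe 192.168.1.5    TCP 445",   # constructed LAN file share
    "out firefox.exe  64.15.206.217  TCP 80",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        verdict, reason = assess(parse_alert(line))
        print(f"{verdict:11} {line:42} {reason}")
    print(dict(review(SAMPLE_ALERTS)))
```

The verdict for an inbound hit on these ports from a public address is always "block" rather than "allow after a timeout", which is the point freshhh raised about the firewall auto-accepting for "safe" processes; the LAN check is what keeps the same rule from breaking shared folders, the concern cist brings up later in the thread.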
hippo9
« Reply #7 on: July 08, 2008, 01:01:07 AM »

Hi Bernhard,
Thank you for your post, it helped a lot...
cist
« Reply #8 on: October 26, 2009, 07:14:08 AM »

Hi

I know that this is a very old topic, but I came across it when I searched for a solution to the exact problem that I have.
Since Bernhard answered very well, I have just a quick question. If and when we disable those ports or related services, aren't we going to be unable to connect to other LAN resources, like connecting to shared folders and accessing various other services on other LAN computers?

Thanks and regards.
Ronny
Global Moderator
« Reply #9 on: October 26, 2009, 07:18:53 AM »

Off the top of my head, if you set this on a client it should still work.
If you configure this on the "server" it will fail.

If you only wish to disable the "old" NetBIOS over TCP ports 137/138/139, thus leaving 445 listening, you can simply set it to disabled on the TCP/IP Properties tab: WINS, select "Disable NetBIOS over TCP/IP".
cist
« Reply #10 on: October 26, 2009, 03:39:44 PM »

Thanks Ronny,

I have 1 XP box, 2 Win7 boxes and 1 Linux box.
Therefore I can safely disable NetBIOS over TCP/IP on all my machines and I am still going to be able to connect to all my boxes at home and use features like shared folders and media streaming in the new Win7, as long as I have 445 open?
Sorry for my ignorance, but I was never that much into Windows LAN networking.
Ronny
Global Moderator
« Reply #11 on: October 26, 2009, 03:47:46 PM »

Well, you can try my suggestion and if it doesn't work you can easily switch it back on.

Are you running a Samba server on the Linux host?
I'm not sure if it's capable of communicating over TCP 445; it could be needing TCP 139 traffic.
cist
« Reply #12 on: October 26, 2009, 04:10:49 PM »

Quote from: Ronny: Are you running a Samba server on the Linux host?
Yes I do.

Quote from: Ronny: Well, you can try my suggestion and if it doesn't work you can easily switch it back on.
Good point though.

I checked under /etc/services and I found this entry: microsoft-ds  445/tcp  #Microsoft Naked CIFS
Therefore I think it should work, right?

Just one last quick question. What did you mean by "If you configure this on the "server" it will fail."?
As far as I understand, every client is potentially a server too, right? Because at one point some PC could be a server to the others when they want to connect to it, and at another time it can be a client because it wants to connect to others.

Anyway, I think I should play around a bit to see the effects, maybe this weekend.

Thanks a lot again.
Ronny
Global Moderator
« Reply #13 on: October 26, 2009, 04:17:48 PM »

Well, to connect to another host's "service" the "client" needs to know what port to ask the "server" for this service; for instance, if you use your browser it will by default ask the "server" on TCP port 80, that's the agreed port for HTTP traffic. If your "client" connects to a shared folder on a "server", depending on its Windows version level it will start to connect on TCP 445 and if that fails it will fall back to TCP 139.

Now if you disable these ports on a "server" it won't be able to share its files anymore.

And yes, "client" and "server" can both be on a system depending on who shares what...
Ronny
Global Moderator
« Reply #14 on: October 26, 2009, 04:21:30 PM »

For the Samba server you can try the following on the Linux host; from a shell type:

netstat -an|grep 445

and see if port TCP 445 is in the LISTENING state.

Repeat this for port 139.

Read here for more about SMB/CIFS
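Ronny's netstat check is the right way to confirm what a host actually answers on, and it is also the verification step a practitioner would want after Bernhard's registry changes earlier in the thread: run `netstat -an` before and after, and compare which of 135/137/138/139/445 are still bound. The Python below is an added example, not something posted in the thread; it parses saved `netstat -an` output in both the Windows XP layout and the Linux net-tools layout, reports which watched ports are open, and answers Ronny's 445-then-139 fallback question for a Samba host. The two sample outputs are constructed, and the function names are the example's own.

```python
# Ports this thread is about; a bound UDP socket or a LISTENing TCP socket on any of them is reported.
WATCHED_PORTS = (135, 137, 138, 139, 445)


def parse_netstat(output: str):
    """Yield (proto, local_ip, local_port, state) for every socket line of `netstat -an` output.

    Two layouts are recognised (the header lines of either are skipped automatically):
      Windows:  TCP    0.0.0.0:445      0.0.0.0:0    LISTENING
      Linux:    tcp    0  0  0.0.0.0:445  0.0.0.0:*  LISTEN
    UDP lines carry no state in either layout and are yielded with state ''.
    """
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto = parts[0].lower()
        if len(parts) >= 4 and parts[1].isdigit() and parts[2].isdigit():
            # Linux net-tools: Proto Recv-Q Send-Q Local Foreign [State]
            local, state = parts[3], (parts[5] if len(parts) > 5 else "")
        else:
            # Windows: Proto Local Foreign [State]
            local, state = parts[1], (parts[3] if len(parts) > 3 else "")
        ip, _, port = local.rpartition(":")   # rpartition keeps IPv6 forms like ':::445' or '[::]:445' intact
        if not port.isdigit():
            continue
        yield proto, ip, int(port), state.upper()


def listeners(output: str, ports=WATCHED_PORTS) -> dict:
    """Map each watched port that is open to the sorted list of 'proto ip' bindings serving it.

    TCP counts only in LISTEN/LISTENING state (an ESTABLISHED line on port 445 is a client
    connection, not a share being offered); a bound UDP socket is always reachable.
    """
    open_ports: dict[int, list[str]] = {}
    for proto, ip, port, state in parse_netstat(output):
        if port not in ports:
            continue
        if proto.startswith("udp") or state in ("LISTEN", "LISTENING"):
            open_ports.setdefault(port, []).append(f"{proto.rstrip('6')} {ip}")
    return {p: sorted(v) for p, v in sorted(open_ports.items())}


def smb_transports(output: str) -> dict:
    """Which SMB transport a client would reach: TCP 445 first, TCP 139 as the fallback Ronny mentions."""
    open_ports = listeners(output, ports=(139, 445))
    return {"tcp445": 445 in open_ports, "tcp139": 139 in open_ports}


# Constructed output in the shape of Windows XP `netstat -an` (default NetBT and SMB bindings present).
WINDOWS_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      64.15.206.217:3478     ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed output in the shape of Linux net-tools `netstat -an` on a Samba host.
LINUX_SAMPLE = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.30:445        192.168.1.10:1041       ESTABLISHED
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
"""

if __name__ == "__main__":
    for name, sample in (("Windows XP", WINDOWS_SAMPLE), ("Linux/Samba", LINUX_SAMPLE)):
        print(name, "open watched ports:", listeners(sample))
        print(name, "SMB transports:", smb_transports(sample))
```

Run it on the real `netstat -an` output of the machine in question (saved to a file and read into `listeners`) before and after a configuration change; if 445 no longer appears for a host that is supposed to serve shares, that is exactly the "configure this on the server and it will fail" case Ronny describes.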