Brain picker

I keep getting a message from my firewall about an Incoming Connection Alert.

It says the following:-

Someone from dial 81-131-63-6. in-addr.btopenworld.com[81.131.63.6], port 1204 wants to connect to port 135 owned by ‘Generic Host Process for Win32 Services’ on your computer.

The question is, should I allow or deny access to this port?

Thanks in advance.

Well I always look at it this way. If I didn’t make prior arrangements for someone to get access and I don’t know who or what that is, I ALWAYS (no exceptions) say no to connects.

hmmm … wonder if it’s the national lottery trying to verify your winning ticket ? :eek:

Even though I keep hitting the deny access button, this person/persons/company/lowlife/whatever is pretty keen to get onto my machine.

Just done a couple of WHOIS searches (many thanks Vajras for the link) and it looks like whoever it is, is situated in Amsterdam, so that might give me a little clue as to what they are trying to put onto my machine. The dirty bugger.

Enter a state of DENIAL!! DENY DENY DENY!!!

err… ahem… you should not accept any connections you (or your software) did not initiate. All else is attacks by cybersalesmen.

BTW… great sig! :thumbsup:

Thanks Glenn :drink:

…and your own IP is what ?

Originally posted by davepet

I keep getting a message from my firewall about an Incoming Connection Alert.

It says the following:-

Someone from dial 81-131-63-6. in-addr.btopenworld.com[81.131.63.6], port 1204 wants to connect to port 135 owned by ‘Generic Host Process for Win32 Services’ on your computer.

The question is, should I allow or deny access to this port?

Thanks in advance.

Take a look here:

http://forums.teamphoenixrising.net/showthread.php?s=&threadid=17011

Here is some info from work about port 135 access; I have stripped the work detail from it, but it is important.

"Subject: INFO : New ‘Live’ RPC Exploit / LovSan Worm
Importance: High

All

Please note a new malware is currently being detected by the major AV vendors (W32.LovSan / MSBLAST worm) and initial priority has been set to ‘Medium on Watch’. This threat is detected as a variant of Exploit-DcomRpc with the current McAfee 4283 DAT files and tries to exploit the MS03-026 vulnerability (subject of our recent ER6 patching activities).

This threat scans IP ranges to look for target systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the target systems to download and execute the worm via tftp.

We will continue to keep a close eye on any developments as to infection rate, propagation on the Internet and communicate further if required.

I have just made 4283 the minimum DAT requirement to pass through the login script also – currently have approx 80% of known clients reporting in at this DAT version on ePO who will be protected irrespective of ER6 patch status.

Port 135 is blocked on our Internet gateways to prevent external access. Whilst this provides protection for that route, there are no guarantees that a client could not become infected whilst outside the BP network and subsequently connect internally to become a host for this virus to spread within BP, hence the critical focus on ensuring we have protection through both Anti-Virus and M’Soft patch options.

Symptoms

• Presence of unusual TFTP* files
• Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
• Error messages about the RPC service failing (causes system to reboot)
• Client / Server creating excessive communications traffic on port 135

Once run, the worm creates the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“windows auto update” = msblast.exe

I just want to say LOVE YOU SAN!!

Bill"
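The firewall alert quoted in this thread and the two host symptoms in the advisory above can be checked mechanically. The following Python script is an added example, not code from any poster or from the advisory: it parses alert lines in the format the poster's firewall uses, counts repeated attempts on TCP 135 per source address (the scanning behaviour the advisory describes), and evaluates the SYSTEM32 file list and Run key values for the msblast.exe indicators. Only the first alert line is from the thread; the other alert lines and the host data in the demo are constructed, and the live-collection helper assumes a Windows host and the standard winreg module. The function names are my own.

```python
import os
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Alert lines in the format the poster's firewall produces. The first is the line
# quoted in the thread; the remaining three are constructed for this example.
SAMPLE_ALERTS = [
    "Someone from dial 81-131-63-6. in-addr.btopenworld.com[81.131.63.6], port 1204 "
    "wants to connect to port 135 owned by ‘Generic Host Process for Win32 Services’ on your computer.",
    "Someone from dial 81-131-63-6. in-addr.btopenworld.com[81.131.63.6], port 1211 "
    "wants to connect to port 135 owned by ‘Generic Host Process for Win32 Services’ on your computer.",
    "Someone from host-203-0-113-9.example.net[203.0.113.9], port 3345 "
    "wants to connect to port 135 owned by 'Generic Host Process for Win32 Services' on your computer.",
    "Someone from host-198-51-100-7.example.net[198.51.100.7], port 5120 "
    "wants to connect to port 80 owned by 'Apache' on your computer.",
]

# Accepts both the curly quotes in the quoted alert and plain ASCII quotes.
ALERT_RE = re.compile(
    r"Someone from (?P<host>.+?)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\], "
    r"port (?P<sport>\d+) wants to connect to port (?P<dport>\d+) "
    r"owned by [‘'](?P<owner>[^’']+)[’'] on your computer"
)

RPC_PORT = 135                          # DCOM RPC port the advisory says the worm scans
BLASTER_FILE = "msblast.exe"            # file the advisory lists under SYSTEM32
BLASTER_RUN_VALUE = "windows auto update"  # Run value name the advisory lists


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Extract source host/IP, source port, destination port and owning process."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "host": m.group("host").strip(),
        "ip": m.group("ip"),
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "owner": m.group("owner").strip(),
    }


def triage_alerts(lines: Iterable[str]) -> Dict[str, object]:
    """Count attempts on TCP 135 per source IP. Repeated hits from one source are
    the scanning behaviour the advisory describes; the right answer stays 'deny'."""
    per_source: Counter = Counter()
    flagged: List[Dict[str, object]] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["dport"] != RPC_PORT:
            continue
        per_source[alert["ip"]] += 1
        flagged.append(alert)
    return {"rpc_scan_sources": dict(per_source), "flagged": flagged}


def check_host_indicators(system32_files: Iterable[str],
                          run_values: Dict[str, str]) -> List[str]:
    """Evaluate the two host symptoms from the advisory against caller-supplied
    data: the SYSTEM32 file list and the Run key values (name -> data)."""
    findings: List[str] = []
    if any(name.lower() == BLASTER_FILE for name in system32_files):
        findings.append(f"{BLASTER_FILE} present in SYSTEM32")
    for name, data in run_values.items():
        if name.lower() == BLASTER_RUN_VALUE or data.lower().endswith(BLASTER_FILE):
            findings.append(f"Run value {name!r} = {data!r}")
    return findings


def collect_live_host_data():
    """Read the real SYSTEM32 listing and Run key values (Windows only; assumes winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import winreg  # standard library module, available only on Windows
    system32 = os.listdir(os.path.join(os.environ["SystemRoot"], "System32"))
    run_values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            run_values[name] = str(data)
            index += 1
    return system32, run_values


if __name__ == "__main__":
    result = triage_alerts(SAMPLE_ALERTS)
    print("sources probing TCP 135:", result["rpc_scan_sources"])
    # Constructed host data: one host showing both symptoms, one clean host.
    infected = check_host_indicators(["kernel32.dll", "MSBLAST.EXE"],
                                     {"windows auto update": "msblast.exe"})
    clean = check_host_indicators(["kernel32.dll"],
                                  {"ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"})
    print("infected host findings:", infected)
    print("clean host findings:", clean)
```

On a real Windows machine, `check_host_indicators(*collect_live_host_data())` runs the same two checks against the live SYSTEM32 directory and Run key; the file comparison is case-insensitive because Windows file names are.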

Thanks Wolf and Allen. I’ve checked in windows/system32 and the said file msblast isn’t there. I also checked the processes in the task manager and msblast isn’t there either, so it looks as though my firewall did the trick and kept the hacker AND the worm out.

BTW, although I’m running Windows XP, I’m using an independent firewall.

Thanks for all the advice.