-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 07:07 AM 10/11/2002, Reasoner, Scott wrote:
>At my organization, we run the Microsoft ISA Server to provide controlled
>internet access on our internal network. This morning when I came in, there
>was a Windows Messenger Service message on the screen (like from when you
>use the NET SEND command). Its contents were advertising for college
>diplomas (almost exactly the same text as some SPAM I've received). I'm
>assuming this means that the ports used for SMB are not being properly
>blocked from the internet (something that I know needs to be fixed).
>
>So, I'm curious, has anyone seen SPAM through the messenger service like
>this, or should I be concerned about a system compromise? My initial
>investigation of the machine shows nothing else out of the ordinary.

Something similar was posted to another list- in fact, I thought you were the
same poster, but it does not look like it. They reported the same message box,
but an event logged with the following info:

<snip>
Application popup: Messenger Service : Message from WEBPOPUP02 to xxx on
10/11/2002 3:03:48 AM

U N I V E R S I T Y   D I P L O M A S

Obtain a prosperous future, money earning power, and the admiration of all.

1 - 6 1 5 - 3 6 6 - 7 8 0 3
</snip>

They reported that the only thing open on the server was 80. By default, ISA
will block everything you don't allow in, but if you have configured ISA to
open all/block specific, then you should know that the "ALL NetBIOS" filter
did not include port 445- I reported this to MS and they said they fixed it
in SP1. But that said, I doubt that is what is going on...

Do you have an event log entry for the messenger service as well? Same
WEBPOPUP02 box? And when you say there was a "message on the screen," was it
on the ISA box or your own box inside the protected network?
Assuming your ISA is configured properly and the other poster was also correct
in only 80 being open, then it looks like there might be some sneaky way of
invoking messenger. Or, someone is sending email attachments out that get
executed internally that do a NET SEND EVERYONE or something like that.
Hmmmm.

- --
AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPab8P4hsmyD15h5gEQKragCglfuF1EK1dPDeB1O8XNqOOIUyUJYAoIZ7
1VnjUlx1RzyBP6mCEhkPQtjF
=FKQb
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
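The two checks AD asks Scott to make (is there a Messenger Service event-log entry, and from which box; and does the firewall's block list actually cover every port the Messenger service answers on, given that ISA's pre-SP1 "ALL NetBIOS" filter missed 445) can be scripted. The following is an added example written for this archive page, not code from either poster or from Microsoft. The log text is constructed for the example (only the WEBPOPUP02 entry resembles the one quoted above), the function names (parse_popups, suspicious_popups, exposed_messenger_ports) are the example's own, and the exact port list of the pre-SP1 filter is an assumption beyond what the post states (it says only that 445 was missing).

```python
"""Two checks that follow from the thread above: parse Messenger Service
"Application popup" log entries to see who is sending them, and work out which
Messenger delivery ports an open-all/block-specific firewall policy still
leaves reachable from the internet. Added example, not the posters' code."""
import re
from datetime import datetime

# Constructed sample of Application-log text (made up for this example; the
# thread quotes only a single entry, from WEBPOPUP02).
SAMPLE_EVENTS = """\
Application popup: Messenger Service : Message from WEBPOPUP02 to FILESRV on 10/11/2002 3:03:48 AM U N I V E R S I T Y D I P L O M A S Obtain a prosperous future, money earning power, and the admiration of all.
Application popup: Messenger Service : Message from ADMIN-WS to FILESRV on 10/11/2002 8:15:02 AM Backup finished, rebooting in 5 minutes
Application popup: Messenger Service : Message from WEBPOPUP02 to DC01 on 10/11/2002 3:03:49 AM U N I V E R S I T Y D I P L O M A S Obtain a prosperous future, money earning power, and the admiration of all.
"""

POPUP_RE = re.compile(
    r"Application popup: Messenger Service : Message from (?P<sender>\S+) "
    r"to (?P<recipient>\S+) on "
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"\s*(?P<body>.*)"
)


def parse_popups(log_text):
    """Return one dict per Messenger popup entry: sender, recipient, when, body."""
    events = []
    for line in log_text.splitlines():
        m = POPUP_RE.search(line)
        if not m:
            continue  # some other Application-log line; not a popup
        events.append({
            "sender": m.group("sender"),
            "recipient": m.group("recipient"),
            "when": datetime.strptime(m.group("when"), "%m/%d/%Y %I:%M:%S %p"),
            "body": m.group("body").strip(),
        })
    return events


def looks_obfuscated(body):
    """Spam of this era spaced letters out ("U N I V E R S I T Y") to dodge
    keyword filters; flag a body where at least half the tokens are one char."""
    tokens = body.split()
    if not tokens:
        return False
    singles = sum(1 for t in tokens if len(t) == 1)
    return singles * 2 >= len(tokens)


def suspicious_popups(events, known_hosts):
    """Popups whose sender is not a machine you recognise, or whose body is
    letter-spaced spam. A NET SEND from an internal box carries that box's
    NetBIOS name as the sender, so an unknown sender name points outside."""
    return [e for e in events
            if e["sender"] not in known_hosts or looks_obfuscated(e["body"])]


# Ports over which the Messenger service can be reached: MSRPC endpoint mapper
# (135), NetBIOS name/datagram/session (137-139) and direct-hosted SMB (445).
MESSENGER_PORTS = frozenset({
    ("udp", 135), ("tcp", 135),
    ("udp", 137), ("udp", 138), ("tcp", 139),
    ("tcp", 445),
})

# The post says ISA's pre-SP1 "All NetBIOS" filter lacked 445; that it covered
# exactly 137-139 and nothing else is an assumption made for this example.
ISA_ALL_NETBIOS_PRE_SP1 = frozenset({
    ("udp", 137), ("udp", 138), ("tcp", 139),
})


def exposed_messenger_ports(blocked):
    """For an 'open all, block specific' policy, return the Messenger delivery
    ports the block list does not cover, i.e. what an outside sender can still
    reach. An empty list means the policy covers them all."""
    return sorted(MESSENGER_PORTS - frozenset(blocked))


if __name__ == "__main__":
    evts = parse_popups(SAMPLE_EVENTS)
    for e in suspicious_popups(evts, {"ADMIN-WS", "FILESRV", "DC01"}):
        print(e["when"], e["sender"], "->", e["recipient"], "|", e["body"][:40])
    print("still exposed:", exposed_messenger_ports(ISA_ALL_NETBIOS_PRE_SP1))
```

Run against a real export of the Application log, the sender column answers AD's "same WEBPOPUP02 box?" question directly: a sender name that is not one of your own machines means the popup did not originate from an internal NET SEND. The port check is the reason "only 80 is open" needs verifying rather than assuming: with a block-specific policy, a filter that stops at 139 leaves 135 and 445 open, and either is enough to deliver a popup.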
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 09:27:39 PDT