"Reasoner, Scott" wrote: > > At my organization, we run the Microsoft ISA Server to provide controlled > internet access on our internal network. This morning when I came in, there > was a Windows Messenger Service message on the screen (like from when you > use the NET SEND command). It's contents were advertising for college > diplomas (almost exactly the same text as some SPAM I've recieved). I'm > assuming this means that the ports used for SMB are not being properly > blocked from the internet (something that I know needs to be fixed). A lot of universities are reporting this. BTW. It doesn't come through netbios. We've got ports 137-139 and 445 blocked and we've seen it. It comes from the Windows Messenger service. This service is an RPC service. Client contact the RPC port (135) which then tells the client which high port the Messenger service is listening on. The Messenger service runs by default on NT, 2k, and XP computers. One site I looked at said it runs as service.exe. -- Gary Flynn Security Engineer - Technical Services James Madison University Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 14:03:16 PDT