http://www.directadvertiser.com is the source of a lot of this. Their app is used by spammers to send win-popups to machines....not just one machine at a time, but whole blocks.... I would suggest firewalling off 137,138,139,445 (tcp AND udp) .... or just not attach NetBEUI to tcp/ip ....

-John Stauffacher

++
John Stauffacher
Network Administrator
Chapman University
stauffacherat_private
714-628-7249

-----Original Message-----
From: Chris Brenton [mailto:cbrentonat_private]
Sent: Friday, October 11, 2002 9:24 AM
To: Reasoner, Scott
Cc: incidentsat_private
Subject: Re: Strange Message

On Fri, 2002-10-11 at 10:07, Reasoner, Scott wrote:
>
> At my organization, we run the Microsoft ISA Server to provide controlled
> internet access on our internal network.

Hummm. Wasn't there an article a while back that Microsoft themselves were yanking ISA and replacing them with Netscreen to get better security? ;-)

> This morning when I came in, there
> was a Windows Messenger Service message on the screen (like from when you
> use the NET SEND command). Its contents were advertising for college
> diplomas (almost exactly the same text as some SPAM I've received).

I have not seen this but it does not surprise me. Between formmail, war spamming, etc. etc. it was only a matter of time before they tried this as well.

> So, I'm curious, has anyone seen SPAM through the messenger service like
> this, or should I be concerned about a system compromise?

I would certainly be concerned as this indicates you have NetBIOS/IP exposed to the Internet. Chances are this spammer was not the first person to notice this was exposed. Have you disabled null session capability? If not this could be serious. Do you log successful logon and logoff attempts as well as limit logon tries to something like 3 failures?

I ask because if the answer to both of these questions is "no", it would be trivial to use something like the NetBIOS Auditing Tool to enumerate all of your logon accounts and do brute force cracking over the wire. Someone could own your box right now and you would not be the wiser if these features are not enabled. If they are enabled, the chances that someone else owns your box are lower but certainly not impossible. An MD5 check of the file system is certainly in order.

BTW, this is more of a general comment to everyone, if you run into a problem like this and post to a public forum it's a good idea to post the message from a Hotmail, Yahoo, etc. account as otherwise you let a very large group of people know where you are and how they can break in.

HTH,
Chris

--
**************************************
cbrentonat_private
find / -name \*yourbase\* -exec chown us:us {} \;

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
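Added here as an illustration, not code from the thread or from either poster: a log check in the spirit of John's advice to firewall 137, 138, 139 and 445 (TCP and UDP). It reads constructed firewall log lines in an assumed key=value format and reports allowed inbound NetBIOS/SMB traffic that reached internal hosts from non-RFC 1918 sources, which is the exposure Chris warns about; denied packets are treated as probing evidence, not exposure.

```python
import ipaddress
from collections import defaultdict

# Ports named in the thread: NetBIOS name/datagram/session services and SMB over TCP.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# RFC 1918 space plus loopback, checked explicitly rather than via
# ipaddress.is_private (which also classifies documentation ranges as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines in an assumed key=value firewall-log format (not a real vendor format).
SAMPLE_LOG = """\
action=allow proto=udp src=203.0.113.7 sport=1025 dst=192.0.2.10 dport=138
action=allow proto=tcp src=203.0.113.7 sport=2300 dst=192.0.2.10 dport=139
action=allow proto=tcp src=10.1.1.5 sport=3456 dst=192.0.2.10 dport=445
action=deny proto=tcp src=198.51.100.9 sport=4000 dst=192.0.2.11 dport=445
action=allow proto=udp src=198.51.100.9 sport=4001 dst=192.0.2.11 dport=137
action=allow proto=tcp src=203.0.113.7 sport=2301 dst=192.0.2.10 dport=80
"""

def parse_line(line):
    """Turn one key=value log line into a dict; returns None for blank or malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        fields["dport"] = int(fields["dport"])
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
    except (KeyError, ValueError):
        return None
    return fields

def find_exposed_netbios(log_text):
    """Return {(dst, proto, dport): set(external source IPs)} for allowed inbound
    NetBIOS/SMB traffic whose source is outside the internal address ranges."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "allow" or rec["dport"] not in NETBIOS_SMB_PORTS:
            continue
        if any(rec["src"] in net for net in INTERNAL_NETS):
            continue  # internal NetBIOS/SMB use is expected; reach from outside is the problem
        exposed[(str(rec["dst"]), rec["proto"], rec["dport"])].add(str(rec["src"]))
    return dict(exposed)

if __name__ == "__main__":
    for (dst, proto, port), sources in sorted(find_exposed_netbios(SAMPLE_LOG).items()):
        print(f"{dst} {proto}/{port} reachable from the Internet: {', '.join(sorted(sources))}")
```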
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 14:03:54 PDT