I would actually recommend that the block 135-140 tcp/udp be blocked; 135 and 136 are also used by NetBIOS, and 445.

On 11 Oct 2002 at 10:24, John Stauffacher wrote:

From:           "John Stauffacher" <stauffacherat_private>
To:             "'Chris Brenton'" <cbrentonat_private>, "'Reasoner, Scott'" <SReasonerat_private>
Copies to:      <incidentsat_private>
Subject:        RE: Strange Message
Date sent:      Fri, 11 Oct 2002 10:24:39 -0700
Mailer:         Microsoft Outlook, Build 10.0.3416

> http://www.directadvertiser.com is the source of a lot of this. Their
> app is used by spammers to send win-popups to machines....not just one
> machine at a time, but whole blocks....
>
> I would suggest firewalling off 137,138,139,445 (tcp AND udp) .... or
> just not attach NetBEUI to tcp/ip ....
>
> -John Stauffacher
>
> ++
> John Stauffacher
> Network Administrator
> Chapman University
> stauffacherat_private
> 714-628-7249
>
> -----Original Message-----
> From: Chris Brenton [mailto:cbrentonat_private]
> Sent: Friday, October 11, 2002 9:24 AM
> To: Reasoner, Scott
> Cc: incidentsat_private
> Subject: Re: Strange Message
>
> On Fri, 2002-10-11 at 10:07, Reasoner, Scott wrote:
> >
> > At my organization, we run the Microsoft ISA Server to provide controlled
> > internet access on our internal network.
>
> Hummm. Wasn't there an article a while back that Microsoft themselves
> were yanking ISA and replacing them with Netscreen to get better
> security? ;-)
>
> > This morning when I came in, there
> > was a Windows Messenger Service message on the screen (like from when you
> > use the NET SEND command). Its contents were advertising for college
> > diplomas (almost exactly the same text as some SPAM I've received).
>
> I have not seen this but it does not surprise me. Between formmail, war
> spamming, etc. etc. it was only a matter of time before they tried this
> as well.
>
> > So, I'm curious, has anyone seen SPAM through the messenger service like
> > this, or should I be concerned about a system compromise?
>
> I would certainly be concerned as this indicates you have NetBIOS/IP
> exposed to the Internet. Chances are this spammer was not the first
> person to notice this was exposed. Have you disabled null session
> capability? If not this could be serious.
>
> Do you log successful logon and logoff attempts as well as limit logon
> tries to something like 3 failures? I ask because if the answer to both
> of these questions is "no", it would be trivial to use something like
> the NetBIOS Auditing Tool to enumerate all of your logon accounts and do
> brute force cracking over the wire. Someone could own your box right now
> and you would not be the wiser if these features are not enabled. If
> they are enabled, the chances that someone else owns your box are lower
> but certainly not impossible. An MD5 check of the file system is
> certainly in order.
>
> BTW, this is more of a general comment to everyone, if you run into a
> problem like this and post to a public forum it's a good idea to post
> the message from a Hotmail, Yahoo, etc. account as otherwise you let a
> very large group of people know where you are and how they can break in.
>
> HTH,
> Chris
> --
> **************************************
> cbrentonat_private
>
> find / -name \*yourbase\* -exec chown us:us {} \;
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

--
Jason Robertson
Now at the National Research Council.
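Added example, not from the thread or any of its authors: a small check a defender could run over netfilter-style firewall log lines to see whether Internet sources are hitting the NetBIOS/SMB ports the thread recommends blocking (135-140 and 445, tcp and udp). The log line format, the IP addresses and the function names are assumptions constructed for the example.

```python
import re
from collections import Counter

# Ports discussed in the thread: 135-140 (NetBIOS/RPC, Messenger popups) plus 445 (SMB).
WATCHED_PORTS = set(range(135, 141)) | {445}

# Parser for an assumed netfilter-style kernel log line (SRC=/DST=/PROTO=/DPT= fields).
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>TCP|UDP)\s+SPT=\d+\s+DPT=(?P<dpt>\d+)"
)

def is_private(ip):
    """RFC 1918 check so that only Internet-sourced hits are counted."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def netbios_hits(lines):
    """Return {(src, proto, dport): count} for external hits on the watched ports."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall line we understand; skip it
        dport = int(m.group("dpt"))
        if dport in WATCHED_PORTS and not is_private(m.group("src")):
            hits[(m.group("src"), m.group("proto"), dport)] += 1
    return hits

# Constructed sample log lines (hypothetical hosts; documentation-range addresses).
SAMPLE_LOG = """\
Oct 11 09:20:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=1027 DPT=135 LEN=400
Oct 11 09:20:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.6 PROTO=UDP SPT=1027 DPT=135 LEN=400
Oct 11 09:21:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=3344 DPT=445 LEN=60
Oct 11 09:22:00 gw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 11 09:23:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=3345 DPT=80 LEN=60
""".splitlines()

if __name__ == "__main__":
    # The internal 137/137 line and the port-80 line are ignored; two external sources remain.
    for (src, proto, dport), n in sorted(netbios_hits(SAMPLE_LOG).items()):
        print(f"{src} -> {proto}/{dport}: {n} inbound packet(s)")
```

Any non-empty result means the firewall is still seeing Internet traffic to these ports, i.e. the block rules the thread recommends are missing or are not in front of this host.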
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 18:35:41 PDT