We are in the same boat. We have udp/tcp 135-139 and 445 blocked but we still see the spam. We have identified 2 hosts on campus: 1 is a Linux box running RedHat 7.3, the other seems to be a Win2k box. I've done a quick check of the Linux box but it doesn't appear to be compromised; one thing I did notice from external scanning is that RPC on the Linux box is not configured correctly and allows forwarding of RPC requests. I've not checked the windows box yet but I was thinking maybe the requests were being forwarded from outside the campus network to hosts inside via these misconfigured RPC installations.

Any thoughts? Am I way off base here?

Cheers
Danny

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Tuesday, October 15, 2002 10:13 AM
To: Gary Flynn
Cc: incidentsat_private; SReasonerat_private; thorat_private; prw@the-buddha.com; cbrentonat_private
Subject: Re:

Gary,

As a followup, I read the articles you have listed...very interesting, particularly the myNetWatchman article. It doesn't exactly jive w/ what I've seen when testing in my lab: I performed a packet capture while running a Perl script that invoked the NetMessageBufferSend() API call from a Win2K machine to an NT machine - each was a standalone setup. The actual message contents were sent to TCP port 139 on the NT machine.

I'll do more testing in order to verify what's going on at a network level...but my concern is that if UDP 135 is being used, and you say you've closed the NetBIOS ports on your firewall...what's going on? Do you have an IDS that's picking anything up? The only thing I can think of is that these popups are not originating from the other side of the firewall...thoughts?

--- Gary Flynn <flynngnat_private> wrote:
> H C wrote:
> >
> > I did some testing...and after reading this thread and
> > seeing the DirectAdvertisers.com site, I decided to
> > write up some code and see what happened (the code is
> > below). I tested this on a network...and it worked
> > just fine.
>
> I think some of the stuff is coming in on the MS-RPC
> port - 135. We have all netbios over tcp ports blocked
> and we still see the spam.
>
> Here is a good write-up that also contains a link to
> good info about RPC and windows services:
>
> http://www.mynetwatchman.com/kb/security/articles/popupspam/
> http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
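The thread leaves two questions open: whether the popup traffic is actually crossing the firewall on UDP 135 / TCP 139 (H C's "do you have an IDS that's picking anything up?") and whether a campus host is relaying it to others (Danny's forwarding hypothesis). The following script is an added illustration, not code from any of the posters: it triages firewall log lines for traffic to the ports named in the thread (135, 137-139, 445), splits it into external-origin versus campus-origin, and flags any campus host that both accepted such traffic from outside and then sent it to other campus hosts. The log format ("PROTO src:sport -> dst:dport ACTION"), the sample lines and the 192.0.2.0/24 campus range are all constructed placeholders; adapt parse_line() to your real firewall or IDS output.

```python
"""Triage firewall log lines for Messenger/NetBIOS popup traffic (added example)."""
import ipaddress
from collections import Counter

# Ports discussed in the thread: MS-RPC endpoint mapper (135),
# NetBIOS (137-139) and SMB (445).
MESSENGER_PORTS = {135, 137, 138, 139, 445}

# Assumed campus address space (placeholder, not from the thread).
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log lines in a simplified
# "PROTO src:sport -> dst:dport ACTION" form; not real firewall output.
SAMPLE_LOG = """\
UDP 203.0.113.10:1034 -> 192.0.2.25:135 ACCEPT
TCP 203.0.113.10:1035 -> 192.0.2.25:139 DROP
TCP 198.51.100.5:4000 -> 192.0.2.30:445 DROP
UDP 192.0.2.25:1200 -> 192.0.2.77:135 ACCEPT
UDP 192.0.2.25:1201 -> 192.0.2.78:135 ACCEPT
UDP 192.0.2.40:1500 -> 192.0.2.41:135 ACCEPT
TCP 192.0.2.40:1501 -> 192.0.2.41:80 ACCEPT
"""


def is_campus(ip):
    """True if the address falls inside one of the assumed campus ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def parse_line(line):
    """Return (proto, src_ip, dst_ip, dport, action), or None if the line does not match."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    proto, src, _, dst, action = parts
    try:
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return proto.upper(), src_ip, dst_ip, int(dport), action.upper()
    except ValueError:
        return None


def triage(log_text):
    """Classify traffic to MESSENGER_PORTS by origin and flag candidate relay hosts."""
    external_accepted = []      # packets from outside that the firewall let through
    external_dropped = 0        # packets from outside that were blocked
    internal_senders = Counter()  # campus hosts sending to other campus hosts
    ingress_hosts = set()       # campus hosts that received accepted external traffic

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, dport, action = rec
        if dport not in MESSENGER_PORTS:
            continue
        if not is_campus(src):
            if action == "ACCEPT":
                external_accepted.append((src, dst, proto, dport))
                ingress_hosts.add(dst)
            else:
                external_dropped += 1
        elif is_campus(dst):
            internal_senders[src] += 1

    # A host that took external traffic on these ports and then sent to
    # other campus hosts on them matches the "forwarding" hypothesis.
    suspected_relays = sorted(h for h in ingress_hosts if internal_senders[h] > 0)
    return {
        "external_accepted": external_accepted,
        "external_dropped": external_dropped,
        "internal_senders": internal_senders,
        "suspected_relays": suspected_relays,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("accepted from outside:", result["external_accepted"])
    print("dropped from outside:", result["external_dropped"])
    print("campus senders:", dict(result["internal_senders"]))
    print("suspected relays:", result["suspected_relays"])
```

On the constructed sample, 203.0.113.10 gets one UDP 135 packet through to 192.0.2.25, which then sends UDP 135 to two other campus hosts, so .25 is reported as a suspected relay; 192.0.2.40 also sends on 135 but with no external ingress, which is the "not originating from the other side of the firewall" case H C raises.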
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 13:55:22 PDT