Here is a free program which performs those win popups. If you want,
download it and check how it works (ports, etc.). Get it here:
http://www.computec.ch/software/denial_of_service/winpopup-flooder/winpopup-flooder.zip

Later.
T0m

--- "Hay,Daniel" <DHayat_private> wrote:
> We are in the same boat. We have udp/tcp 135-139 and 445 blocked but
> we still see the spam. We have identified 2 hosts on campus: 1 is a
> Linux box running RedHat 7.3, the other seems to be a Win2k box. I've
> done a quick check of the Linux box but it doesn't appear to be
> compromised. One thing I did notice from external scanning is that
> RPC on the Linux box is not configured correctly and allows
> forwarding of RPC requests. I've not checked the windows box yet but
> I was thinking maybe the requests were being forwarded from outside
> the campus network to hosts inside via these misconfigured RPC
> installations. Any thoughts? Am I way off base here?
>
> Cheers
> Danny
>
> -----Original Message-----
> From: H C [mailto:keydet89at_private]
> Sent: Tuesday, October 15, 2002 10:13 AM
> To: Gary Flynn
> Cc: incidentsat_private; SReasonerat_private;
> thorat_private; prw@the-buddha.com; cbrentonat_private
> Subject: Re:
>
> Gary,
>
> As a followup, I read the articles you have
> listed...very interesting, particularly the
> myNetWatchman article. It doesn't exactly jive w/
> what I've seen when testing in my lab:
>
> I performed a packet capture while running a Perl
> script that invoked the NetMessageBufferSend() API
> call from a Win2K machine to an NT machine - each was
> a standalone setup. The actual message contents were
> sent to TCP port 139 on the NT machine.
>
> I'll do more testing in order to verify what's going
> on at a network level...but my concern is that if UDP
> 135 is being used, and you say you've closed the
> NetBIOS ports on your firewall...what's going on? Do
> you have an IDS that's picking anything up?
>
> The only thing I can think of is that these popups are
> not originating from the other side of the
> firewall...thoughts?
>
>
> --- Gary Flynn <flynngnat_private> wrote:
> > H C wrote:
> > >
> > > I did some testing...and after reading this thread
> > > and seeing the DirectAdvertisers.com site, I decided
> > > to write up some code and see what happened (the code
> > > is below). I tested this on a network...and it
> > > worked just fine.
> >
> > I think some of the stuff is coming in on the MS-RPC
> > port - 135. We have all netbios over tcp ports
> > blocked and we still see the spam.
> >
> > Here is a good write-up that also contains a link to
> > good info about RPC and windows services:
> >
> > http://www.mynetwatchman.com/kb/security/articles/popupspam/
> > http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
> >
> > --
> > Gary Flynn
> > Security Engineer - Technical Services
> > James Madison University
> >
> > Please R.U.N.S.A.F.E.
> > http://www.jmu.edu/computing/runsafe
>
> __________________________________________________
> Do you Yahoo!?
> Faith Hill - Exclusive Performances, Videos & More
> http://faith.yahoo.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

=====
Latest Stock Market News And Analysis At: www.elitetraderz.com
Phone: +56-9-3193229 Fax: +56-2-3260048
CEO: Thomas Willner
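An added triage script, not part of this thread or of any poster's code, that applies the thread's reasoning to constructed firewall log lines: it flags hits on the ports discussed (135 TCP/UDP, NetBIOS 137-139, 445) and, since both Danny and Gary block those ports at the border yet still see popups, reports campus hosts that hit popup ports on several other campus hosts, which is where the senders turned out to be. The netfilter-style log format, the campus range 10.0.0.0/8 and all addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the thread ties to Messenger-service popups: MS-RPC endpoint
# mapper 135 (TCP/UDP), NetBIOS 137-139 and direct-hosted SMB 445.
POPUP_PORTS = {("udp", 135), ("tcp", 135), ("udp", 137), ("udp", 138),
               ("tcp", 139), ("tcp", 445), ("udp", 445)}
# Assumption: a placeholder campus range; replace with the real ones.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Fields of a netfilter-style log line (constructed format for this example).
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?"
                    r"PROTO=(?P<proto>[A-Za-z]+).*?\bDPT=(?P<dpt>\d+)")


def is_campus(addr):
    return any(ipaddress.ip_address(addr) in net for net in CAMPUS_NETS)


def classify(line):
    """Return (direction, src, dst, proto, dport) for a popup-port hit, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, dport = m["proto"].lower(), int(m["dpt"])
    if (proto, dport) not in POPUP_PORTS:
        return None
    src, dst = m["src"], m["dst"]
    # inbound = crossed the border; internal = campus host talking to campus host
    direction = ("internal" if is_campus(src) else "inbound") if is_campus(dst) else "outbound"
    return (direction, src, dst, proto, dport)


def internal_senders(lines, min_targets=3):
    """Campus hosts hitting popup ports on >= min_targets other campus hosts."""
    targets = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit and hit[0] == "internal":
            targets[hit[1]].add(hit[2])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


# Constructed sample: a hit from outside, a campus host sweeping TCP 139, an HTTP line.
SAMPLE_LOG = [
    "Oct 15 10:13:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.1.2.3 PROTO=UDP SPT=1032 DPT=135",
    "Oct 15 10:13:02 fw kernel: IN=eth1 OUT= SRC=10.1.9.40 DST=10.1.2.3 PROTO=TCP SPT=1045 DPT=139",
    "Oct 15 10:13:02 fw kernel: IN=eth1 OUT= SRC=10.1.9.40 DST=10.1.2.4 PROTO=TCP SPT=1046 DPT=139",
    "Oct 15 10:13:03 fw kernel: IN=eth1 OUT= SRC=10.1.9.40 DST=10.1.2.5 PROTO=TCP SPT=1047 DPT=139",
    "Oct 15 10:13:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.1.2.3 PROTO=TCP SPT=2001 DPT=80",
]
```

An "inbound" hit despite a border block points at the filter itself; a campus source with many "internal" targets is a host to pull for inspection, as Danny did.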
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 16:09:18 PDT