H C wrote:
>
> Many of the posts to this list have clearly shown that
> this "messenger spam" is not, in fact, coming in over
> TCP port 139 (as works w/ 'net send'

Carv and all,

A 'net send' sent a message in my tests using UDP-135. I suspect it varies with what protocols are bound by the applications in question and the machines in use. The test systems I used did not have netbios/tcp bound (139). The message was sent from an XP professional machine to an XP home machine.

RPC can use many different underlying protocols as transport. The applications decide which protocols to use as endpoints. Details are here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/selecting_a_protocol_sequence.asp
(may wrap)

I don't know what the Messenger service and net send use but it seems from what everybody has said that they at least support both tcp/netbios(139) and dynamic ports provided by the UDP-135 mapper. I suspect they also support netbeui but don't have any evidence of that.

Tools that may provide more information can be found on the Bindview site below. I haven't made the time yet to sort out all the classids to figure out what is actually happening:

http://razor.bindview.com/tools/desc/rpctools1.0-readme.html

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 11:57:38 PDT
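
The transports discussed in the message above (the UDP-135 mapper, dynamic ports it hands out, and tcp/netbios 139) can be separated in firewall logs with a small classifier. This is an added example, not part of the original post; the log format, addresses, labels and the "above 1023" dynamic-port threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = """\
2002-10-17T10:00:01 IN UDP 198.51.100.7:4021 -> 192.0.2.10:135
2002-10-17T10:00:02 IN UDP 198.51.100.7:4021 -> 192.0.2.10:1026
2002-10-17T10:00:05 IN TCP 198.51.100.9:3300 -> 192.0.2.11:139
2002-10-17T10:00:09 IN UDP 203.0.113.5:53 -> 192.0.2.10:1030
2002-10-17T10:00:12 IN TCP 198.51.100.9:3301 -> 192.0.2.11:80
"""

LINE = re.compile(r"(\S+) IN (UDP|TCP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
MAPPER_UDP = 135     # UDP-135 mapper named in the message
NETBIOS_TCP = 139    # tcp/netbios port named in the message
DYNAMIC_MIN = 1024   # assumption: mapper-assigned endpoints sit above 1023


def classify(log_text):
    """Return (timestamp, src, dst, dport, label) for RPC-related inbound flows."""
    mapper_seen = defaultdict(set)  # dst host -> sources that contacted its mapper
    findings = []
    for raw in log_text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            continue  # ignore lines not in the constructed format
        ts, proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if proto == "UDP" and dport == MAPPER_UDP:
            mapper_seen[dst].add(src)
            label = "rpc-mapper-udp"
        elif proto == "TCP" and dport == NETBIOS_TCP:
            label = "netbios-session-tcp"
        elif proto == "UDP" and dport >= DYNAMIC_MIN and src in mapper_seen[dst]:
            # Heuristic: same source hit the mapper first, so treat this
            # high UDP port as a dynamically assigned RPC endpoint.
            label = "rpc-dynamic-udp"
        else:
            continue  # unrelated traffic (e.g. DNS replies, HTTP)
        findings.append((ts, src, dst, dport, label))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(*finding)
```

The DNS reply to UDP 1030 is not flagged because its source never contacted the mapper on that host, which is what keeps the dynamic-port rule from matching ordinary high-port UDP traffic.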