Re: Odd Behavior - Windows Messenger Service

["morning_wood" <se_cur_ity () hotmail com>]

this is no misconfigured server, as I stated .. I FOLOWED THE PROMPTS OUT
OF THE BOX to install XP
    it IS behind a router IN the DMZ ( port 445 is open to it ) , the
message did NOT come from my LAN, as I am the only one on it.
Donnie


----- Original Message ----- 
From: "Benjamin Meade" <ben () lanwest com au>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, July 16, 2003 2:59 AM
Subject: RE: [Full-disclosure] Odd Behavior - Windows Messenger Service


> To me, that means that either the box was connected to the 'net without
> a firewall or being locked down, or
> someone on your lan is spamming, either knowingly, or unknowningly.
>
> Don't know why you posted this to every bug list in the known world, as
> it seems like a misconfiguration, not a bug.
> In this particular case, you will deserve the flames.
>
> Benjamin Meade
> System Administrator
> LanWest Pty Ltd
>
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of
> morning_wood
> Sent: Wednesday, 16 July 2003 5:37 PM
> To: bugtraq () securityfocus com; vulnwatch () vulnwatch org;
> full-disclosure () lists netsys com; 0day
> Subject: [Full-disclosure] Odd Behavior - Windows Messenger Service
>
>
> Donnie Werner
> morning_wood () exploitlabs com
> July 16, 2003
>
> WindowsR networking ( TCP) and messenger service are both initialized
> before any user/admin login has taken place, and are remotely accessable
>
>
> odd... setting up default XP box in DMZ  I complete the install setting
> up networking ( dhcp ) and ( workgroup ) only one passworded
> administrator account as prompted by the instalation media.... reboot.
> I leave box unatended for aprox 30 minuts at the login screen... Upon
> sucessfull passworded login, a message-ala-windows messenger service is
> displayed.. ( damn spammers )
>
> BEFORE THE DESKTOP !!! and before anything ( except wallpaper ) has
> initialized
>
>
> here is output from a remote nbtenum session before a sucessfull login
> of a freshly booted XP box
>
> Network Adapter Adapter: \Device\NetbiosSmb
> MAC Address: 000000000000
> Adapter: \Device\NetBT_Tcpip_{D36A0C7D-1EC4-417E-9A7C-DF4F13AF9D4C}
> MAC Address: 00A0CC397071
> Logged On Users Username: 333\BITCHBOX$
> Logon Server:
> Share Information IPC$
> ADMIN$
> C$
>
> dunno if this particular behavior has been observed before ( im donning
> NomexR for the flames )
>
> Donnie Werner
> http://exlpoitlabs.com
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html