Full Disclosure mailing list archives
Re: Odd Behavior - Windows Messenger Service
From: jklemenc () fnal gov
Date: Wed, 16 Jul 2003 16:37:58 -0500
This is because, by default, the Messenger service is started. It is one of the many services that hide behind the catch-all MS Networking Ports (tcp/139 & tcp/445). In a MS world using NET SEND, one must be able to resolve both your NetBios name and be able to route to your IP address, and they cannot hide their identity. However, using smbclient on Unix platforms, they can mask themselves pretty easily. Either your machine name is the same as your DNS name -OR- the spammer made an anonymous IPC$ connection to your machine, asked for the NetBios name, then sent you a message using:

    smbclient -M <your NetBios machine name> -U <the From user, spoofed> -I <your IP address>

This is one of the many reasons to NOT have the MS Networking ports exposed to the Internet. Even though you disabled the shares and such, the Server and Client services were probably still running. MS does not disable these by default since they are the core of MS Networking. I would rather MS take the UNIX approach, or at least the RPC style, and have each listening service be on their own port instead of via named-pipes over a common port. But this is all a leftover from the old WFW NetBios days...

Why is the message on your uninitialized desktop? Well, a Message can either be sent to a specific logged-in user -OR- to an entire machine. Using the smbclient example above, it is sent to a machine, where it sits on a 'console' until someone finally logs in. This is the same as having a Windows server where after you log in, you have some PopUps about applications that failed to start or items that exceeded the Perf Monitor values, etc. Nothing different there except this message came from an outside source.

If you want to know more, perform a search on the various Security Focus lists archives about the 'University Diploma' popup spam. Basically, I re-iterated the same above as I did originally on those lists.
morning_wood <se_cur_ity () hotmail com>
Sent by: full-disclosure-admin@lists.netsys.com
07/16/2003 03:11 PM

To: Martin <nakal () web de>, full-disclosure () lists netsys com
cc:
Subject: Re: [Full-disclosure] Odd Behavior - Windows Messenger Service
I can confirm this behavior. This service is enabled on Windows 2000 and XP by default. I noticed it on my sister's PC after she clicked away 3 advertisement pop-ups and growling at the PC. I think that the average user does not know how to disable it. (And btw: NO, the average MS-Windows user is NOT USING any firewalls.)
more to the point... THERE WAS NO LOGIN PERIOD this was a fresh install.. waiting at the login prompt.. the pop up was there before any user ( admin ) settings initialized or login took place. once again.. this is out of the box install following all prompts, no sharing etc. ( only setting computer name and workgroup ) reboot.. sit at login prompt.. login.. pop up was waiting on an uninitialized desktop..

this is my question / issue... NOT my personal security or lack of knowledge about basic networking / security. disabling the service is easy, im reporting on default out of the box behavior, not how to get rid of it or protect myself. please all.. re-read my scenario...

donnie

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
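Added example, not part of the original post or thread: one way to check whether hosts are receiving traffic on the MS Networking ports named above (tcp/139 and tcp/445) from outside the local network, by scanning gateway firewall logs. The log lines are constructed samples in the Linux netfilter LOG key=value layout, and the internal address ranges are an assumption to adjust per site.

```python
import ipaddress
import re
from collections import Counter

# Ports the post names as the catch-all MS Networking ports.
MS_NETWORKING_PORTS = {139, 445}

# Assumption: these RFC 1918 ranges are the site's internal networks.
# (ipaddress.is_private is not used: it also covers documentation ranges.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
Jul 16 15:11:02 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=40112 DPT=139 SYN
Jul 16 15:11:03 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=40113 DPT=445 SYN
Jul 16 15:12:40 gw kernel: IN=eth1 OUT=eth1 SRC=192.168.1.31 DST=192.168.1.20 PROTO=TCP SPT=1045 DPT=445 SYN
Jul 16 15:13:09 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.1.20 PROTO=TCP SPT=51514 DPT=80 SYN
Jul 16 15:14:55 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.1.21 PROTO=UDP SPT=4000 DPT=445
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_smb_hits(log_text):
    """Return (src, dst, port) for TCP packets to 139/445 from outside."""
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or "SRC" not in f or "DST" not in f:
            continue
        if not f.get("DPT", "").isdigit():
            continue
        if int(f["DPT"]) in MS_NETWORKING_PORTS and not is_internal(f["SRC"]):
            hits.append((f["SRC"], f["DST"], int(f["DPT"])))
    return hits


def exposed_hosts(log_text):
    """Count external hits per destination host."""
    return Counter(dst for _, dst, _ in external_smb_hits(log_text))


if __name__ == "__main__":
    for dst, n in exposed_hosts(SAMPLE_LOG).items():
        print(f"{dst}: {n} external attempts to tcp/139 or tcp/445")
```

Any host this reports is reachable on those ports from outside and is a candidate for a border filter rule or for disabling the Messenger service.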