Security Incidents mailing list archives

Re: Strange Message


From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 11 Oct 2002 17:40:59 -0400

Gary Flynn wrote:
 
> BTW. It doesn't come through netbios. We've got ports 137-139 and
> 445 blocked and we've seen it.
>
> It comes from the Windows Messenger service. This service is
> an RPC service. Clients contact the RPC port (135) which then
> tells the client which high port the Messenger service is
> listening on. The Messenger service runs by default on NT,
> 2k, and XP computers. One site I looked at said it runs
> as service.exe.

Correction. svchost.exe

A high UDP port opens from this process when I send a message
locally.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
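
Added example, not part of the original post: one way to find the high UDP port described above by correlating `tasklist /svc` with `netstat -ano` output. It assumes both commands are available on the host; the sample output and the PIDs and ports in it are constructed for illustration.

```python
import re

# Constructed sample of `tasklist /svc` output (not from a real host).
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== ================================
System                         4 N/A
svchost.exe                  812 RpcSs
svchost.exe                  904 LanmanWorkstation, Schedule,
                                 Messenger
svchost.exe                 1040 Dnscache
"""

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT_ANO = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    812
  UDP    0.0.0.0:1026       *:*                             904
  UDP    0.0.0.0:1027       *:*                             1040
  UDP    127.0.0.1:123      *:*                             904
"""

def services_by_pid(tasklist_text):
    """Map PID -> list of service names hosted by that process."""
    table, last = {}, None
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            last = int(m.group(2))
            table[last] = [s.strip() for s in m.group(3).split(",") if s.strip()]
        elif last is not None and line[:1].isspace() and line.strip():
            # Long service lists wrap onto indented continuation lines.
            table[last] += [s.strip() for s in line.split(",") if s.strip()]
    return table

def udp_listeners(netstat_text):
    """Return (address, port, pid) for every UDP socket in the listing."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "UDP":  # UDP rows have no State column
            addr, _, port = f[1].rpartition(":")
            out.append((addr, int(port), int(f[3])))
    return out

def messenger_udp_ports(tasklist_text, netstat_text, service="Messenger"):
    """Non-loopback UDP ports owned by the process hosting `service`.
    svchost.exe hosts several services, so these are candidates only."""
    pids = {pid for pid, svcs in services_by_pid(tasklist_text).items()
            if service.lower() in (s.lower() for s in svcs)}
    return sorted((port, addr) for addr, port, pid in udp_listeners(netstat_text)
                  if pid in pids and not addr.startswith("127."))
```
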
