Security Incidents mailing list archives

RE:


From: "Hay,Daniel" <DHay () EXCHANGE1 DREXEL EDU>
Date: Tue, 15 Oct 2002 14:51:33 -0400

We are in the same boat. We have udp/tcp 135-139 and 445 blocked but we still see the spam. We have identified 2 hosts on campus: 1 is a Linux box running RedHat 7.3, the other seems to be a Win2k box. I've done a quick check of the Linux box but it doesn't appear to be compromised; one thing I did notice from external scanning is that RPC on the Linux box is not configured correctly and allows forwarding of RPC requests. I've not checked the windows box yet but I was thinking maybe the requests were being forwarded from outside the campus network to hosts inside via these misconfigured RPC installations. Any thoughts? Am I way off base here?

Cheers
Danny 

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com] 
Sent: Tuesday, October 15, 2002 10:13 AM
To: Gary Flynn
Cc: incidents () securityfocus com; SReasoner () BarthElectric com; thor () hammerofgod com; prw () the-buddha com; 
cbrenton () chrisbrenton org
Subject: Re:

Gary, 

As a followup, I read the articles you have
listed...very interesting, particularly the
myNetWatchman article.  It doesn't exactly jive w/
what I've seen when testing in my lab:

I performed a packet capture while running a Perl
script that invoked the NetMessageBufferSend() API
call from a Win2K machine to an NT machine - each was
a standalone setup.  The actual message contents were
sent to TCP port 139 on the NT machine.

I'll do more testing in order to verify what's going
on at a network level...but my concern is that if UDP
135 is being used, and you say you've closed the
NetBIOS ports on your firewall...what's going on?  Do
you have an IDS that's picking anything up?  

The only thing I can think of is that these popups are
not originating from the other side of the
firewall...thoughts?   



--- Gary Flynn <flynngn () jmu edu> wrote:
H C wrote:

I did some testing...and after reading this thread and seeing the
DirectAdvertisers.com site, I decided to write up some code and see
what happened (the code is below).  I tested this on a network...and
it worked just fine.

I think some of the stuff is coming in on the MS-RPC port - 135. We
have all netbios over tcp ports blocked and we still see the spam.

Here is a good write-up that also contains a link to
good info about RPC and windows services:


http://www.mynetwatchman.com/kb/security/articles/popupspam/

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
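The question running through the thread is whether the Messenger-service popups are getting past the perimeter block on 135/137-139/445 or are being sent by hosts that are already inside the network. The following script is an added example and is not code from any of the posters; it reads firewall log lines in a hypothetical `key=value` format (constructed here, not a real device's format), picks out traffic to the ports the thread names, and splits it into three buckets: dropped at the perimeter, accepted from outside (the block is incomplete), and sent by an internal source (the popups originate inside, which is what the two campus hosts in Danny's reply would look like). The internal address ranges are placeholders.

```python
"""Sort firewall log lines by how Messenger-service popup traffic reaches hosts."""
import ipaddress
import re
from collections import Counter

# Delivery paths discussed in the thread: MS-RPC on 135 and the NetBIOS/SMB ports.
MESSENGER_PORTS = {
    ("udp", 135): "MS-RPC endpoint mapper",
    ("tcp", 135): "MS-RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram (mailslot)",
    ("tcp", 139): "NetBIOS session (SMB mailslot)",
    ("tcp", 445): "SMB over TCP",
}

# Hypothetical internal address space; replace with the real campus ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log lines (key=value layout invented for this example).
SAMPLE_LOG = """\
2002-10-15T10:01:02 proto=udp src=203.0.113.7:1029 dst=10.1.4.20:135 action=DROP
2002-10-15T10:01:05 proto=tcp src=198.51.100.9:4431 dst=10.1.4.20:139 action=DROP
2002-10-15T10:02:11 proto=udp src=10.1.9.33:1045 dst=10.1.4.20:135 action=ACCEPT
2002-10-15T10:02:12 proto=udp src=10.1.9.33:1046 dst=10.1.4.21:135 action=ACCEPT
2002-10-15T10:03:40 proto=tcp src=203.0.113.7:4500 dst=10.1.4.22:445 action=DROP
2002-10-15T10:04:00 proto=tcp src=10.1.9.33:1050 dst=10.1.4.20:80 action=ACCEPT
2002-10-15T10:04:01 this line is malformed and is counted as unparsed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$")


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True when the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(rec):
    """Label one record, or return None if it is not inbound Messenger-port traffic."""
    if (rec["proto"], rec["dport"]) not in MESSENGER_PORTS:
        return None
    if not is_internal(rec["dst"]):
        return None  # outbound traffic is not the question being asked
    if not is_internal(rec["src"]):
        return "perimeter_blocked" if rec["action"] == "DROP" else "external_accepted"
    return "internal_origin"


def summarize(log_text):
    """Count records per label and tally internal senders (the hosts worth checking)."""
    counts = Counter()
    senders = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        label = classify(rec)
        if label is None:
            continue
        counts[label] += 1
        if label == "internal_origin":
            senders[rec["src"]] += 1
    return counts, senders


def verdict(counts):
    """State whether the perimeter block is holding and where the popups come from."""
    if counts.get("external_accepted", 0):
        return "perimeter block incomplete: Messenger-port traffic accepted from outside"
    if counts.get("internal_origin", 0):
        return "perimeter block holding: popups originate from internal hosts"
    return "no Messenger-port delivery traffic observed"


if __name__ == "__main__":
    counts, senders = summarize(SAMPLE_LOG)
    print(dict(counts))
    print("internal senders:", dict(senders))
    print(verdict(counts))
```

On the constructed sample the external attempts on 135, 139 and 445 are all dropped, the only accepted Messenger-port traffic comes from 10.1.9.33, and the verdict points at that internal host; that is the outcome to expect when a port block is working but the spam keeps arriving, and the sender tally is the list of machines to inspect next.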
