Security Incidents mailing list archives
RE:
From: "Hay,Daniel" <DHay () EXCHANGE1 DREXEL EDU>
Date: Tue, 15 Oct 2002 14:51:33 -0400
We are in the same boat, We have udp/tcp 135-139 and 445 blocked but we still see the spam. We have identified 2 hosts on campus 1 is a Linux box running RedHat 7.3 the other seems to be a Win2k box. I've done a quick check of the Linux box but it doesn't appear to be compromised, one thing I did notice from external scanning is that RPC on the Linux box is not configured correctly and allows forwarding of RPC requests. I've not checked the windows box yet but I was thinking maybe the requests where being forwarded from outside the campus network to hosts inside via these misconfigured RPC installations. Any thoughts? Am I way off base here? Cheers Danny -----Original Message----- From: H C [mailto:keydet89 () yahoo com] Sent: Tuesday, October 15, 2002 10:13 AM To: Gary Flynn Cc: incidents () securityfocus com; SReasoner () BarthElectric com; thor () hammerofgod com; prw () the-buddha com; cbrenton () chrisbrenton org Subject: Re: Gary, As a followup, I read the articles you have listed...very interesting, particularly the myNetWatchman article. It doesn't exactly jive w/ what I've seen when testing in my lab: I performed a packet capture while running a Perl script that invoked the NetMessageBufferSend() API call from a Win2K machine to an NT machine - each was a standalone setup. The actual message contents were sent to TCP port 139 on the NT machine. I'll do more testing in order to verify what's going on at a network level...but my concern is that if UDP 135 is being used, and you say you've closed the NetBIOS ports on your firewall...what's going on? Do you have an IDS that's picking anything up? The only thing I can think of is that these popups are not originating from the other side of the firewall...thoughts? --- Gary Flynn <flynngn () jmu edu> wrote:
H C wrote:I did some testing...and after reading this threadandseeing the DirectAdvertisers.com site, I decidedtoright up some code and see what happened (the codeisbelow). I tested this on a network...and itworkedjust fine.I think some of the stuff is coming in on the MS-RPC port - 135. We have all netbios over tcp ports blocked and we still see the spam. Here is a good write-up that also contains a link to good info about RPC and windows services:
http://www.mynetwatchman.com/kb/security/articles/popupspam/
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
-- Gary Flynn Security Engineer - Technical Services James Madison University Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe
__________________________________________________ Do you Yahoo!? Faith Hill - Exclusive Performances, Videos & More http://faith.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: Hay,Daniel (Oct 15)
- RE: Hugo van der Kooij (Oct 15)
- Cacheflow proxy abuse (was: no subject) Alain Fauconnet (Oct 16)
- Re: Cacheflow proxy abuse (was: no subject) Hugo van der Kooij (Oct 16)
- Cacheflow proxy abuse (was: no subject) Alain Fauconnet (Oct 16)
- RE: popup msg spamming Pavel Kankovsky (Oct 15)
- RPC-Spam issue, was => RE: H C (Oct 15)
- RE: T. Willner, Elitetraderz.com (Oct 16)
- Re: Gary Flynn (Oct 16)
- RE: Hugo van der Kooij (Oct 15)