Security Incidents mailing list archives
Re: Source of Windows PopUp SPAM
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 17 Oct 2002 13:49:26 -0400
H C wrote:
Many of the posts to this list have clearly shown that this "messenger spam" is not, in fact, coming in over TCP port 139 (as works w/ 'net send'
Carv and all, A 'net send' sent a message in my tests using UDP-135. I suspect is varies with what protocols are bound by the applications in questions and the machines in use. The test systems I used did not have netbios/tcp bound (139). The message was sent from an XP professional machine to an XP home machine. RPC can use many different underlying protocols as transport. The applications decide which protocols to use as endpoints. Details are here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/selecting_a_protocol_sequence.asp (may wrap) I don't know what the Messenger service and net send use but it seems from what everybody has said that they at least support both tcp/netbios(139) and dynamic ports provided by the UDP-135 mapper. I suspect they also support netbeui but don't have any evidence of that. Tools that may provide more information can be found on the Bindview site below. I haven't made the time yet to sort out all the classids to figure out what is actually happening: http://razor.bindview.com/tools/desc/rpctools1.0-readme.html -- Gary Flynn Security Engineer - Technical Services James Madison University Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Source of Windows PopUp SPAM Lawrence Baldwin (Oct 14)
- RE: Source of Windows PopUp SPAM Brenna Primrose (Oct 16)
- <Possible follow-ups>
- RE: Source of Windows PopUp SPAM Lawrence Baldwin (Oct 15)
- Re: Source of Windows PopUp SPAM Ron Trenka (Oct 16)
- Re: Source of Windows PopUp SPAM Michael Katz (Oct 16)
- Re: Source of Windows PopUp SPAM Nick FitzGerald (Oct 17)
- Re: Source of Windows PopUp SPAM Ron Trenka (Oct 16)
- RE: Source of Windows PopUp SPAM H C (Oct 16)
- RE: Source of Windows PopUp SPAM Rob Keown (Oct 16)
- RE: Source of Windows PopUp SPAM H C (Oct 17)
- Re: Source of Windows PopUp SPAM Gary Flynn (Oct 17)
- RE: Source of Windows PopUp SPAM H C (Oct 17)
- Re: Source of Windows PopUp SPAM Richard Akerman (Oct 18)
- Re: Source of Windows PopUp SPAM David Kennedy CISSP (Oct 20)