Security Incidents mailing list archives

RE: Strange Message


From: "Jason Robertson" <jason () ifuture com>
Date: Fri, 11 Oct 2002 19:18:09 -0400

I would actually recommend the block 135-140 tcp/udp be blocked (135 and 136 are also used by NetBIOS), and 445.

On 11 Oct 2002 at 10:24, John Stauffacher wrote:

From:                   "John Stauffacher" <stauffacher () chapman edu>
To:                     "'Chris Brenton'" <cbrenton () chrisbrenton org>,
        "'Reasoner, Scott'" <SReasoner () BarthElectric com>
Copies to:              <incidents () securityfocus com>
Subject:                RE: Strange Message
Date sent:              Fri, 11 Oct 2002 10:24:39 -0700
Mailer:                 Microsoft Outlook, Build 10.0.3416

http://www.directadvertiser.com is the source of a lot of this. Their
app is used by spammers to send win-popups to machines....not just one
machine at a time, but whole blocks....


I would suggest firewalling off 137,138,139,445 (tcp AND udp) .... or
just not attach NetBEUI to tcp/ip ....

-John Stauffacher

++
John Stauffacher
Network Administrator
Chapman University
stauffacher () chapman edu
714-628-7249

-----Original Message-----
From: Chris Brenton [mailto:cbrenton () chrisbrenton org] 
Sent: Friday, October 11, 2002 9:24 AM
To: Reasoner, Scott
Cc: incidents () securityfocus com
Subject: Re: Strange Message

On Fri, 2002-10-11 at 10:07, Reasoner, Scott wrote:

At my organization, we run the Microsoft ISA Server to provide controlled
internet access on our internal network.

Hummm. Wasn't there an article a while back that Microsoft themselves
were yanking ISA and replacing them with Netscreen to get better
security? ;-)

This morning when I came in, there was a Windows Messenger Service message
on the screen (like from when you use the NET SEND command). Its contents
were advertising for college diplomas (almost exactly the same text as
some SPAM I've received).

I have not seen this but it does not surprise me. Between formmail, war
spamming, etc. etc. it was only a matter of time before they tried this
as well.

So, I'm curious, has anyone seen SPAM through the messenger service like
this, or should I be concerned about a system compromise?

I would certainly be concerned as this indicates you have NetBIOS/IP
exposed to the Internet. Chances are this spammer was not the first
person to notice this was exposed. Have you disabled null session
capability? If not this could be serious.

Do you log successful logon and logoff attempts as well as limit logon
tries to something like 3 failures? I ask because if the answer to both
of these questions is "no", it would be trivial to use something like
the NetBIOS Auditing Tool to enumerate all of your logon accounts and do
brute force cracking over the wire. Someone could own your box right now
and you would not be the wiser if these features are not enabled. If
they are enabled, the chances that someone else owns your box are lower
but certainly not impossible. An MD5 check of the file system is
certainly in order.

BTW, this is more of a general comment to everyone, if you run into a
problem like this and post to a public forum it's a good idea to post
the message from a Hotmail, Yahoo, etc. account as otherwise you let a
very large group of people know where you are and how they can break in.

HTH,
Chris
-- 
************************************** 
cbrenton () chrisbrenton org

find / -name \*yourbase\* -exec chown us:us {} \; 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com






--
Jason Robertson
Now at the National Research Council.
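Chris's advice above (audit logon/logoff and limit logon tries to about 3 failures) turned into a small detection pass. This is an added example, not code from anyone in the thread; the log line format and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread): one logon event
# per line with timestamp, outcome, account and source address.
SAMPLE_LOG = """\
2002-10-11 02:13:01 LOGON FAILURE user=Administrator src=10.0.0.1
2002-10-11 02:13:02 LOGON FAILURE user=Administrator src=10.0.0.1
2002-10-11 02:13:03 LOGON FAILURE user=Administrator src=10.0.0.1
2002-10-11 02:13:04 LOGON FAILURE user=Administrator src=10.0.0.1
2002-10-11 02:13:05 LOGON SUCCESS user=Administrator src=10.0.0.1
2002-10-11 08:01:10 LOGON FAILURE user=sreasoner src=192.168.1.20
2002-10-11 08:01:30 LOGON SUCCESS user=sreasoner src=192.168.1.20
2002-10-11 09:45:00 LOGON SUCCESS user=jdoe src=192.168.1.31
"""

# Assumed line layout for the constructed records above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGON (?P<outcome>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("outcome"), m.group("user"), m.group("src")

def detect_bruteforce(log_text, max_failures=3):
    """Flag (user, src) pairs that exceed max_failures consecutive failures,
    and a success that follows such a run (a guessed password, the case
    Chris describes as 'someone could own your box right now')."""
    failures = defaultdict(int)   # (user, src) -> consecutive failure count
    findings = []
    for ts, outcome, user, src in parse(log_text):
        key = (user, src)
        if outcome == "FAILURE":
            failures[key] += 1
            if failures[key] == max_failures + 1:
                findings.append(("LOCKOUT_THRESHOLD_EXCEEDED", user, src, ts))
        else:
            if failures[key] > max_failures:
                findings.append(("SUCCESS_AFTER_BRUTEFORCE", user, src, ts))
            failures[key] = 0     # a success ends the failure run
    return findings

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(*finding)
```

With lockout actually enforced at 3 failures, the first finding would be the lockout event itself and the success line could not occur; the second finding only appears on hosts where the limit is not set.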




