Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re:

From: H C <keydet89 () yahoo com>
Date: Tue, 15 Oct 2002 07:12:57 -0700 (PDT)
Gary, 

As a followup, I read the articles you have
listed...very interesting, particularly the
myNetWatchman article.  It doesn't exactly jive w/
what I've seen when testing in my lab:

I performed a packet capture while running a Perl
script that invoked the NetMessageBufferSend() API
call from a Win2K machine to an NT machine - each was
a standalone setup.  The actual message contents were
sent to  TCP port 139 on the NT machine.  

I'll do more testing in order to verify what's going
on at a network level...but my concern is that if UDP
135 is being used, and you say you've closed the
NetBIOS ports on your firewall...what's going on?  Do
you have an IDS that's picking anything up?  

The only thing I can think of is that these popups are
not originating from the other side of the
firewall...thoughts?   



--- Gary Flynn <flynngn () jmu edu> wrote:

H C wrote:


I did some testing...and after reading this thread

and

seeing the DirectAdvertisers.com site, I decided

to

right up some code and see what happened (the code

is

below).  I tested this on a network...and it

worked

just fine.


I think some of the stuff is coming in on the MS-RPC
port - 135. We have all netbios over tcp ports
blocked
and we still see the spam.

Here is a good write-up that also contains a link to
good info about RPC and windows services:



http://www.mynetwatchman.com/kb/security/articles/popupspam/



http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



__________________________________________________
Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More
http://faith.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: