Re: Stopping Admin Alert SPAM
From: Michael Katz (mike@procinct.com)
Date: 01/23/03
Date: Thu, 23 Jan 2003 11:57:34 -0800
To: <focus-ms@securityfocus.com>
From: Michael Katz <mike@procinct.com>
At 1/22/2003 07:41 AM, Ed Sunder wrote:
>Okay, I haven't found a good answer to this online and would appreciate
>any advice this group has... Our servers are being deluged with Admin
>Alert Spams. At a certain point, particularly over a weekend, with no
>one actively looking at the machine, if there are enough messages it can
>cause some services to shut down. I read that blocking ports 137-139
>would stop these messages, but I did that in our firewall and yet the
>messages still came.
Based on what you describe, it appears that you are receiving Windows
pop-up messages generated by the Messenger service. This is _not_ the same
thing as Microsoft's MSN Messenger instant messaging client. The Messenger
service is enabled by default on Windows 2000, NT and XP systems.
>I'm wondering:
>1) If I disable the messenger service on the server, could there be any
>bad ramifications of that, other than potentially not receiving
>legitimate messages about system shutdowns etc.? Also, would that stop
>the problem?
If you disable the Messenger service, there are unlikely to be any bad
ramifications (except as you noted). Stopping and disabling the Messenger
service _will_ stop these messages.
>2) Is there some other way to stop these messages? Are they coming in on
>another port etc.?
These messages are initiated by a request to UDP port 135 (Microsoft's RPC
endpoint mapper), so if you block incoming traffic to UDP port 135, this should
stop these messages. Blocking this port at the network perimeter is a
standard security recommendation.
I recommend that you block at the firewall _and_ disable the service. In
fact, your firewall should be configured to only explicitly permit traffic
that you have specified. It sounds like you are blocking a few specific
ports, when you really should be blocking _all_ ports and allowing traffic
to the few specific ports to which you want to provide access.
Michael Katz
mike@procinct.com
Procinct Security
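The reply's point about block-lists versus default-deny can be shown with a small model of a first-match packet filter. The following is an added example, not code from the mailing-list thread or from Procinct Security: it runs a few constructed inbound packets through two rulesets, the block-list the original poster described (NetBIOS 137-139 denied, everything else allowed) and the default-deny ruleset the reply recommends (everything denied unless explicitly permitted). The web-server ports 80/443 used as the "intended services" are an assumption for illustration; the other port numbers come from the thread.

```python
"""Compare a port block-list against a default-deny ruleset.

Added example (not from the original mailing-list post). It models a
first-match stateless packet filter and evaluates constructed inbound
packets under two policies: the block-list described in the thread
(ports 137-139 denied, default allow) and the default-deny policy the
reply recommends (default deny, explicit allows only).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dports: range          # destination ports matched (end exclusive)
    note: str = ""


@dataclass(frozen=True)
class Policy:
    name: str
    rules: List[Rule]
    default: str           # action taken when no rule matches


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    note: str = ""


def evaluate(policy: Policy, pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for pkt under policy; the first matching rule wins."""
    for rule in policy.rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if pkt.dport not in rule.dports:
            continue
        return rule.action, rule.note
    return policy.default, f"{policy.name}: default {policy.default}"


# The poster's configuration: deny NetBIOS 137-139, allow everything else.
BLOCKLIST = Policy(
    name="blocklist",
    rules=[Rule("deny", "any", range(137, 140), "NetBIOS 137-139 blocked")],
    default="allow",
)

# The recommended configuration: deny everything, then permit only the
# services the site intends to expose (hypothetical web server, 80/443).
DEFAULT_DENY = Policy(
    name="default-deny",
    rules=[
        Rule("allow", "tcp", range(80, 81), "public web server"),
        Rule("allow", "tcp", range(443, 444), "public web server (TLS)"),
    ],
    default="deny",
)

# Constructed inbound traffic: port numbers from the thread plus the two web ports.
INBOUND = [
    Packet("udp", 135, "Messenger pop-up request via RPC endpoint mapper"),
    Packet("udp", 137, "NetBIOS name service"),
    Packet("tcp", 139, "NetBIOS session service"),
    Packet("tcp", 80, "HTTP to the web server"),
    Packet("tcp", 443, "HTTPS to the web server"),
]

# Services the site actually means to expose (assumed for the example).
INTENDED = {("tcp", 80), ("tcp", 443)}


def decisions(policy: Policy) -> Dict[Tuple[str, int], str]:
    """Map (proto, dport) -> action for each constructed inbound packet."""
    return {(p.proto, p.dport): evaluate(policy, p)[0] for p in INBOUND}


def leaks(policy: Policy) -> List[Tuple[str, int]]:
    """Traffic the policy admits that is not to an intended service."""
    return sorted(k for k, a in decisions(policy).items()
                  if a == "allow" and k not in INTENDED)


if __name__ == "__main__":
    for pol in (BLOCKLIST, DEFAULT_DENY):
        print(f"== {pol.name} ==")
        for pkt in INBOUND:
            action, why = evaluate(pol, pkt)
            print(f"{pkt.proto}/{pkt.dport:<4} {action:<5} {pkt.note} ({why})")
        print("unintended traffic admitted:", leaks(pol) or "none")
```

Run as a script, the block-list policy reports UDP/135 as admitted, which is exactly why the poster's 137-139 block did not stop the pop-ups, while the default-deny policy admits only the two web ports and needs no per-port knowledge of the Messenger service to block it.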