Re: Strange Message
From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: Fri, 11 Oct 2002 09:28:47 -0700
To: "Reasoner, Scott" <SReasoner@BarthElectric.com>, email@example.com
From: "Deus, Attonbitus" <Thor@HammerofGod.com>
At 07:07 AM 10/11/2002, Reasoner, Scott wrote:
>At my organization, we run the Microsoft ISA Server to provide controlled
>internet access on our internal network. This morning when I came in, there
>was a Windows Messenger Service message on the screen (like from when you
>use the NET SEND command). Its contents were advertising for college
>diplomas (almost exactly the same text as some SPAM I've received). I'm
>assuming this means that the ports used for SMB are not being properly
>blocked from the internet (something that I know needs to be fixed).
>So, I'm curious, has anyone seen SPAM through the messenger service like
>this, or should I be concerned about a system compromise? My initial
>investigation of the machine shows nothing else out of the ordinary.
Something similar was posted to another list- in fact, I thought you were
the same poster, but it does not look like it. They reported the same
message box, but an event logged with the following info:
Application popup: Messenger Service : Message from WEBPOPUP02 to xxx on
10/11/2002 3:03:48 AM
U N I V E R S I T Y D I P L O M A S
Obtain a prosperous future, money earning power,
and the admiration of all.
1 - 6 1 5 - 3 6 6 - 7 8 0 3
They reported that the only thing open on the server was 80. By default,
ISA will block everything you don't allow in, but if you have configured
ISA to open all/block specific, then you should know that the "ALL NetBIOS"
filter did not include port 445- I reported this to MS and they said they
fixed it in SP1. But that said, I doubt that is what is going on... Do
you have an event log entry for the messenger service as well? Same
WEBPOPUP02 box? And when you say there was a "message on the screen," was
it on the ISA box or your own box inside the protected network?
Assuming your ISA is configured properly and the other poster was also
correct in only 80 being open, then it looks like there might be some
sneaky way of invoking messenger. Or, someone is sending email attachments
out that get executed internally that do a NET SEND EVERYONE or something
like that. Hmmmm.
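As an added illustration (not code from the thread or from either poster), a small Python triage script over constructed samples of the Messenger Service event quoted above: it parses the "Application popup" header, undoes the spaced-letter obfuscation, and flags popups whose sender is not on a hypothetical allow-list of internal hosts that legitimately use NET SEND.

```python
import re

# Constructed sample events modelled on the log entry quoted in the thread
# (not real captures): one spam popup and one legitimate admin broadcast.
SAMPLE_EVENTS = [
    "Application popup: Messenger Service : Message from WEBPOPUP02 to xxx on "
    "10/11/2002 3:03:48 AM\n"
    "U N I V E R S I T Y D I P L O M A S\n"
    "Obtain a prosperous future, money earning power,\n"
    "and the admiration of all.\n"
    "1 - 6 1 5 - 3 6 6 - 7 8 0 3",
    "Application popup: Messenger Service : Message from FILESRV01 to xxx on "
    "10/11/2002 8:15:02 AM\n"
    "Backup window starts at 22:00, please log off.",
]

# Hypothetical allow-list of hosts that legitimately issue NET SEND on the LAN.
KNOWN_SENDERS = {"FILESRV01", "DC01"}

HEADER = re.compile(
    r"Application popup: Messenger Service : Message from (?P<sender>\S+) "
    r"to (?P<recipient>\S+) on (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
)
PHONE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")


def collapse_spaced_letters(line):
    """Undo 'U N I V E R S I T Y' style spacing used to dodge keyword filters."""
    tokens = line.split()
    if len(tokens) >= 4 and all(len(t) == 1 for t in tokens):
        return "".join(tokens)
    return line


def parse_event(text):
    """Split one Messenger Service popup event into header fields and body."""
    head, _, body = text.partition("\n")
    m = HEADER.match(head)
    if not m:
        return None
    lines = [collapse_spaced_letters(ln) for ln in body.splitlines()]
    return {**m.groupdict(), "body": body, "normalized": "\n".join(lines)}


def assess(event, known_senders=KNOWN_SENDERS):
    """Return the reasons a popup looks like unsolicited or external traffic."""
    reasons = []
    if event["sender"].upper() not in known_senders:
        reasons.append("sender not in allow-list")
    if event["normalized"] != event["body"]:
        reasons.append("spaced-letter obfuscation")
    if PHONE.search(event["normalized"]):
        reasons.append("phone number in body")
    return reasons
```

Any popup flagged for an unknown sender is worth correlating with firewall logs for inbound 135/139/445, the path the thread suspects.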
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com