Re: Strange Message

From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: 10/11/02


Date: Fri, 11 Oct 2002 09:28:47 -0700
To: "Reasoner, Scott" <SReasoner@BarthElectric.com>, incidents@securityfocus.com
From: "Deus, Attonbitus" <Thor@HammerofGod.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 07:07 AM 10/11/2002, Reasoner, Scott wrote:
>At my organization, we run the Microsoft ISA Server to provide controlled
>internet access on our internal network. This morning when I came in, there
>was a Windows Messenger Service message on the screen (like from when you
>use the NET SEND command). Its contents were advertising college
>diplomas (almost exactly the same text as some SPAM I've received). I'm
>assuming this means that the ports used for SMB are not being properly
>blocked from the internet (something that I know needs to be fixed).
>
>So, I'm curious, has anyone seen SPAM through the messenger service like
>this, or should I be concerned about a system compromise? My initial
>investigation of the machine shows nothing else out of the ordinary.

Something similar was posted to another list; in fact, I thought you were
the same poster, but it does not look like it. They reported the same
message box, but an event logged with the following info:

<snip>
Application popup: Messenger Service : Message from WEBPOPUP02 to xxx on
10/11/2002 3:03:48 AM

U N I V E R S I T Y D I P L O M A S

Obtain a prosperous future, money earning power,
and the admiration of all.

1 - 6 1 5 - 3 6 6 - 7 8 0 3
</snip>

They reported that the only thing open on the server was 80. By default,
ISA will block everything you don't allow in, but if you have configured
ISA to open all/block specific, then you should know that the "ALL NetBIOS"
filter did not include port 445; I reported this to MS and they said they
fixed it in SP1. But that said, I doubt that is what is going on... Do
you have an event log entry for the messenger service as well? Same
WEBPOPUP02 box? And when you say there was a "message on the screen," was
it on the ISA box or your own box inside the protected network?

Assuming your ISA is configured properly and the other poster was also
correct in only 80 being open, then it looks like there might be some
sneaky way of invoking messenger. Or, someone is sending email attachments
out that get executed internally that do a NET SEND EVERYONE or something
like that. Hmmmm.

- --
AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPab8P4hsmyD15h5gEQKragCglfuF1EK1dPDeB1O8XNqOOIUyUJYAoIZ7
1VnjUlx1RzyBP6mCEhkPQtjF
=FKQb
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
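The triage the reply above asks for (is the event logged on the box where the popup appeared, does it name the same sending machine, is that machine one of your own, and does the firewall filter actually cover every port a Messenger Service message can arrive on) as an added Python example. This is not code from the original post, from SecurityFocus or from ISA Server. The sample event text is constructed after the Application popup event quoted in the reply plus one invented legitimate NET SEND, the known-sender list and the two port sets are assumptions, and the port list itself comes from general knowledge of how the Messenger Service is reached (RPC endpoint mapper, NetBIOS name and datagram services, SMB over NetBIOS and direct-host SMB on 445) rather than from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample event text, modelled on the Application popup event
# quoted in the reply; the second event is an invented legitimate NET SEND.
SAMPLE_EVENTS = [
    "Application popup: Messenger Service : Message from WEBPOPUP02 to xxx on "
    "10/11/2002 3:03:48 AM\n\nU N I V E R S I T Y D I P L O M A S\n\n"
    "Obtain a prosperous future, money earning power,\nand the admiration of all.\n\n"
    "1 - 6 1 5 - 3 6 6 - 7 8 0 3",
    "Application popup: Messenger Service : Message from FILESRV01 to xxx on "
    "10/11/2002 8:15:02 AM\n\nServer rebooting in 5 minutes, please save your work.",
]

# Assumed: machines on the protected network that legitimately use NET SEND.
KNOWN_INTERNAL_SENDERS = {"FILESRV01", "DC01"}

# Assumed, from general knowledge of the service rather than from the post:
# ports through which a Messenger Service message can be delivered.
MESSENGER_PORTS = {
    ("tcp", 135), ("udp", 135), ("udp", 137), ("udp", 138),
    ("tcp", 139), ("tcp", 445),
}

# Assumed shape of a NetBIOS-only block list, i.e. a filter that covers the
# classic NetBIOS ports but leaves out direct-host SMB on 445.
NETBIOS_ONLY_FILTER = {
    ("tcp", 135), ("udp", 135), ("udp", 137), ("udp", 138), ("tcp", 139),
}

POPUP_RE = re.compile(
    r"^Application popup: Messenger Service : Message from (?P<sender>\S+) "
    r"to (?P<recipient>\S+) on (?P<when>.+?)\s*$",
    re.MULTILINE,
)


@dataclass
class PopupEvent:
    sender: str      # NetBIOS name the message claims to come from
    recipient: str   # name the message was addressed to
    when: str        # timestamp text exactly as logged
    body: str        # message text that was shown in the popup


def parse_popup(event_text: str) -> Optional[PopupEvent]:
    """Split an Application popup event into sender, recipient, time and body."""
    m = POPUP_RE.search(event_text)
    if not m:
        return None
    return PopupEvent(
        sender=m.group("sender"),
        recipient=m.group("recipient"),
        when=m.group("when"),
        body=event_text[m.end():].strip(),
    )


def looks_like_ad(body: str) -> bool:
    """This kind of spam spaces the digits of a phone number out; collapse
    whitespace and dashes, then look for a run of ten or more digits."""
    return re.search(r"\d{10,}", re.sub(r"[\s-]", "", body)) is not None


def is_suspicious(ev: PopupEvent, known_senders) -> bool:
    """Flag a popup whose sender is not one of our own hosts or whose body
    advertises a phone number; either is worth pulling the firewall logs for."""
    return ev.sender not in known_senders or looks_like_ad(ev.body)


def suspicious_senders(events, known_senders=KNOWN_INTERNAL_SENDERS):
    """Return (sender, time) pairs to chase; the same sender name across
    several reports points at one external source."""
    hits = []
    for text in events:
        ev = parse_popup(text)
        if ev is not None and is_suspicious(ev, known_senders):
            hits.append((ev.sender, ev.when))
    return hits


def uncovered_ports(blocked):
    """Messenger-reachable ports that a block list still leaves open."""
    return sorted(MESSENGER_PORTS - set(blocked))


if __name__ == "__main__":
    print("suspicious:", suspicious_senders(SAMPLE_EVENTS))
    print("still open:", uncovered_ports(NETBIOS_ONLY_FILTER))
```

Run against the constructed events the only hit is WEBPOPUP02, and the NetBIOS-only filter leaves exactly TCP 445 open, which is the gap the reply describes; feed it the text of your own Application popup events and your own block list to answer the two questions the reply raises.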


