From: H C (
Date: 10/15/02

Date: Tue, 15 Oct 2002 07:12:57 -0700 (PDT)
From: H C <>
To: Gary Flynn <>


As a followup, I read the articles you have
listed...very interesting, particularly the
myNetWatchman article. It doesn't exactly jive w/
what I've seen when testing in my lab:

I performed a packet capture while running a Perl
script that invoked the NetMessageBufferSend() API
call from a Win2K machine to an NT machine - each was
a standalone setup. The actual message contents were
sent to TCP port 139 on the NT machine.

I'll do more testing in order to verify what's going
on at a network level...but my concern is that if UDP
135 is being used, and you say you've closed the
NetBIOS ports on your firewall...what's going on? Do
you have an IDS that's picking anything up?

The only thing I can think of is that these popups are
not originating from the other side of the

--- Gary Flynn <> wrote:
> H C wrote:
> >
> > I did some testing...and after reading this thread
> and
> > seeing the site, I decided
> to
> > right up some code and see what happened (the code
> is
> > below). I tested this on a network...and it
> worked
> > just fine.
> I think some of the stuff is coming in on the MS-RPC
> port - 135. We have all netbios over tcp ports
> blocked
> and we still see the spam.
> Here is a good write-up that also contains a link to
> good info about RPC and windows services:
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
> Please R.U.N.S.A.F.E.

Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: