Re: Microsoft "Messenger Service"

From: Richard Akerman (rakerman@bigfoot.com)
Date: 10/12/02

• Next message: Thom Stark: "Seeking short interviews with VARs doing security solutions"
• Previous message: : "Re: newish style of formmail attempts"
• In reply to: hector: "Re: Microsoft "Messenger Service""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: rakerman@bigfoot.com (Richard Akerman)
Date: 12 Oct 2002 12:37:31 -0700

"hector" <nospam@nospam.com> wrote in message news:<3Jnk9.13116$Ov6.2175405@e3500-atl1.usenetserver.com>...
> I was the original poster on this thread:
>
> I have since thing do all sorts of things to isolate my machine. I have not
> had it happen again since the original post I'm a developer and I'm very
> careful with things. I don't play e-games. I don't download anything I am
> aware about. The only thing not in my control is Microsoft's software, in
> particular Outlook and OE. On that original day it happen to me, I did
> the the following:
>
> 1) I was working from HOME on my Windows 2000/PRO machine. It is connected
> via ADSL.
>
> 2) It look like a NET SEND command which if I remember my netbios
> programming days, it is a NETBIOS functionality which means I must of had
> one the Microsoft netbeui ports open. I don't. To confirm this, I
> connected to my office machine via PCAnyWhere and issued a NET SEND to my
> home machine IP. It could not find the machine. I don't believe you can
> use NET SEND if the proper Microsoft ports 135-137 are not open. Maybe
> others can confirm this.

Check out these links on the NET SEND messenger spam issue

http://www.dslreports.com/forum/remark,4675583~root=security,1~mode=flat;start=20#4687551

http://www.dslreports.com/forum/remark,4675858~root=security,1~mode=flat#4682964

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

The summary is it is using port 135, which is sneaky, because it's not
blocked by the usual NetBIOS filters.

-- Richard Akerman
http://www.akerman.ca/trojan-port-table.html#netsend

---

• Next message: Thom Stark: "Seeking short interviews with VARs doing security solutions"
• Previous message: : "Re: newish style of formmail attempts"
• In reply to: hector: "Re: Microsoft "Messenger Service""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: What are these ports? ... >>properly it keeps the connection around long enough to make sure the close ... I do have MS NTP client turned off. ... > Since I am not using NetBios why does it seem that the ports are open? ... You will still be using NetBIOS locally even if you aren't using it over the ... (microsoft.public.windowsxp.network_web) Re: Domain Controller port numbers ... Here is a list of ports... ... NetBIOS datagram service 138/udp ... Service overview and network port requirements for the Windows Server system ... > Windows cannot obtain the domain controller name for your computer ... (microsoft.public.windows.server.general) RE: nc help needed. ... You can even get Netcat to listen on the NETBIOS ports that are probably ... user can run a program that will bind to the NETBIOS ports. ... (Security-Basics) Can only view locally. ... resolved properly to your home machine - this is not a ... please note that you will need to open more ports ... at the server to ... >My web site runs on port 8082 because my Service ... (microsoft.public.windowsmedia.server) Re: Zone Labs Pro question ... NetBIOS is disabled but I'm still getting ... Can you tell me how I block outgoing TCP on ports ... > alerting function in the pro version allows for various levels of alerts. ... (comp.security.firewalls)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)