Re: Application Popup Messenger Service SPAM

From: jj (unixquest@hotmail.comNoSpam)
Date: 10/24/02


From: "jj" <unixquest@hotmail.comNoSpam>
Date: Thu, 24 Oct 2002 21:39:52 GMT


"Karl Levinson [x y] MVP" <levinson_k@excite.com> wrote:
>
> NO NO NO. Use a firewall. You don't need or want TCP and UDP ports 135
> through 139 or 445 to pass to the internet or from the internet in either
> direction. It is a very large security risk. Hackers can get a list of
> login IDs on your system and then try to log in and crack the password,
> among other things. If you don't believe me, check out the live real-time
> hacking statistics at www.dshield.org and check out how often hackers scan
> those ports, then ask yourself why they're scanning those ports so often.
>
> It is not a bad idea to also disable the Messenger service, but I think it
> is a mistake to not also use a firewall, unless you have a really good
> reason to do so.
>
> ===========

But I *do* use a firewall -- Zone Alarm. The defaults set by Zone Alarm
itself to allow svchost.exe & services.exe Internet Server/Allow privileges
were the culprit in this case, as far as I can tell. I check Zone Alarm logs
often; it seems to do a good job. I cannot do a ping nor tracert from any
outside computer. GRC leak test and Shields Up tests show Stealth Mode on
ALL ports, so either this is a false positive Stealth, or something else is
getting through; that is why I thought it might be a trojan. But as far as I
can tell, my system is clean. AnalogX proxy is bound to the NIC serving the
cable modem, and other computers on the home network have isolated NICs to
this. File sharing is done on separate NICs using IPX only; there should be
no broadcasting of anything to the internet.

If svchost.exe and services.exe are not the culprit here, then give me a clue
on what is. I have changed both to "ask for privileges" in Zone Alarm to see
if I can find out if another program or service is responsible. I am trying
to read up on RPC to see if I can get any clues. Any thoughts about all this
most welcome.

j
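
Added example, not part of either post: a check of the rule in the quoted advice, flagging any connection record where TCP or UDP ports 135 through 139 or 445 cross between the home network and the Internet in either direction. The record format, the LAN range 192.168.0.0/24 and the sample records are constructed assumptions, not Zone Alarm's log format.

```python
import ipaddress

# Ports named in the quoted advice: 135 through 139, and 445 (TCP and UDP).
BLOCKED_PORTS = set(range(135, 140)) | {445}

# Assumption: the home network's address range.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample records, hypothetical format:
#   PROTO src_ip:src_port -> dst_ip:dst_port
SAMPLE_LOG = """\
UDP 203.0.113.7:4021 -> 192.168.0.10:135
TCP 192.168.0.10:1045 -> 198.51.100.20:445
TCP 192.168.0.10:1050 -> 192.168.0.11:139
TCP 192.168.0.10:1061 -> 198.51.100.30:80
UDP 198.51.100.99:31337 -> 192.168.0.10:137
"""

def parse(line):
    """Split one record into (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, int(src_port), dst_ip, int(dst_port)

def violations(log_text):
    """Return (direction, proto, dst_port, line) for boundary-crossing hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, src_ip, _sport, dst_ip, dport = parse(line)
        src_in = ipaddress.ip_address(src_ip) in LAN
        dst_in = ipaddress.ip_address(dst_ip) in LAN
        if src_in == dst_in:
            continue  # both inside (or both outside): not crossing the boundary
        if proto in ("TCP", "UDP") and dport in BLOCKED_PORTS:
            direction = "inbound" if dst_in else "outbound"
            hits.append((direction, proto, dport, line))
    return hits

if __name__ == "__main__":
    for direction, proto, port, line in violations(SAMPLE_LOG):
        print(f"{direction:8} {proto}/{port}: {line}")
```

LAN-to-LAN file sharing on port 139 is not flagged; only records that cross between the LAN range and any other address count.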


