

scottkeen

join:2001-06-05
Kailua Kona, HI

Messenger Service window popped up on my Server!

My Win2K Server, located at a data center, had a Windows Messenger Service window pop up on the desktop when I checked the server today. It had a couple of Messenger Service windows, all of them spam for university degrees. I don't believe the sending computer "DEGREES" was a legitimate name for the server.

I have anti-virus running on the server, but there's a good chance that other servers at the data center are compromised and broadcasting NET SENDs to the other servers at the data center.

Is there any way to track this down?


Rdax
Premium
join:2001-05-18
El Dorado, AR

Another thread going (just started also).
»I can't explain this.


psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to scottkeen

said by bigtuna:
My Win2K Server, located at a data center, had a Windows Messenger Service window pop up on the desktop when I checked the server today. It had a couple of Messenger Service windows, all of them spam for university degrees. I don't believe the sending computer "DEGREES" was a legitimate name for the server.
Wow, I can't decide whether this sounds like a desperate spammer or what... was this Win2K server visible from the Internet?

Thanks,

Philip Sloss


scottkeen

join:2001-06-05
Kailua Kona, HI

Yes, my server is at a data center and is serving as an IIS web server and SQL Server.

I just ran Trojan Hunter and everything came up negative.

I suspect that there is a compromised server at the data center. I know I can see other servers at the data center just by going to the SQL Server Enterprise Manager, and voila -- all the servers running SQL at the data center are visible.

Any ideas on how to track the source of a NET SEND?



scottkeen

join:2001-06-05
Kailua Kona, HI

reply to scottkeen
Hmmm, disregard my comments that I think it's from a data-center server...

I just did a NET SEND from my computer at home to the IP address of my server at the data center, and the message box popped up on the server...

Uggggh...

This could be a serious DDoS issue, not to mention using up memory resources.

I don't have a firewall on the server... looks like it's time to get one.

Anyone like the Netgear FR314? $50 for one on eBay is pretty attractive



ZeCanard
The Cosmic Duck

join:2002-09-26
Euless, TX

One of our stations at work got that message too. Thing is, all our stations are clones of one another, so my guess is it's trying a bunch of different IP addresses and sending a net send to those IPs.


rakerman

join:2002-09-28
Ottawa, ON

reply to scottkeen

Re: Messenger Service window popped up on my Server!

Based on the reports I am seeing, there is an upsurge in "NET SEND" spam.

There's a thread on it in Slashdot today.

»ask.slashdot.org/article.pl?sid=···/1945240
The best resource I have found is an article from TechTV

»www.techtv.com/screensavers/answ···2,00.htm
If you're new to NetBIOS-over-TCP, I also suggest

»www.microsoft.com/windows2000/te···wcug.htm
I'm going to put these on my webpage shortly.
--
Richard Akerman
http://www.akerman.ca/trojan-port-table.html (covers trojan ports as well as general broadband security)


Locnar
The Malevolent Sphere
Premium
join:2000-10-12
GeekLand

reply to scottkeen

Re: Messenger Service window popped up on my Server!

I had this same thing happen to me a week or so ago; it was my fault for getting them too. I had been doing some 'housecleaning' on the ports in my router, an RT314. The address on my machine is 192.168.0.10 and I set the router to send all unsolicited traffic to 192.168.0.100, but I accidentally left off one of the '0's and sent all traffic to my machine *sigh*. Because of this, I started getting these damn Net Sends; after I reset the 'bit bin' IP back to 192.168.0.254 all the net sends stopped.
--
Growing old is mandatory; growing up is optional.


scottkeen

join:2001-06-05
Kailua Kona, HI

reply to scottkeen
I've just disabled the Messenger service.

command prompt...

NET STOP messenger


psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to rakerman

Re: Messenger Service window popped up on my Server!

said by rakerman:
The best resource I have found is an article from TechTV

»www.techtv.com/screensavers/answ···2,00.htm
If you're new to NetBIOS-over-TCP, I also suggest

»www.microsoft.com/windows2000/te···wcug.htm
I'm going to put these on my webpage shortly.
Stopping/disabling the Messenger service is the best solution, but I thought this was interesting: I'd assumed that the "net send" functionality was sent over tcp/139, as there are specs on this. But when I ran a net send from a Windows 2000 system to a Windows XP box, Ethereal shows that the message was delivered via udp/135! I'm going to now test to see if these messages can get through on udp or tcp 135 without NetBIOS running...so there may be a couple of different ports that need to be blocked.

Philip Sloss

psloss
Premium
join:2002-02-24
Alpharetta, GA

said by psloss:
But when I ran a net send from a Windows 2000 system to a Windows XP box, Ethereal shows that the message was delivered via udp/135! I'm going to now test to see if these messages can get through on udp or tcp 135 without NetBIOS running...so there may be a couple of different ports that need to be blocked.
I just "verified" this on an XP Pro setup. The XP Pro system has NetBIOS disabled and is not listening on tcp/139 or tcp/445. It is also not bound to udp ports 137-139 or 445. I can still push messages to that system with net send from a Win2K box. I haven't tried an NT4 system...

Can anyone else test this?

Thanks,

Philip Sloss


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to scottkeen

Re: Messenger Service window popped up on my Server!

Philip Sloss,
Did you read the article posted above on..

Windows 2000 TCP/IP

NetBIOS Over TCP/IP
The Windows 2000 implementation of NetBIOS over TCP/IP is referred to as NetBT. NetBT uses the following TCP and UDP ports:

UDP port 137 (name services)
UDP port 138 (datagram services)
TCP port 139 (session services)
NetBIOS over TCP/IP is specified by RFC 1001 and RFC 1002. The Netbt.sys driver is a kernel-mode component that supports the TDI interface. Services such as workstation and server use the TDI interface directly, while traditional NetBIOS applications have their calls mapped to TDI calls through the Netbios.sys driver. Using TDI to make calls to NetBT is a more difficult programming task, but can provide higher performance and freedom from historical NetBIOS limitations.

NetBIOS defines a software interface and a naming convention, not a protocol. NetBIOS over TCP/IP provides the NetBIOS programming interface over the TCP/IP protocol, extending the reach of NetBIOS client and server programs to the IP internetworks and providing interoperability with various other operating systems.

The Windows 2000 workstation service, server service, browser, messenger, and NetLogon services are all NetBT clients and use TDI to communicate with NetBT. Windows 2000 also includes a NetBIOS emulator. The emulator takes standard NetBIOS requests from NetBIOS applications and translates them to equivalent TDI functions.

Windows 2000 uses NetBIOS over TCP/IP to communicate with prior versions of Windows NT and other clients, such as Windows 95. However, the Windows 2000 redirector and server components now support direct hosting for communicating with other computers running Windows 2000. With direct hosting, NetBIOS is not used for name resolution. DNS is used for name resolution and the Microsoft networking communication is sent directly over TCP without a NetBIOS header. Direct hosting over TCP/IP uses TCP port 445 instead of the NetBIOS session TCP port 139.

By default, both NetBIOS and direct hosting are enabled, and both are tried in parallel when a new connection is established. The first to succeed in connecting is used for any given attempt. NetBIOS over TCP/IP support can be disabled to force all traffic to use TCP/IP direct hosting.

To disable NetBIOS over TCP/IP support

(see here for more)

»www.microsoft.com/windows2000/te···wcug.htm

Port 445 (microsoft-ds):
  tcp  microsoft-ds  Win2k+ Server Message Block
  udp  microsoft-ds  Win2k+ Server Message Block

On Windows 2000 Professional, there is always a share "ADMIN$", so it is essential to create a password for "Administrator".

Windows 2000/XP also use port 445 (microsoft-ds) for Microsoft networking without NetBIOS.

psloss
Premium
join:2002-02-24
Alpharetta, GA

said by Name Game:
Did you read the article posted above on..

Windows 2000 TCP/IP
Yes, but this isn't solely a NetBIOS issue. The Messenger service on Win2K and XP appears to be based on DCE RPC...if the spammers are basing their scans on NetBIOS availability, that's great. It gives everyone more time to stop and disable the Messenger service.

said by Name Game:
On Windows 2000 professional, there is always a share "ADMIN$"
This behavior -- administrative shares -- has existed in Windows NT since 3.5, probably all the way back to 3.1. Aside from the ADMIN$ and IPC$ shares, all local hard drives are also shared as <drive letter>$ (so C$, D$, E$, etc.). There are other shares on server versions (NETLOGON, for example).

Couple o'references on turning that off:
»support.microsoft.com/default.as···;q288164

»is-it-true.org/nt/atips/atips2.shtml

...but I'm not sure this is related to "net send spam."

Philip Sloss
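The two observations above give a concrete host-side check: Microsoft's NetBT description lists UDP 137/138, TCP 139 and TCP 445 (direct hosting), while psloss found net send still delivered over UDP/135 with every NetBIOS port closed, because the Messenger service sits on DCE RPC. The following is an added example, not code from this thread or from Microsoft: it parses a Windows-style `netstat -an` listing, reports which of those ports are bound to a non-loopback address, and says which delivery path (RPC on 135, or NetBT on 137-139) is still open. Both netstat listings are constructed for the example; the Windows 2000/XP netstat column layout is assumed.

```python
"""Audit a Windows `netstat -an` listing for the Messenger/NetBT/SMB ports discussed in the thread.

The netstat samples below are constructed for this example, not captured from any
system mentioned in the thread. The port roles follow the Microsoft NetBT text quoted
above plus the UDP/135 (DCE RPC) observation made with Ethereal.
"""
import ipaddress
import re

# (protocol, port) -> role, as the thread describes them.
WATCHED = {
    ("TCP", 135): "DCE RPC endpoint mapper (net send observed arriving here)",
    ("UDP", 135): "DCE RPC endpoint mapper (net send observed arriving here)",
    ("UDP", 137): "NetBT name service",
    ("UDP", 138): "NetBT datagram service",
    ("TCP", 139): "NetBT session service",
    ("TCP", 445): "SMB direct hosting (microsoft-ds)",
    ("UDP", 445): "SMB direct hosting (microsoft-ds)",
}

# Constructed: a Win2K IIS/SQL box with NetBT and direct hosting both enabled.
SAMPLE_WIN2K = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.44:1210        ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

# Constructed: the XP Pro case from the thread, NetBIOS disabled, RPC still bound.
SAMPLE_XP_NO_NETBIOS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    127.0.0.1:138          *:*
"""

# Matches "PROTO local:port foreign [STATE]"; UDP lines carry no state column.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for listening or bound sockets only."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # "Active Connections", column header, blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        yield proto, addr.strip("[]"), int(port), state or ""


def exposed_listeners(text):
    """Return {(proto, port): role} for watched ports bound to a non-loopback address."""
    found = {}
    for proto, addr, port, _state in parse_netstat(text):
        key = (proto, port)
        if key not in WATCHED:
            continue
        if ipaddress.ip_address(addr).is_loopback:
            continue  # 127.0.0.1 / ::1 bindings cannot be reached from the data center
        found[key] = WATCHED[key]
    return found


def delivery_paths(exposed):
    """Which routes a net send can still take: 'rpc' via 135, 'netbt' via 137-139."""
    return {
        "rpc": any(k in exposed for k in (("TCP", 135), ("UDP", 135))),
        "netbt": any(k in exposed for k in (("UDP", 137), ("UDP", 138), ("TCP", 139))),
    }


def firewall_block_rules(exposed):
    """Sorted (proto, port) pairs an upstream firewall must deny inbound to close every finding."""
    return sorted(exposed)


if __name__ == "__main__":
    for name, listing in (("Win2K", SAMPLE_WIN2K), ("XP, NetBIOS off", SAMPLE_XP_NO_NETBIOS)):
        exposed = exposed_listeners(listing)
        print(name, delivery_paths(exposed))
        for proto, port in firewall_block_rules(exposed):
            print(f"  deny in {proto}/{port:<4} {exposed[(proto, port)]}")
```

Disabling NetBIOS over TCP/IP, as the Microsoft article describes, empties the `netbt` path but leaves `rpc` true in the second sample; that is the result psloss reported, and it is why stopping the Messenger service (or filtering 135 at the firewall) is the fix rather than NetBIOS changes alone.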


KAD Imaging
Just Shoot It
Premium
join:2002-09-21
Hialeah, FL

You are correct Phil regarding the ability to "net send" without NetBIOS running or even installed. See my post in another thread for the same issue.

»I can't explain this.


--
-The Cobra
"Heh, your broadband style is good grasshopper....but not good enough. Watch my Earthlink style..."
1222K download 218K upload (EL 1.5M/256K)



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to scottkeen
I was thinking about this support for Direct Hosting and Port 445.

However, the Windows 2000 redirector and server components now support direct hosting for communicating with other computers running Windows 2000. With direct hosting, NetBIOS is not used for name resolution. DNS is used for name resolution and the Microsoft networking communication is sent directly over TCP without a NetBIOS header. Direct hosting over TCP/IP uses TCP port 445 instead of the NetBIOS session TCP port 139.

By default, both NetBIOS and direct hosting are enabled, and both are tried in parallel when a new connection is established. The first to succeed in connecting is used for any given attempt. NetBIOS over TCP/IP support can be disabled to force all traffic to use TCP/IP direct hosting.



KAD Imaging
Just Shoot It
Premium
join:2002-09-21
Hialeah, FL

reply to scottkeen
As a second note. Thousands of our fellow Broadband users are extreme novices happily computing while broadcasting NetBIOS and every share on their computers to the world.

Bad for them. Worse for us is it gives hackers an "endless arsenal" of computers to wield attacks on the rest of us.

Tsk-tsk....
--
-The Cobra
"Heh, your broadband style is good grasshopper....but not good enough. Watch my Earthlink style..."
1222K download 218K upload (EL 1.5M/256K)


psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to KAD Imaging

said by KAD Imaging:
You are correct Phil regarding the ability to "net send" without NetBIOS running or even installed. See my post in another thread for the same issue.
Just picked up the first block of UDP/135 data on my honeypot:
»www.mynetwatchman.com/LID.asp?IID=10063226

A nice message about free (hot) electronics...

Looks like AOL is still the platform of choice for spammers...

Philip Sloss

© 1999-2012 dslreports.com.