Security Incidents mailing list archives

Re: Strange Message


From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Fri, 11 Oct 2002 09:28:47 -0700



At 07:07 AM 10/11/2002, Reasoner, Scott wrote:
At my organization, we run the Microsoft ISA Server to provide controlled
internet access on our internal network.  This morning when I came in, there
was a Windows Messenger Service message on the screen (like from when you
use the NET SEND command).  Its contents were advertising for college
diplomas (almost exactly the same text as some SPAM I've received).  I'm
assuming this means that the ports used for SMB are not being properly
blocked from the internet (something that I know needs to be fixed).

So, I'm curious, has anyone seen SPAM through the messenger service like
this, or should I be concerned about a system compromise?  My initial
investigation of the machine shows nothing else out of the ordinary.

Something similar was posted to another list - in fact, I thought you were 
the same poster, but it does not look like it.  They reported the same 
message box, but an event logged with the following info:

<snip>
Application popup: Messenger Service : Message from WEBPOPUP02 to xxx on
10/11/2002 3:03:48 AM

U N I V E R S I T Y D I P L O M A S

Obtain a prosperous future, money earning power,
and the admiration of all.

1 - 6 1 5 - 3 6 6 - 7 8 0 3
</snip>

They reported that the only thing open on the server was 80.  By default, 
ISA will block everything you don't allow in, but if you have configured 
ISA to open all/block specific, then you should know that the "ALL NetBIOS" 
filter did not include port 445 - I reported this to MS and they said they 
fixed it in SP1.  But that said, I doubt that is what is going on...  Do 
you have an event log entry for the messenger service as well?  Same 
WEBPOPUP02 box?  And when you say there was a "message on the screen," was 
it on the ISA box or your own box inside the protected network?

Assuming your ISA is configured properly and the other poster was also 
correct in only 80 being open, then it looks like there might be some 
sneaky way of invoking messenger.  Or, someone is sending email attachments 
out that get executed internally that do a NET SEND EVERYONE or something 
like that.  Hmmmm.

--
AD
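An added example, not part of the original thread: a small triage script for Messenger Service "Application popup" event text like the entry quoted above. It parses the header line into sender, recipient and timestamp, then flags popups whose sender is not a known internal host or whose body carries the spaced-out letters and phone number typical of this spam. The KNOWN_SENDERS set and the sample events are constructed assumptions.

```python
import re

# Constructed sample, modelled on the Application popup event quoted in the thread.
SAMPLE_EVENTS = """\
Application popup: Messenger Service : Message from WEBPOPUP02 to WS-ACCT-01 on 10/11/2002 3:03:48 AM
U N I V E R S I T Y D I P L O M A S
Obtain a prosperous future, money earning power,
and the admiration of all.
1 - 6 1 5 - 3 6 6 - 7 8 0 3
Application popup: Messenger Service : Message from FILESRV01 to WS-ACCT-01 on 10/11/2002 8:15:02 AM
Backup window starts at 22:00, please save your work.
"""

HEADER_RE = re.compile(r"^Application popup: Messenger Service : Message from "
                       r"(?P<sender>\S+) to (?P<recipient>\S+) on (?P<when>.+)$")
# Assumption: hostnames that legitimately NET SEND to workstations on this network.
KNOWN_SENDERS = {"FILESRV01", "DC01"}
# Ten or more digits separated only by spaces/dashes, e.g. "1 - 6 1 5 - 3 6 6 - 7 8 0 3".
SPACED_PHONE_RE = re.compile(r"(?:\d[\s-]*){10,}")
# Five or more single capital letters separated by spaces, e.g. "U N I V E R S I T Y".
SPACED_WORD_RE = re.compile(r"(?:\b[A-Z] ){4,}[A-Z]\b")

def parse_popups(text):
    """Group raw event text into one record per Messenger Service popup."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({**m.groupdict(), "body": []})
        elif records:
            records[-1]["body"].append(line)
    for r in records:
        r["body"] = "\n".join(r["body"]).strip()
    return records

def flag_popup(record):
    """Return the reasons a popup looks like unsolicited external spam (empty = benign)."""
    reasons = []
    if record["sender"].upper() not in KNOWN_SENDERS:
        reasons.append("sender not in known internal hosts")
    if SPACED_PHONE_RE.search(record["body"]):
        reasons.append("spaced-out phone number")
    if SPACED_WORD_RE.search(record["body"]):
        reasons.append("spaced-out letters (filter evasion)")
    return reasons

def triage(text):
    """Map each popup's sender to its flag reasons."""
    return {r["sender"]: flag_popup(r) for r in parse_popups(text)}
```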
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com