This blew me away! I am usually very careful and don't install anything I
don't need. I don't use ICQ, MSN or none of that crap. This is on my home
ADSL account.
How did this occur?
I turned off the Messenger service, but somehow this was "activated" and
"executed" on my machine.
To see if this was done from the outside, from my office machine at work, I
attempted a
"NET SENT home_ip HELLO"
to see if my home machine is open. It failed. So this came from WITHIN my
home machine!
Can someone give me some insight as to what's going on?
Also as I am cleaning up the machine, I have the resultant ports listening:
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1588 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:1584 *:*
UDP 67.34.202.215:500 *:*
UDP 127.0.0.1:1616 *:*
Are any of these suspicious?
thanks
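As an added example (editor's code, not from anyone in this thread): a small Python script that parses the netstat listing posted above and flags sockets bound to every interface on the ports the Messenger service and the NetBIOS/SMB stack use, which on a machine plugged straight into ADSL means reachable from the Internet. The port-to-service descriptions are the editor's assumption, not something the post states.

```python
import re

# Constructed sample: the "netstat -an" listing from the post above.
NETSTAT_OUTPUT = """\
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1588 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:1584 *:*
UDP 67.34.202.215:500 *:*
UDP 127.0.0.1:1616 *:*
"""

# Assumed mapping (editor's): ports the Messenger service and the
# NetBIOS/SMB stack listen on. Port 135 (RPC endpoint mapper) carries
# Messenger popups and sits outside the 137-139 range that the usual
# "NetBIOS" filters cover.
MESSENGER_PATH_PORTS = {
    135: "RPC endpoint mapper (Messenger service popups)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service (Messenger via NetBIOS)",
    139: "NetBIOS session service",
    445: "SMB direct hosting",
}

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?$")

def parse_netstat(text):
    """Return (proto, local_ip, port, state) tuples from netstat -an output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, ip, port, _foreign, state = m.groups()
            rows.append((proto, ip, int(port), state or ""))
    return rows

def exposed_messenger_sockets(text):
    """Sockets on Messenger-path ports bound to all interfaces (0.0.0.0)."""
    findings = []
    for proto, ip, port, _state in parse_netstat(text):
        if port in MESSENGER_PATH_PORTS and ip == "0.0.0.0":
            findings.append((proto, port, MESSENGER_PATH_PORTS[port]))
    return findings

if __name__ == "__main__":
    for proto, port, why in exposed_messenger_sockets(NETSTAT_OUTPUT):
        print(f"{proto}/{port} bound to all interfaces: {why}")
```

Run it against your own `netstat -an` output to see whether 135 or 445 is still bound to 0.0.0.0 after the services have been stopped.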
"yams" <Ih...@spammers.com> wrote in message news:<3%7g9.94379$2L.46...@e3500-atl2.usenetserver.com>...
>I believe I only had Outlook Express running writing a message when all of a
>sudden I got a "Messenger Service" popup message from an Internet Marketing
>spam site.
>
>This blew me away! I am usually very careful and don't install anything I
>don't need. I don't use ICQ, MSN or none of that crap. This is on my home
>ADSL account.
>
>How did this occur?
More than likely they used the "net send" command and directed the
spam to your domain. I've seen it happen three times in the last two
weeks. Most recently on Friday the 20th.
It would be nice to know for sure how it was done though. If anybody
has any ideas...
Flex
I have since done all sorts of things to isolate my machine. I have not
had it happen again since the original post. I'm a developer and I'm very
careful with things. I don't play e-games. I don't download anything that I
am aware of. The only thing not in my control is Microsoft's software, in
particular Outlook and OE. On that original day it happened to me, I did
the following:
1) I was working from HOME on my Windows 2000/PRO machine. It is connected
via ADSL.
2) It looked like a NET SEND command which, if I remember my NetBIOS
programming days, is NetBIOS functionality, which means I must have had
one of the Microsoft NetBEUI ports open. I don't. To confirm this, I
connected to my office machine via PCAnyWhere and issued a NET SEND to my
home machine IP. It could not find the machine. I don't believe you can
use NET SEND if the proper Microsoft ports 135-137 are not open. Maybe
others can confirm this.
3) So I figured that somehow, this was done via maybe a hole/backdoor with a
HTML message I was reading in outlook or something. However, this couldn't
be it because quite simply I wasn't reading such a message. I was writing a
message. So I figure it was maybe something already installed on my
machine.
4) Since this is my home machine, my girls used to use Yahoo or MSN chat
stuff a few months back. They don't any more, but I checked some
installation logs and found some MSN CHAT install problem. I removed all
the ActiveX objects from IE. I removed/uninstalled all programs I was not
familiar with. I turned off any NT service I was not using, including
Messenger Service and some others that open some ports on my machine.
5) I then did some Google research using "NET SEND" and "VIRUS" as keywords
and I found there was a recent Windows security flaw report, AKA "Shatter"
as it was named by the founder of the flaw. It explains how there is a
fundamental flaw in Windows that Microsoft has since acknowledged. It
specifically illustrates how "NET SEND" can be used from a DESKTOP
application.
I was very busy and I didn't follow all the details of this report, but I
assumed this was the only explanation for it.
The url for this shatter report is:
http://security.tombom.co.uk/shatter.html
The Microsoft response to this report:
http://www.microsoft.com/technet/security/topics/htshat.asp
See ya
Hector
----
"Johnny Qwest" <nob...@nowhere.com> wrote in message
news:4jtsous9tmkgs3s22...@4ax.com...
The only explanation for this is that SHATTER "flaw." See my other message in
this thread.
---
"anon" <eny1en...@hotmail.com> wrote in message
news:bf29860f.02092...@posting.google.com...
Check out these links on the NET SEND messenger spam issue
http://www.dslreports.com/forum/remark,4675583~root=security,1~mode=flat;start=20#4687551
http://www.dslreports.com/forum/remark,4675858~root=security,1~mode=flat#4682964
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
The summary is that it is using port 135, which is sneaky, because it's not
blocked by the usual NetBIOS filters.
-- Richard Akerman
http://www.akerman.ca/trojan-port-table.html#netsend