
NT Messenger Service- Can you be hacked thru it?

Status
Not open for further replies.

DasaniDrinker

IS-IT--Management
Oct 1, 2002
US
NT 4.0 SP6:

In all my years of messing with NT boxes, I have never seen an advertisement just pop up on a server as it did on ours today. Something about University Enrollment, with a valid phone number listed (yes, I called their answering service, which sounded legit). I tried to kill it with Task Manager; when that failed, I hit the "x" in the corner.

Top of the box showed "Messenger Service". Then the sales pitch and an "OK" button at the bottom.

Our server has an exposed IP address, while we all have non-routable 192.x.x.x addresses on our LAN.

Has anyone ever heard of this? Is this nothing to worry about or is it too late for us?? Hacked? Virus? HELP! please....

Also, can I turn off the Messenger Service in the Services interface without it affecting normal network/internet usability?

Thanks in advance!
 
This sounds like the old exploit we used to have some fun with a while ago. You could use NET SEND to send a message to an NT/2k machine over the internet like you would across the network. It's nothing too much to worry about, since they probably have that message to attempt to send to a huge range of IP addresses and you weren't picked out.

Either way, don't worry too much, although you can stop it if you want to.
 
Deng,

I just had the same message this morning on my W2K Server... They are selling diplomas of some sort...

Are you sure that this is safe..?

 
Are you certain it ain't MSN Messenger (or AOL Instant Messenger or Yahoo Instant Messenger)? Those "tools" do provide security risks...

May need to crank down the firewall filters another notch... JTB
Solutions Architect
MCSE-NT4, MCP+I, MCP-W2K, CCNA, CCDA,
CTE, MCIWD, i-Net+, Network+
(MCSA, MCSE-W2K, MCIWA, SCSA, SCNA in progress)
 
Block NetBIOS at your firewall and it will stop these messages.
 
I have a computer at home that is connected via DSL to the internet. I also had this nt/win2k messenger service popup on my win2k machine (this was not an AOL/MSN/etc. instant messenger popup) last night (Oct 15th). I am running Norton Personal Firewall, and it blocks ports 137-139 via a default setup (which I only modified a little - but I left 137-139 blocked), so I also wondered how they did this. I also turned off 'file sharing' and 'client for Microsoft' on the NIC... This could be a window programmed to imitate a messenger service popup, or perhaps Norton's firewall is not doing its job. In any case I disabled the Messenger service. Grenage, ensorg, and anyone else who has any further insight into this (so far) seemingly innocent exploit would be appreciated....
 
Hello everyone! I found out where this is coming from.

View the following link: (or go to wired.com and find the article on the opening page)

This is a harmless trick "for now". I have shut down the messenger service permanently on our gateway server. Hopefully stopping any future hacker/virus attempts using this new technology.

Thank you all for your replies! Good luck!
Michael
aka DasaniDrinker
 
Hi all,

I'm getting these also thru my cable modem. No firewall up (yet). The email client and browser were closed at the time.

To those that have disabled Messenger Service - Did this eliminate the problem?

Thanks, John
 
If you close down the service you cannot get the NET SEND messages, no :)
 