
Strange pop-up messages on the DC?


Ovatvvon

Hello,
I came in today and unlocked the desktop on the domain controller here. To my surprise, there was a pop-up message on the screen in the form of an alert box. It reads:

(TITLE BAR= "Messenger Service")
=====================================================
Message from MICROSOFT to [this ip address] on 10/16/2002 4:04:43 AM

Please Come And Get Angry At US!
=====================================================

I don't believe this to be a virus...I actually just reloaded the whole DC 2 days ago.

Does anyone know what may have caused this...or what it should mean to me? -Ovatvvon :-Q
 
Ovatvvon,

That looks like a "console message". Which would have been sent to you from somewhere in your internal network. Sounds like someone is playing a joke on you.

Console messages can be sent from the Computer Management console. Someone obviously knew your IP address since it was sent directly to the IP and not to the computer name.

Let us know how this works out.

Patty [ponytails2]
 
The message was sent with a net command (specifically "net send x.x.x.x body of message"; replace x.x.x.x with your IP address and "body of message" with... well, you know). The interesting clue here is the From information you saw. Since it said from Microsoft, that means that either this was done by a savvy person or it was done from a person using a computer named "Microsoft". If you don't think that you have the "savvy user" within your network and you don't have a computer named Microsoft within your network, you need to take a look at your firewall (or lack of) because that type of packet should not be allowed to enter your network from the Internet.

Hope that helps,
Jay Mosser
jaym@optymgroup.com
 
Well, that's the strange part then because this isn't a "business" server. It's a development server in my home. I'm a sole proprietor for software development. So there isn't an internal network running here.

What port(s) should I be blocking for this? -Ovatvvon :-Q
 
Looks like you're not the only one this is happening to...there is a new post regarding this issue titled "Strange Hack..." posted by Polluxo.

Interesting...

Patty
 
it looks like this is the new "thing" for advertisements. Email spam doesn't work so people are using this route. The problem is that this crosses the line into "cracking" and is illegal as opposed to spam mail which is not. I have not been able to figure out a way to stop it without shutting down the messenger service. we need this because it is a company domain with many computers! if anyone can help figure out how to stop this intrusion, please help.

thanks
 
Is there no way to track what IP address this message originated at? -Ovatvvon :-Q
 
there is. we can even call the phone number on the advertisement!! but that will only stop one cracker...we have had about 3 of these messages pop up within the last few weeks and all seem to be different origins. this is one:

**********************************************
Application popup: Messenger Service : Message from WEBPOPUP03 to ***.**.**.**** on 10/9/2001 7:40:13 PM

U N I V E R S I T Y D I P L O M A S

Obtain a prosperous future, money earning power,
and the admiration of all.

Diplomas from prestigious non-accredited
universities based on your present knowledge
and life experience.

No required tests, classes, books, or interviews.

Bachelors, masters, MBA, and doctorate (PhD)
diplomas available in the field of your choice.

No one is turned down.

Confidentiality assured.

CALL NOW to receive your diploma
within days!!!

1 - 6 1 5 - 3 6 6 - 7 8 0 3

Call 24 hours a day, 7 days a week, including
Sundays and holidays.
**********************************************
 
well, first things first. First I want to handle this one I received...then prevent any more from coming.

The message I received didn't leave an IP or phone number on the actual message. How can I go about finding out its origin? -Ovatvvon :-Q
 
Start with blocking NetBIOS on ports 137, 138, and 139, both UDP and TCP. Any firewall software should be able to accomplish this.
 
so I'm guessing anyone can send this type of message to any computer using "manage" from my computer or at the dos prompt (net send). seems silly doesn't it?
 
I've been getting the same crap. I have been logging the IP addresses that they are coming from and sending a message back to them. It is usually a dialup account that they are being sent from.

Nick
 
How are you logging their IP address? My event viewer isn't giving me their IP...only the computer name "MICROSOFT" that they used.

Also, how are they making more than one line? I messed around with messages sending to myself, but can only enter body messages with one line in them. How do they span the messages across multiple lines? I want to be able to send them back several messages if one should pop up right in front of me! (short term solution yes, but would be somewhat gratifying)

(I'm surprised, Microsoft doesn't allow the blocking of specific ports via the windows networking software. You either allow all ports, or only allow specific ones. I guess I'll have to invest in a firewall...didn't want to have to do that just for a development server hidden on the net. Oh well) -Ovatvvon :-Q
 
I have been using ZoneAlarm to log their IP addresses. It will give you their DNS host name also, so you could really report them to their ISP if you wanted to. ZoneAlarm gives you a free 30 day trial. Go to and search for it. I would assume that they are using VB or something to make the message more than one line.

Nick
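
Added example (not part of any post in this thread): a short script that goes through firewall log lines and lists the outside source addresses that reached, or tried to reach, the NetBIOS ports 137, 138 and 139 named above, which is the information you would want before reporting a sender to its ISP. The log format, the sample lines and the function names are assumptions constructed for illustration; this is not ZoneAlarm's real log format.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the thread: NetBIOS name, datagram and session services.
NETBIOS_PORTS = {137, 138, 139}
# Ranges treated as "inside" (RFC 1918 plus loopback); adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed line format: date time ACTION PROTO src_ip:src_port dst_ip:dst_port
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+)$")
# Constructed sample log; external addresses come from documentation ranges.
SAMPLE_LOG = """\
2002-10-16 04:04:43 ALLOW UDP 203.0.113.45:1029 198.51.100.10:137
2002-10-16 04:04:44 ALLOW TCP 203.0.113.45:1030 198.51.100.10:139
2002-10-16 04:10:02 ALLOW TCP 192.0.2.7:3321 198.51.100.10:80
2002-10-16 05:15:00 BLOCK UDP 192.0.2.99:1044 198.51.100.10:138
2002-10-16 05:20:11 ALLOW TCP 192.168.1.20:1050 192.168.1.2:139
garbage line that does not parse
"""

def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_netbios_hits(log_text):
    """Map each outside source IP to its (time, proto, port, action) events."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        try:
            internal = is_internal(m["src"])
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if internal or int(m["dport"]) not in NETBIOS_PORTS:
            continue
        hits[m["src"]].append((m["ts"], m["proto"], int(m["dport"]), m["action"]))
    return dict(hits)

def allowed_through(hits):
    """Outside sources whose NetBIOS traffic was not blocked by the firewall."""
    return sorted(s for s, ev in hits.items() if any(e[3] == "ALLOW" for e in ev))

if __name__ == "__main__":
    print(allowed_through(external_netbios_hits(SAMPLE_LOG)))
```

Any address returned by `allowed_through` means the NetBIOS ports are still reachable from outside and the block rule is not in effect for that traffic.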
 
Actually OV, M$ does allow you to block ports. It's under advanced settings in TCP\IP Properties - TCP\IP Filtering. You can set up your box to only allow certain ports.
 
well, it doesn't for me. I'm running Windows 2000 Server with SP2.

It only allows me to allow all ports, or to allow specific ones that I list. Doesn't allow me to block specific ones. -Ovatvvon :-Q
 
Hello Ovatvvon,

What about filtering ports using the filtering coming on the "properties" dialog of the NIC card???

I've been wondering this myself. I'm busy setting up a server myself these past few weeks. It's just a small three computer network.

Anyways... I've read and read about using firewalls but never had/seen suggestions to just use the filtering in the properties/options/ip security/ip filtering settings. You know what I mean?

right-click on "Local Area Connection" and click properties, then "options"

Does anybody know why this should not suffice as a firewall or not???

Sincerely,
John Ford
 
OV, it IS kind of backwards but it can be done. ZoneAlarm is a better "inexpensive" solution for blocking ports. By the way I think NT4.0 allowed you to net send the contents of a text file. I don't have any 4.0 boxes sitting around anymore to test it though.
 
oh ok, sure. I see what you're saying coolclark. I don't think I'll do that though...it seems very cumbersome to just block 3 ports. ya know?

I think I may just invest in ZoneAlarm.

JWFdev, that's what we were talking about.
-Ovatvvon :-Q
 
sorry... I skipped those two posts.

Anyways... isn't this just as effective as a firewall? I'm just wondering why I haven't seen tons and tons of "How-to's" written suggesting this. It'd be nice to find one that offered suggestions on port settings and reliability.

Anyone know more or had experience with doing this?
Sincerely,
John Ford
 