Strange pop-up messages on the DC?

Status
Not open for further replies.

Ovatvvon

Programmer
Feb 1, 2001
1,514
US
Hello,
I came in today and unlocked the desktop on the domain controller here. To my surprise, there was a pop-up message on the screen in the form of an alert box. It reads:

(TITLE BAR= "Messenger Service")
=====================================================
Message from MICROSOFT to [this ip address] on 10/16/2002 4:04:43 AM

Please Come And Get Angry At US!
=====================================================

I don't believe this to be a virus...I actually just reloaded the whole DC 2 days ago.

Does anyone know what may have caused this...or what it should mean to me? -Ovatvvon :-Q
 
well, to my knowledge...yes. That would be effective because it would totally shut that port down. I think some firewalls don't necessarily shut down the port though...they monitor it...or they can shut others down as well. Whatever you set it up to do...and it also has to do with how good the software is. I just never had much use for it...so therefore, I also don't have a lot of experience with it. I just know I don't want to add in 65,535 ports (minus 3) to be allowed to pass data through my NIC.

So I think I'm just going to go with the software. -Ovatvvon :-Q
 
one thing too...

If you block only the ports you think you're supposed to be using... and you still receive these spams... then they must have cracked or found a bug in the MS software.

Has anyone that got this message used a firewall that you've considered reliable?

Also... broto said to...
Start with blocking NetBIOS on ports 137, 138, and 139, both UDP and TCP. Any firewall software should be able to accomplish this.

Why not just choose "disable NetBIOS" on the WINS tab of the properties window for the NIC that you're connected to the internet on (if you don't have two, get another one)? You don't need it there, do you? Chances are you don't.

then again... if you still get the messages... then they are coming in the front door of your normal service and these people found a security bug.

Are you sure, Brontosaurus, that those ports and NetBIOS had to be used to do this? They are either calling them on the victim's machine or the victim's machine just listened to them send it. That's what I'm wondering about this...

is the net command being run on the victim machine (and naturally it will hear it)... or does the victim machine just hear it coming through the NIC.

Sincerely,
John Ford
 
If you want to test your setup, go out to grc.com. Steve Gibson has some great info and tools for testing your system for possible problems.
 
Netbios is disabled on my server and I can still receive the messages (testing with an associate).

Maybe the ports alone have to do with it...will wait to get the software first though. -Ovatvvon :-Q
 
can you audit the net command and see if it was called on your machine from the command line?

if there is a worm on your machine... or if the hack sends the command to call it on your machine... won't auditing it in the event viewer help?

I'm still wondering that... is the net command being invoked on your command line or sent to you and processed because your computer is listening.

Also... ZONE ALARM has a free version you could download and install within half an hour if you want to test things further tonight with your associate. zonelabs.com

Sincerely,
John Ford
 
I'm pretty sure that it's independent between both nodes. If I try to send to another guy's machine, it comes up unsuccessful. I have to talk to him tomorrow to see what they do that prevents it from going through...but the point is that it sends it regardless of the other end. Then it reports back whether it was successful or not.

I think the machines are listening as well. If you block the ports though, if it is indeed those 3 listed, then the 'would be' receiving end never gets it. I'm going to talk to him tomorrow and see if they block those ports. The machine I tried to send it to is also a win2k server with sp2.
-Ovatvvon :-Q
 
couple of notes on the above line of discussion:

1 How to stop the net send messages from coming to your machine: stop the Messenger service. If you want to see what is listening on your machine, run netstat from the command line. If you want really cool info on it, use a freeware tool called "active ports" it can be found at :


It shows all active ports and their state, the PID and exe associated with them, and the remote node and port. It also lets you kill processes. Very cool tool.


2 Using the port filtering capacity in Windows as a firewall. Port and address filtering are the most basic form of firewall. Technically speaking it would be a firewall, but it would be a very poor one. It has no intelligence or self-protective features. I recommend the above suggestion of ZoneAlarm. It is a great product. I would also recommend a hardware-based firewall. Cisco has released a SOHO version of the PIX. It is the model 501; it sells for about 400 dollars for the base model and is well worth it.
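
The netstat check suggested in the post above, as an added example that is not part of the original thread: a Python sketch that parses `netstat -an` output and lists sockets on the NetBIOS ports named earlier in the discussion (137, 138, 139) that are reachable from the network. The sample output, addresses and function names are constructed for illustration.

```python
import re

# Ports named in the thread: NetBIOS 137, 138 and 139, over both UDP and TCP.
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:4021      ESTABLISHED
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
  UDP    127.0.0.1:1900         *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or unrecognised row
        proto, addr, port, _foreign, state = m.groups()
        # UDP rows carry no state column; a bound UDP socket is receiving.
        yield proto, addr, int(port), state or "BOUND"

def exposed_listeners(text, ports=NETBIOS_PORTS):
    """Return sockets on the watched ports that accept traffic from the network."""
    hits = []
    for proto, addr, port, state in parse_netstat(text):
        if port not in ports:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        if addr.startswith("127."):
            continue  # loopback-only sockets are unreachable from other hosts
        hits.append((proto, addr, port))
    return hits

if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} reachable - filter it or stop the service")
```

Running the same check before and after a firewall or service change shows whether the listener is actually gone, rather than relying on the sender's "unsuccessful" report.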
 