Unknown Messenger Service?

[caddnima]

When I check my W2k Server this morning I have this message from a Messenger Service....


Its a freaking spam thing that sells Diploma...

How did they achieved this so I can protect our server...
I think we've been compromised...

Thanks

 

[GlenJohnson]

Check your anti-virus stuff and the log files in c:\winnt\system32\logfiles and see if they managed to ftp anything into it. Also check your event viewer. There may be a simple awnser, but I think I'd be ticked also. Good luck. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com


"A person often meets his destiny on the road he took to avoid it."
Jean de La Fontaine (1621-1695); French poet.

 

[caddnima]

They are also having the same problem on the NT Thread and they told me that these guys just use the "net send" command to everybody with a certain IP address randomly...

And they said I dont have to worry about it...

what do you think?

 

[GlenJohnson]

What have you got for a firewall? If nothing, they are probably correct. I'm behind a firewall, and I mistankenly think all networks are, while they are not. I would still check the log files in system32. Test the theory. You know what the ip is of the server. Take a w2k machine, connect to the internet, and do a net send xxx.xxx.xxx.xxx. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com


"A person often meets his destiny on the road he took to avoid it."
Jean de La Fontaine (1621-1695); French poet.

 

[disord3r]

Go to your Services control panel item and disable the Messenger Service. This will stop those annoying ads for weight loss pills, diplomas, etc, but it may also disable any legitimate services that depend on the Messenger Service.

I did it on mine without any negative effects, but I don't do much on my system by browse the web and update sites using InterDev. You may want to check with a system admin before doing this if it's a work machine or mission critical server.

 

[GlenJohnson]

Good point disord3r. Guess I didn't think of it because I use net send all the time. People don't awnser phones, and I need to contact them, they may be logged onto a different pc somewhere else, they still get the message. Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com


"He who doubts nothing, knows nothing."
Greek proverb.

 

[JestJoan]

Ah...the joy of Messenger Service. It's been a while since I've used 2000, so I'm not 100% sure about the navigation on it, but on XP you can disable this crap by going to Control Panel > Performance & Maintenance > Administrative Tools > Services, selecting Messenger from list and disabling it in Properties.

 

[GlenJohnson]

Got the same thing at home. Disabled messinger there because I don't need it. I'm running a wireless network and connect to the net via cable modem. Think that's how they got in. Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@nellsgiftbox.com


"What really happens is trivial in comparison to what could occur."
Robert von Musil (1880-1942); Austrian author.

 

[Seizure]

The fact that someone can reach the messaging service from the internet is not good. Get behind NAT or get port 139 closed. Have someone do a port scan from the outside to see what else is open. Jim - Synnex Info Tech

 

[gizla]

This is to do with rpc listening this port is impossible to close on external nic on windows servers what this basically means is that you need a firewall that blocks incoming rpc requests otherwise people can send messages to your server, it does not necessarily mean your box has been comprimised but none the less hackers may find exploits to use rpc ports to their advantage i think the range is 135-139 but a hardware based fireall or get a old 486 or pentium with 2 network cards and run smoothwall (linux based) or similir firewall.

 

[GlenJohnson]

I've started using zone alarm. I still want to use net send, and zone's free and easy. Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us



"Uniformity is death, diversity is life."
Mikhail A. Bakunin (1814-1876); Russian writer and revolutionary.

 

[caddnima]

Hey Glen,

I tried using zone on my w2k, it did'nt work

 

[GlenJohnson]

I have 2 desktops with w2k and a laptop, and I use it on all three. What went wrong. (I connect my laptop to the internet using a wireless router, that's why I use zone. No cables so people in theory hit my machine remotely even with messaging turned off. I do see people trying to come in with zone.) Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us



"Uniformity is death, diversity is life."
Mikhail A. Bakunin (1814-1876); Russian writer and revolutionary.

 

[dankelt]

You can set filters on your network interfaces to block ports, including RPC. This can cause problems of course because it blocks it for everyone, including the server itself. A better way of securing your server without adding any hardware or software is by using IPsec. You can set rules up for denying port access based on source and destination Addresses.

If nothing else, get your servers behind some kind of firewall, either software or hardware. I can't begin to tell you how full my router logs are from infected IIS servers, and netbios attacks.

 

[creamy]

I got this same pop-up spam, even though I had uninstalled Windows Messenger and cleaned my system of spamware.

Pictures of the pop-up spam, and instructions for stopping it are here:

http://www.jmu.edu/computing/security/info/winmsg.shtml

 

[dankelt]

I got this same pop-up spam, even though I had uninstalled Windows Messenger and cleaned my system of spamware.

That's because the Windows Messenger Service has nothing to do with "Windows Messenger" or Spam/Spy Ware.