Yep, it's a known "feature".

The deal is that although you may be blocking NetBIOS on your firewall, you
can programmatically do a "net send" to port 135, which you can't unbind from
your external NIC.

You need to firewall your machine to cut off this unwanted ingress.  Doubly
so because of the recent DoS discovered at the end of last week, for which
Microsoft will NOT be producing a fix for NT4 servers.

Andrew 8)

-----Original Message-----
From: Keith Purtell [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2003 2:11 PM
To: Declude JunkMail (E-mail)
Subject: [Declude.JunkMail] Possible exploit on mail server


Don't know if this is related to spam or not... This morning I logged onto
the NT4 server where we host both our web and mail server. Immediately noticed
a Messenger Service box (like you get with "net send" from a DOS prompt)
containing a typical spam message (edited): "From our Research Dept ...
Work From Home ... Type this address in your browser ..."

First I went into the Task Manager, where I confirmed it really was the
Messenger Service (csrss) being used. Then I made sure the service executable
had not been modified. Then I ran F-Prot to make sure there were no known
viruses. Then I ran a tracert on the IP address mentioned in the spam. Then I
checked the event log, but it didn't have any relevant entries. Then I ran a
recent Critical Update from the Microsoft site, just in case it applied to what
I was seeing. I rebooted and the message is gone, but I don't know how they got
in. There are only a few accounts on this server: IUSR and IWAM,
administrator, myself and my boss, and a special account for FTP access. Any
ideas?

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email:  [EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for
the sole use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply email and destroy all copies of the original
message.

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
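The point Andrew makes above is that a firewall policy which only blocks the NetBIOS ports (137-139) still leaves the RPC endpoint mapper on port 135 reachable, and that is enough for the Messenger Service pop-ups Keith saw. The following Python script is an added example, not code from either poster or from Declude; it models a first-match, default-deny ingress ruleset and audits it for exactly that gap. The rule syntax, the two sample rulesets, and the set of "allowed services" (SMTP and HTTP for a combined mail/web host) are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # "tcp", "udp" or "any"
    ports: Tuple[int, int]     # inclusive destination-port range
    comment: str = ""

ANY_PORT = (0, 65535)

# Ports the Messenger Service / NetBIOS pop-up path depends on:
# 135 (RPC endpoint mapper, TCP and UDP) and the NetBIOS triple 137-139.
MESSENGER_PORTS = [("udp", 135), ("tcp", 135),
                   ("udp", 137), ("udp", 138), ("tcp", 139)]

def matches(rule: Rule, proto: str, dport: int) -> bool:
    lo, hi = rule.ports
    return (rule.proto in ("any", proto)) and lo <= dport <= hi

def evaluate(ruleset: List[Rule], proto: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in ruleset:
        if matches(rule, proto, dport):
            return rule.action
    return "deny"

def exposed_messenger_ports(ruleset: List[Rule]) -> List[Tuple[str, int]]:
    """Return the Messenger-related (proto, port) pairs the ruleset still lets in."""
    return [(p, d) for p, d in MESSENGER_PORTS if evaluate(ruleset, p, d) == "allow"]

# Constructed "weak" policy: blocks NetBIOS, then lets everything else in.
# This is the shape of policy Andrew's reply describes as insufficient.
WEAK_INGRESS = [
    Rule("deny", "any", (137, 139), "block NetBIOS"),
    Rule("allow", "any", ANY_PORT, "everything else in"),
]

# Constructed corrected policy for a combined mail/web host: explicit denies
# for 135 and 137-139 in front of narrow allows, with default deny behind them.
FIXED_INGRESS = [
    Rule("deny", "any", (135, 135), "block RPC endpoint mapper"),
    Rule("deny", "any", (137, 139), "block NetBIOS"),
    Rule("allow", "tcp", (25, 25), "SMTP in"),
    Rule("allow", "tcp", (80, 80), "HTTP in"),
]

def audit(ruleset: List[Rule]) -> dict:
    """Summarise what the policy exposes; handy as a pre-deployment check."""
    return {
        "messenger_exposed": exposed_messenger_ports(ruleset),
        "smtp_reachable": evaluate(ruleset, "tcp", 25) == "allow",
        "http_reachable": evaluate(ruleset, "tcp", 80) == "allow",
    }

if __name__ == "__main__":
    for name, rs in (("weak", WEAK_INGRESS), ("fixed", FIXED_INGRESS)):
        print(name, audit(rs))
```

Running the script shows the weak policy still allowing 135/tcp and 135/udp while the corrected one exposes only the two services the host is meant to serve; a reviewer can drop a real exported ruleset into the same evaluator before trusting that "NetBIOS is blocked" covers the Messenger path.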