Thanks all for the advice. Ran some tests, and discovered our former firewall (which had firmware issues) was detached and never reconnected. We're installing another firewall.
Keith Purtell, Web/Network Administrator VantageMed Operations (Kansas City) Email: [EMAIL PROTECTED] CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry > Sent: Monday, March 31, 2003 4:28 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] Possible exploit on mail server > > > > >Don't know if this is related to spam or not... This morning > I logged onto > >the NT4 server where we > >host both our web and mail server. Immediately noticed a > Messenger Service > >box (like you get with > >"net send" from dos prompt) containing a typical spam > message (edited): > >"From our Research Dept ... > >Work From Home ... Type this address in your browser ..." > > This is what some people are calling "pop-up ads" (which > unfortunately is > exactly the same term used for new web browser windows that "pop up"). > > This should only be possible for the spammer to accomplish if > you are not > running a firewall (or have one set up so that anyone can > access ports > 137/138/139). > > >First I went into the Task Manager where confirmed it really was the > >Messenger Service (csrss) being > >used. Then I made sure the service executable had not been > modified. Then > >I ran F-Prot to make sure > >there were no known viruses. Then I ran a tracert on the IP address > >mentioned in the spam. Then I > >checked the event log, but didn't have any relevant entries. > Then I ran a > >recent Critical Update > >from the Microsoft site, just in case it applied to what I > was seeing. I > >rebooted and the message is > >gone, but I don't know how they got in. There are only a few > accounts on > >this server. IUSR and IWAM, > >administrator, myself and my boss, and a special account for > FTP access. > >Any ideas? > > No virus, no vulnerability, no funny stuff. Just a firewall > that isn't > doing its job. Those messages can *only* be sent if the > Internet can send > NetBIOS messages to your computers (which normally should > *not* be allowed). > -Scott > --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
