[Declude.JunkMail] Possible exploit on mail server
Don't know if this is related to spam or not...

This morning I logged onto the NT4 server where we host both our web and mail server. Immediately noticed a Messenger Service box (like you get with net send from a DOS prompt) containing a typical spam message (edited):

    From our Research Dept ... Work From Home ... Type this address in your browser ...

First I went into the Task Manager, where I confirmed it really was the Messenger Service (csrss) being used. Then I made sure the service executable had not been modified. Then I ran F-Prot to make sure there were no known viruses. Then I ran a tracert on the IP address mentioned in the spam. Then I checked the event log, but it didn't have any relevant entries. Then I ran a recent Critical Update from the Microsoft site, just in case it applied to what I was seeing.

I rebooted and the message is gone, but I don't know how they got in. There are only a few accounts on this server: IUSR and IWAM, administrator, myself and my boss, and a special account for FTP access.

Any ideas?

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Possible exploit on mail server
> Don't know if this is related to spam or not...
>
> This morning I logged onto the NT4 server where we host both our web and mail server. Immediately noticed a Messenger Service box (like you get with net send from a DOS prompt) containing a typical spam message (edited):
>
>     From our Research Dept ... Work From Home ... Type this address in your browser ...

This is a recent technique used by spammers, but it's nothing more complex than using, in fact, NET SEND--which shouldn't have a chance in h*** of working against a firewalled server. Are you allowing NetBIOS ports through your fw for some reason?

-Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
Re: [Declude.JunkMail] Possible exploit on mail server
> Don't know if this is related to spam or not...
>
> This morning I logged onto the NT4 server where we host both our web and mail server. Immediately noticed a Messenger Service box (like you get with net send from a DOS prompt) containing a typical spam message (edited):
>
>     From our Research Dept ... Work From Home ... Type this address in your browser ...

This is what some people are calling pop-up ads (which unfortunately is exactly the same term used for new web browser windows that pop up). This should only be possible for the spammer to accomplish if you are not running a firewall (or have one set up so that anyone can access ports 137/138/139).

> First I went into the Task Manager, where I confirmed it really was the Messenger Service (csrss) being used. Then I made sure the service executable had not been modified. Then I ran F-Prot to make sure there were no known viruses. Then I ran a tracert on the IP address mentioned in the spam. Then I checked the event log, but it didn't have any relevant entries. Then I ran a recent Critical Update from the Microsoft site, just in case it applied to what I was seeing.
>
> I rebooted and the message is gone, but I don't know how they got in. There are only a few accounts on this server: IUSR and IWAM, administrator, myself and my boss, and a special account for FTP access.
>
> Any ideas?

No virus, no vulnerability, no funny stuff. Just a firewall that isn't doing its job. Those messages can *only* be sent if the Internet can send NetBIOS messages to your computers (which normally should *not* be allowed).

-Scott
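An added check, not code from the thread or from Declude, that audits a simple inbound firewall ruleset for the exposure Scott describes: whether an Internet host can reach the NetBIOS ports (UDP 137/138, TCP 139) that Messenger Service pop-ups depend on. The rule syntax, the sample rulesets and the sample Internet address are all constructed for this example.

```python
# Added example, not code from the Declude thread: audit a simple inbound
# firewall ruleset for the exposure Scott describes, i.e. Internet hosts able
# to reach the NetBIOS ports (UDP 137/138, TCP 139) that Messenger Service
# "NET SEND" pop-ups ride on. Rule syntax is constructed for this example:
#   "<allow|deny> <tcp|udp|any> <source-cidr|any> <port|lo-hi|any>"
# First matching rule wins; unmatched traffic falls to the default policy.
import ipaddress

NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}
INTERNET_SRC = ipaddress.ip_address("203.0.113.10")  # constructed (TEST-NET-3)

def _ports(spec):
    if spec == "any":
        return range(1, 65536)
    if "-" in spec:
        lo, hi = spec.split("-")
        return range(int(lo), int(hi) + 1)
    return [int(spec)]

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, proto, src, ports = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)
        rules.append((action, proto, net, _ports(ports)))
    return rules

def allowed(rules, proto, src, port, default):
    for action, rproto, net, ports in rules:
        if rproto in ("any", proto) and src in net and port in ports:
            return action == "allow"
    return default == "allow"

def netbios_exposure(ruleset_text, default="allow"):
    """NetBIOS ports an Internet host can reach, e.g. ['tcp/139', 'udp/137']."""
    rules = parse_rules(ruleset_text)
    return sorted(f"{p}/{n}" for p, n in NETBIOS
                  if allowed(rules, p, INTERNET_SRC, n, default))

WEAK = """allow tcp any 25      # SMTP
allow tcp any 80      # web
allow any any any     # "just make it work" catch-all
"""
HARDENED = """allow tcp any 25
allow tcp any 80
deny any any 137-139  # NetBIOS never from the Internet
"""
```

With the weak ruleset (or no firewall at all, which is the default-allow case) all three NetBIOS ports come back as exposed; with the hardened ruleset, or with NetBIOS permitted only from private address space, the result is empty.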
RE: [Declude.JunkMail] Possible exploit on mail server
I had this happen also several times, about 2 months ago. I did everything you mentioned below. A friend had me download a utility called spybot, which found a cookie in my internet explorer that launches popup ads automatically. Once I removed this, I haven't seen any since.

http://spybot.safer-networking.de

This month in PC Magazine, they also talk about this sneaky thing they are doing with ad cookies. You surf some web sites and it loads this in the background automatically.

---
Steven Cmajdalka
[EMAIL PROTECTED]
The Graphics Group, Dallas, TX 75226
---

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Purtell
Sent: Monday, March 31, 2003 4:11 PM
To: Declude JunkMail (E-mail)
Subject: [Declude.JunkMail] Possible exploit on mail server
RE: [Declude.JunkMail] Possible exploit on mail server
Thanks all for the advice. Ran some tests, and discovered our former firewall (which had firmware issues) was detached and never reconnected. We're installing another firewall.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Monday, March 31, 2003 4:28 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Possible exploit on mail server