[Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026

Rick Leske rick at jaray.net
Thu Jun 26 04:02:24 GMT 2003


Well, here's a snip of some examples of ports that one would clearly need to
block:

!
! Known Virus and Trojan ports
!
! MS SQL Slammer Worm
!
access-list 101 deny udp any any eq 1434 log
!
! Legacy small services no longer used
!
access-list 101 deny tcp any any range 0 19 log
access-list 101 deny udp any any range 0 19 log
!
! Finger
!
access-list 101 deny tcp any any eq 79 log
access-list 101 deny udp any any eq 79 log
!
! SNMP Trap
!
access-list 101 deny tcp any any range 161 162 log
access-list 101 deny udp any any range 161 162 log
!
! SMUX
access-list 101 deny tcp any any eq 199 log
access-list 101 deny udp any any eq 199 log
!
! SNMP Relay Port
access-list 101 deny tcp any any eq 391 log
access-list 101 deny udp any any eq 391 log
!
! AgentX
access-list 101 deny tcp any any eq 705 log
access-list 101 deny udp any any eq 705 log
!
! cisco SNMP TCP port
access-list 101 deny tcp any any eq 1993 log
access-list 101 deny udp any any eq 1993 log
!
! Lan-only DHCP and TFTP
!
access-list 101 deny udp any any range 67 69 log
access-list 101 deny tcp any any range 67 69 log
!
! Microsoft NETBIOS (messenger spam)
!
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny udp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny udp any any eq 445 log
!
! Unix RPC
!
access-list 101 deny tcp any any eq 111 log
access-list 101 deny udp any any eq 111 log
!
! Lan-only unix services
!
access-list 101 deny tcp any any range 511 515 log
access-list 101 deny udp any any range 511 515 log
!
! IRCD
!
access-list 101 deny tcp any any eq 6667 log
access-list 101 deny udp any any eq 6667 log
!
! ICMP Fragments
!
access-list 101 deny icmp any any fragments log
!
! Inbound ping
!
access-list 101 permit icmp any any echo
!
! Inbound ping response
!
access-list 101 permit icmp any any echo-reply
!
! Path MTU to function
!
access-list 101 permit icmp any any packet-too-big
!
! Flow control
!
access-list 101 permit icmp any any source-quench
!
! Time exceeded messages for traceroute and loops
!
access-list 101 permit icmp any any time-exceeded
!
! Block all other ICMP packets
!
access-list 101 deny icmp any any log
!
! Permit everything else
!
access-list 101 permit ip any any

Point being that the 'internet' is not a safe or adequately regulated
environment.  One cannot assume that "seat belts" save lives - facts have
proven they do... just as blocking ports saves corporations trillions of
dollars.

~Rick
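The access list above is evaluated top to bottom, first match wins, with an implicit deny at the end. That ordering is what makes the "ICMP Fragments" line matter: written as a bare `deny icmp any any`, it matches every ICMP packet and the echo, echo-reply, packet-too-big and time-exceeded permits after it can never be reached; with the `fragments` keyword it only matches non-initial fragments. The following evaluator is an added example, not code from Rick's message or from Cisco: it parses a constructed subset of the posted ACL (the `ACL_AS_POSTED` string, with the ICMP line reproduced as a bare deny, and a second copy with `fragments` added), reports which rule a given packet hits, and lists rules that an earlier rule fully covers. It also shows that the thread's own port, UDP 1026, falls through to the final `permit ip any any`. The `Rule` and `Packet` classes and the `covers` check are this example's own simplifications (destination port only, `any any` addresses, named ICMP types).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the ACL quoted in the message above.  The "ICMP
# Fragments" line is reproduced here as a bare "deny icmp any any log",
# which is how it was posted, so its effect on later rules can be shown.
ACL_AS_POSTED = """
access-list 101 deny udp any any eq 1434 log
access-list 101 deny tcp any any range 0 19 log
access-list 101 deny udp any any range 0 19 log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny udp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny udp any any eq 445 log
access-list 101 deny icmp any any log
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any log
access-list 101 permit ip any any
"""

# Same list with the "fragments" keyword on the first ICMP deny (the
# intended "ICMP Fragments" rule); only that first occurrence is replaced.
ACL_WITH_FRAGMENTS = ACL_AS_POSTED.replace(
    "deny icmp any any log", "deny icmp any any fragments log", 1)

# Simplified grammar: "any any" addresses, optional eq/range/ICMP-type/fragments
# qualifier, optional trailing "log".
ACL_LINE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|icmp|ip)"
    r"\s+any\s+any(?P<qual>(?:\s+\S+)*?)(?:\s+log)?$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    ports: Optional[Tuple[int, int]]  # destination port range, None = any port
    icmp_type: Optional[str]          # named ICMP type, None = any type
    fragments: bool                   # True when the rule carries "fragments"
    text: str


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # destination port for tcp/udp
    icmp_type: Optional[str] = None   # e.g. "echo"
    fragment: bool = False            # non-initial IP fragment


def parse_acl(text: str) -> List[Rule]:
    """Parse the supported subset of Cisco extended-ACL syntax, skipping comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        tok = m.group("qual").split()
        ports = icmp_type = None
        fragments = False
        if tok[:1] == ["eq"]:
            ports = (int(tok[1]), int(tok[1]))
        elif tok[:1] == ["range"]:
            ports = (int(tok[1]), int(tok[2]))
        elif tok == ["fragments"]:
            fragments = True
        elif tok:
            icmp_type = tok[0]
        rules.append(Rule(m.group("action"), m.group("proto"), ports, icmp_type, fragments, line))
    return rules


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.ports is not None and (pkt.dport is None or not rule.ports[0] <= pkt.dport <= rule.ports[1]):
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.fragments and not pkt.fragment:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First match wins; an extended ACL ends with an implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.text
    return "deny", None


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` already matches `outer`."""
    if outer.proto != "ip" and outer.proto != inner.proto:
        return False
    if outer.ports is not None and (inner.ports is None or not
                                    (outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])):
        return False
    if outer.icmp_type is not None and outer.icmp_type != inner.icmp_type:
        return False
    if outer.fragments and not inner.fragments:
        return False
    return True


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule covers them."""
    return [r.text for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


if __name__ == "__main__":
    posted, fixed = parse_acl(ACL_AS_POSTED), parse_acl(ACL_WITH_FRAGMENTS)
    for pkt in (Packet("udp", 135), Packet("udp", 1026), Packet("icmp", icmp_type="echo")):
        print(pkt, "-> as posted:", evaluate(posted, pkt)[0], "/ with fragments:", evaluate(fixed, pkt)[0])
    print("shadowed as posted:", shadowed_rules(posted))
    print("shadowed with fragments:", shadowed_rules(fixed))
```

Running it shows UDP/135 denied by the NETBIOS range, UDP/1026 permitted by the catch-all, and an ICMP echo denied by the bare ICMP line but permitted once that line carries `fragments`; the shadow check lists the four ICMP permits and the final ICMP deny as unreachable in the as-posted form and nothing in the corrected one.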

----- Original Message ----- 
From: "morning_wood" <se_cur_ity at hotmail.com>
To: <jullrich at euclidian.com>; "General DShield Discussion List"
<list at dshield.org>
Cc: <full-disclosure at lists.netsys.com>
Sent: Saturday, June 21, 2003 4:02 PM
Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup
SpamonUDP Port 1026


> The point being there should be no ISP blocking of any ports, period.
> Why? For what purpose? I would seek another provider if my ISP
> purposely blocked ports. Unless a critical mass DDoS was in full
> disruption and temporary measures taken to prevent further
> amplification were used and full service restored after the threat was
> diminished.
>
> wood
>
> ----- Original Message ----- 
> From: "Johannes Ullrich" <jullrich at euclidian.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Cc: "Joe Stewart" <jstewart at lurhq.com>;
> <full-disclosure at lists.netsys.com>
> Sent: Saturday, June 21, 2003 10:14 AM
> Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup
> Spamon UDP Port 1026
>
>
> > Well, blocking port 1026 is probably not such a great idea. But
> > why would a non-windows user suffer if port 135-139 & 445 is
> > blocked?
> >
> >
> >
> > On Sat, 2003-06-21 at 00:40, morning_wood wrote:
> > > so all users should suffer an ISP blocking ports just because some
> > > people run windows???? excuse me? Better would be to just disable
> > > windows messaging service. or issue a patch for it, as opposed to
> > > blocking port traffic.
> > >
> > > wood
> > >
> > > ----- Original Message ----- 
> > > From: "Joe Stewart" <jstewart at lurhq.com>
> > > To: <list at dshield.org>
> > > Cc: <full-disclosure at lists.netsys.com>; <intrusions at incidents.org>;
> > > <isc at sans.org>
> > > Sent: Friday, June 20, 2003 7:37 PM
> > > Subject: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026
> > >
> > >
> > > > Windows Messenger Popup Spam on UDP Port 1026
> > > >
> > > > URL: http://www.lurhq.com/popup_spam.html
> > > > Release Date: June 20, 2003
> > > > Author: Joe Stewart
> > > >
> > > > LURHQ Corporation has observed traffic to large blocks of IP addresses
> > > > on UDP port 1026. This traffic started around June 18, 2003 and has
> > > > been constant since that time. LURHQ analysts have determined that the
> > > > source of the traffic is spammers who have discovered that the Windows
> > > > Messenger service listens for connections on port 1026 as well as the
> > > > more widely-known port 135. Windows Messenger has been a target for
> > > > spammers since late last year, because it allows anonymous pop-up
> > > > messages to be displayed on any Windows system running the messenger
> > > > service. Due to widespread abuse, many ISPs have moved to block
> > > > inbound traffic on UDP port 135. It appears the spammers have adapted,
> > > > so ISPs are urged to block UDP port 1026 inbound as well.
> > > >
> > > > It is possible to disable the messenger service on some platforms
> > > > following the instructions below. However, the fact that you can
> > > > receive these messages points to the fact that your computer is
> > > > unsecured and vulnerable to other possible attacks in the future.
> > > > Disabling the messenger service will stop the pop-up spam, but will
> > > > not protect you in any other way. Home users are encouraged to install
> > > > personal firewall software to block unauthorized connections to their
> > > > computers. Users are discouraged from purchasing specialized Windows
> > > > Messenger popup blocking software as it is often sold by the same
> > > > company that is sending the popups.
> > > >
> > > > To disable the Messenger Service, follow the instructions for your
> > > > Windows version:
> > > >
> > > > Windows XP Home
> > > >   * Click Start, then click Control Panel.
> > > >   * Double-click Performance and Maintenance.
> > > >   * Double-click Administrative Tools.
> > > >   * Double-click Services.
> > > >   * Scroll down, highlight and right-click on Messenger and choose
> > > >     Properties
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows XP Professional
> > > >   * Click Start, then click Control Panel.
> > > >   * Double-click Administrative Tools
> > > >   * Double-click Services
> > > >   * Scroll down, highlight and right-click on Messenger and choose
> > > >     Properties
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows 2000/NT
> > > >   * Click Start, go to Settings, then click Control Panel.
> > > >   * Double-click Administrative Tools.
> > > >   * Double-click Services.
> > > >   * Double-click Messenger.
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows 98/ME
> > > > The Windows Messenger Service cannot be disabled
> > > >
> > > > --
> > > >
> > > > About LURHQ Corporation
> > > > LURHQ Corporation is the trusted provider of Managed Security
> > > > Services. Founded in 1996, LURHQ has built a strong business
> > > > protecting the critical information assets of more than 400 customers
> > > > by offering managed intrusion prevention and protection services.
> > > > LURHQ's 24X7 Incident Handling capabilities enable customers to
> > > > enhance their security posture while reducing the costs of managing
> > > > their security environments. LURHQ's OPEN Service Delivery(TM)
> > > > methodology facilitates a true partnership with customers by providing
> > > > a real time view of the organization's security status via the
> > > > Sherlock Enterprise Security Portal. For more information visit
> > > > http://www.lurhq.com/
> > > >
> > > > Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted for
> > > > the redistribution of this document electronically. It is not to be
> > > > altered or edited in any way without the express written consent of
> > > > LURHQ Corporation. If you wish to reprint the whole or any part of
> > > > this document in any other medium excluding electronic media, please
> > > > e-mail advisories at lurhq.com for permission.
> > > >
> > > > Disclaimer
> > > > The information within this paper may change without notice. Use of
> > > > this information constitutes acceptance for use in an AS IS condition.
> > > > There are NO warranties implied or otherwise with regard to this
> > > > information. In no event shall the author be liable for any damages
> > > > whatsoever arising out of or in connection with the use or spread of
> > > > this information.
> > > >
> > > > Feedback
> > > > Updates and/or comments to:
> > > > LURHQ Corporation
> > > > http://www.lurhq.com/
> > > > advisories at lurhq.com
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > > >
> > >
> > > _______________________________________________
> > > list mailing list
> > > list at dshield.org
> > > To change your subscription options (or unsubscribe), see:
> > > http://www.dshield.org/mailman/listinfo/list
> >
> ___________________________________________________________________
> Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
>
>
