[unisog] I may have spoken too soon (Windows message)

Clarke Morledge chmorl at wm.edu
Thu Oct 10 19:50:00 GMT 2002

We've been getting both of these "diploma" and "poetry" messages, and like
Martin, we block ports 137-139 at the firewall.

Two questions:

(1) Does anybody know how we are getting hit by this?

(2) Does anybody have any IDS signatures to detect it?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu

On Thu, 10 Oct 2002, Martin Radford wrote:

> --On 10 October 2002 08:24 -0400 Rita Seplowitz Saltz
> <rita at princeton.edu> wrote:
> > I've just heard from a colleague with a Windows machine that she
> > found a message window as she started up, advertising diplomas for
> > sale.
> > 
> > I've notified our Network and PC Systems folks.  Given the silence
> > for the past few days, I certainly believed we had it licked, but
> > this new report does not sound good!
>
> What's interesting is that I had a colleague report this to me this
> morning.  However, we firewall ports 137-139 at our incoming router, so
> this must have come from within our network.  I just wonder whether
> this might be happening via infected attachments, or similar.
>
> Martin
> -- 
> Martin Radford  (Martin.Radford at bristol.ac.uk)
> Personal Computer Systems Team
> Information Systems & Computing
> University of Bristol Information Services
> PGP keyID:       5D2D92E9
> PGP fingerprint: 137E 0277 9D78 7447 71D0 BB3D C20D BB9A 5D2D 92E9
