[unisog] I may have spoken too soon (Windows message)

Clarke Morledge chmorl at wm.edu
Thu Oct 10 22:09:53 GMT 2002

Thanks for the feedback many of you have given me.

I neglected to mention that we do block TCP port 445, also.

Yes, this is primarily an annoyance (a noticeable one!), as others have
mentioned, but what bugs me is that somehow someone circumvented my
blocking of the Microsoft ports (137-139, 445) at our edge firewall to
"net send" our campus.  If you need one of these ports to accomplish a
"net send", then clearly the "net send" was done locally.

So it looks like an external host has exploited some Windows vulnerability
to drop some code in to do the "net send".

Since this Windows message spamming incident is so widespread among the
users of this list, there is probably a common vulnerability being
exploited.  But which one is it?

We've seen this only on XP systems so far, but that's far from being
conclusive.  We've only seen this once today each for the "diploma"
and "poetry" message.  Hopefully, by looking at the compromised internal
systems we can get a clue -- but no success so far.

It sounds like I need to take a closer look at port 135, too, the Windows
RPC portmapper.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu
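Added example, not part of the original post or of anything Clarke Morledge wrote: a small script that makes the reasoning above concrete. It takes the edge block list as the post describes it (TCP 137-139 and TCP 445) and compares it against the transports the Messenger service can be reached over, then triages a few constructed firewall log lines for accepted inbound packets on whatever is left uncovered. The list of Messenger endpoints (UDP 137/138, TCP 139/445, and TCP and UDP 135) is my assumption, as are the log format, the 192.0.2.0/24 "internal" prefix and all sample addresses.

```python
"""Added example (not from the original post): check whether an edge block list
covers every transport the Windows Messenger service ("net send") can be reached
over, then triage constructed firewall log lines for inbound hits on the gaps.

Assumptions (mine, not the post's): the Messenger service accepts messages over
NetBIOS datagrams (UDP 137/138), NetBIOS session / SMB (TCP 139, TCP 445) and
MS-RPC (TCP 135 and UDP 135).  The block list mirrors the one described in the
post: TCP 137-139 and TCP 445 at the edge firewall.
"""
import re
from collections import Counter

# Transports the Messenger service can listen on (assumed, see docstring).
MESSENGER_ENDPOINTS = {
    ("tcp", 135), ("udp", 135),
    ("udp", 137), ("udp", 138),
    ("tcp", 139), ("tcp", 445),
}

# Edge block list as described in the post: 137-139 and 445, TCP only.
EDGE_BLOCKS = {("tcp", p) for p in (137, 138, 139, 445)}


def uncovered_endpoints(listening, blocked):
    """Return the (proto, port) pairs an external host could still reach."""
    return sorted(listening - blocked)


# Constructed log lines in a generic "ACTION proto src:sport -> dst:dport"
# shape; they are not real firewall output and not from the post.
SAMPLE_LOG = """\
ACCEPT udp 198.51.100.7:1034 -> 192.0.2.15:135
DENY   tcp 198.51.100.7:4021 -> 192.0.2.15:139
ACCEPT udp 203.0.113.9:2077 -> 192.0.2.22:135
ACCEPT udp 203.0.113.9:2078 -> 192.0.2.23:138
ACCEPT tcp 192.0.2.40:51023 -> 192.0.2.15:139
DENY   tcp 198.51.100.7:4022 -> 192.0.2.15:445
"""

LOG_RE = re.compile(
    r"^(?P<action>ACCEPT|DENY)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip, internal_prefix="192.0.2."):
    """Hypothetical campus range check; 192.0.2.0/24 is a documentation prefix."""
    return ip.startswith(internal_prefix)


def accepted_inbound_hits(log_text, endpoints, internal_prefix="192.0.2."):
    """Count ACCEPTed packets from external sources to the given endpoints.

    Internal sources are skipped: the post's point is that a message arriving
    on a port blocked at the edge must have been sent by a local host.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue
        if is_internal(m["src"], internal_prefix):
            continue
        key = (m["proto"], int(m["dport"]))
        if key in endpoints:
            hits[key] += 1
    return hits


if __name__ == "__main__":
    gaps = uncovered_endpoints(MESSENGER_ENDPOINTS, EDGE_BLOCKS)
    print("still reachable from outside:", gaps)
    for key, n in sorted(accepted_inbound_hits(SAMPLE_LOG, set(gaps)).items()):
        print(f"{key[0]}/{key[1]}: {n} accepted inbound packet(s)")
```

With the block list as described, the script reports TCP 135 and UDP 135/137/138 as uncovered, and the sample log shows accepted external packets on UDP 135 and UDP 138; the one TCP 139 hit comes from an internal address and is not counted. Swap in your own block list and exported log lines to see which Messenger transports your edge actually leaves open.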
