[unisog] I may have spoken too soon (Windows message)

Harris, Michael C. HarrisMC at health.missouri.edu
Thu Oct 10 21:43:06 GMT 2002


On 2000/XP you can turn off messages using "net stop messenger", but this may adversely affect other services that send messages.

Here are headers (below) out of Shadow for the 139 version of popup messages.

According to how NetBIOS functions, it will probably hit you on 445 on 2000/XP machines, even if 135 and 137-9 are blocked.
Please correct me if anyone can prove/disprove this.

mike

2002/10/10-14:45:12.055646 216.127.74.158.3184 > x.x.248.7.135:  udp 1
2002/10/10-14:45:12.056064 x.x.248.7.135 > 216.127.74.158.3184:  udp 84
2002/10/10-14:45:15.704829 216.127.74.158.137 > x.x.248.7.137:  >>> NBT UDP Pkt(137): Query; REQ; BCAST
2002/10/10-14:45:15.705211 x.x.248.7.137 > 216.127.74.158.137:  >>> NBT UDP Pkt(137): Query; POS; RESP; UNICAST
2002/10/10-14:45:15.849915 216.127.74.158.4196 > x.x.248.7.139: S 2537354744:2537354744(0) win 16384  (DF)
2002/10/10-14:45:15.850199 x.x.248.7.139 > 216.127.74.158.4196: S 1870893074:1870893074(0) ack 2537354745 win 17520  (DF)
2002/10/10-14:45:15.984036 216.127.74.158.4196 > x.x.248.7.139: . ack 1870893075 win 17520 (DF)
2002/10/10-14:45:15.984153 216.127.74.158.4196 > x.x.248.7.139: P 2537354745:2537354817(72) ack 1870893075 win 17520 >>> NBT Pkt: NBT Session Request Flags=0x81000044 (DF)
2002/10/10-14:45:15.985409 x.x.248.7.139 > 216.127.74.158.4196: P 1870893075:1870893079(4) ack 2537354817 win 17448 >>> NBT Pkt: NBT Session Granted Flags=0x82000000 (DF)
2002/10/10-14:45:16.231773 216.127.74.158.4196 > x.x.248.7.139: . ack 1870893079 win 17516 (DF)
2002/10/10-14:45:17.194965 216.127.74.158.4196 > x.x.248.7.139: P 2537354817:2537354881(64) ack 1870893079 win 17516 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=60  SMB Pkt: SMBsendstrt (REQ)(DF)
2002/10/10-14:45:17.345099 x.x.248.7.139 > 216.127.74.158.4196: . ack 2537354881 win 17384 (DF)
2002/10/10-14:45:21.051583 x.x.248.7.139 > 216.127.74.158.4196: P 1870893079:1870893120(41) ack 2537354881 win 17384 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=37  SMB Pkt: SMBsendstrt (REQ) (DF)
2002/10/10-14:45:21.367737 216.127.74.158.4196 > x.x.248.7.139: . ack 1870893120 win 17475 (DF)
2002/10/10-14:45:38.656731 216.127.74.158.4196 > x.x.248.7.139: P 2537354881:2537355048(167) ack 1870893120 win 17475 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=163  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:45:38.657427 x.x.248.7.139 > 216.127.74.158.4196: P 1870893120:1870893159(39) ack 2537355048 win 17217 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=35  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:45:38.961617 216.127.74.158.4196 > x.x.248.7.139: . ack 1870893159 win 17436 (DF)
2002/10/10-14:45:43.663955 216.127.74.158.4196 > x.x.248.7.139: P 2537355048:2537355216(168) ack 1870893159 win 17436 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=164  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:45:43.667604 x.x.248.7.139 > 216.127.74.158.4196: P 1870893159:1870893198(39) ack 2537355216 win 17049 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=35  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:45:43.955016 216.127.74.158.4196 > x.x.248.7.139: . ack 1870893198 win 17397 (DF)
2002/10/10-14:45:44.074266 216.127.74.158.4196 > x.x.248.7.139: P 2537355216:2537355383(167) ack 1870893198 win 17397 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=163  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:45:44.231197 x.x.248.7.139 > 216.127.74.158.4196: . ack 2537355383 win 16882 (DF)
2002/10/10-14:45:48.668250 x.x.248.7.139 > 216.127.74.158.4196: P 1870893198:1870893237(39) ack 2537355383 win 16882 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=35  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:45:48.964847 216.127.74.158.4196 > x.x.248.7.139: . ack 1870893237 win 17358 (DF)
2002/10/10-14:46:07.867961 216.127.74.158.4196 > x.x.248.7.139: P 2537355383:2537355548(165) ack 1870893237 win 17358 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=161  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:46:07.868688 x.x.248.7.139 > 216.127.74.158.4196: P 1870893237:1870893276(39) ack 2537355548 win 16717 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=35  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:46:08.111578 216.127.74.158.4196 > x.x.248.7.139: . ack 1870893276 win 17319 (DF)
2002/10/10-14:46:09.021695 216.127.74.158.4196 > x.x.248.7.139: P 2537355548:2537355666(118) ack 1870893276 win 17319 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=114  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:46:09.208195 x.x.248.7.139 > 216.127.74.158.4196: . ack 2537355666 win 16599 (DF)
2002/10/10-14:46:12.869005 x.x.248.7.139 > 216.127.74.158.4196: P 1870893276:1870893315(39) ack 2537355666 win 16599 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=35  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:46:13.032931 216.127.74.158.4196 > x.x.248.7.139: P 2537355666:2537355707(41) ack 1870893315 win 17280 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=37  SMB Pkt: SMBsendend (REQ) (DF)
2002/10/10-14:46:13.220577 x.x.248.7.139 > 216.127.74.158.4196: . ack 2537355707 win 16558 (DF)
2002/10/10-14:46:17.869451 x.x.248.7.139 > 216.127.74.158.4196: P 1870893315:1870893354(39) ack 2537355707 win 16558 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=35  SMB Pkt: SMBsendend (REQ)  (DF)
2002/10/10-14:46:18.114747 216.127.74.158.4196 > x.x.248.7.139: F 2537355707:2537355707(0) ack 1870893354 win 17241 (DF)
2002/10/10-14:46:18.115390 x.x.248.7.139 > 216.127.74.158.4196: F 1870893354:1870893354(0) ack 2537355708 win 16558 (DF)
2002/10/10-14:46:18.237912 216.127.74.158.4196 > x.x.248.7.139: . ack 1870893355 win 17241 (DF)


-----Original Message-----
From: Clarke Morledge [mailto:chmorl at wm.edu]
Sent: Thursday, October 10, 2002 2:50 PM
To: unisog
Subject: Re: [unisog] I may have spoken too soon (Windows message)


We've been getting both of these "diploma" and "poetry" messages, and like
Martin, we block ports 137-139 at the firewall.

Two questions:

(1) Does anybody know how we are getting hit by this?

(2) Does anybody have any IDS signatures to detect it?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
757-221-1536
chmorl at wm.edu

On Thu, 10 Oct 2002, Martin Radford wrote:

> --On 10 October 2002 08:24 -0400 Rita Seplowitz Saltz
> <rita at princeton.edu> wrote:
> 
> > I've just heard from a colleague with a Windows machine that she
> > found a message window as she started up, advertising diplomas for
> > sale.
> > 
> > I've notified our Network and PC Systems folks.  Given the silence
> > for the past few days, I certainly believed we had it licked, but
> > this new report does not sound good!
> 
> What's interesting is that I had a colleague report this to me this
> morning.  However, we firewall ports 137-139 at our incoming router, so
> this must have come from within our network.  I just wonder whether
> this might be happening via infected attachments, or similar.
> 
> Martin
> -- 
> Martin Radford  (Martin.Radford at bristol.ac.uk)
> Personal Computer Systems Team
> Information Systems & Computing
> University of Bristol Information Services
> PGP keyID:       5D2D92E9
> PGP fingerprint: 137E 0277 9D78 7447 71D0 BB3D C20D BB9A 5D2D 92E9
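A detector for the Messenger-service traffic shown in Mike's trace, in answer to Clarke's question about IDS signatures; this is an added example, not code from anyone on the list. It flags the SMBsendstrt / SMBsendtxt / SMBsendend request sequence from a client toward port 139 and, following Mike's 445 suggestion, toward 445 as well. The 139 lines are taken from the trace; the 445 lines and the 10.0.0.5 client are constructed.

```python
import re

# Constructed sample in the Shadow/tcpdump style of the trace above: a 139 session
# (lines taken from the trace, one server-side reply included) plus a hypothetical
# direct-hosted SMB session on 445 carrying the same sendstrt/sendtxt/sendend flow.
SAMPLE_TRACE = """\
2002/10/10-14:45:17.194965 216.127.74.158.4196 > x.x.248.7.139: P 2537354817:2537354881(64) ack 1870893079 win 17516 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=60  SMB Pkt: SMBsendstrt (REQ)(DF)
2002/10/10-14:45:21.051583 x.x.248.7.139 > 216.127.74.158.4196: P 1870893079:1870893120(41) ack 2537354881 win 17384 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=37  SMB Pkt: SMBsendstrt (REQ) (DF)
2002/10/10-14:45:38.656731 216.127.74.158.4196 > x.x.248.7.139: P 2537354881:2537355048(167) ack 1870893120 win 17475 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=163  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:45:43.663955 216.127.74.158.4196 > x.x.248.7.139: P 2537355048:2537355216(168) ack 1870893159 win 17436 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=164  SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:46:13.032931 216.127.74.158.4196 > x.x.248.7.139: P 2537355666:2537355707(41) ack 1870893315 win 17280 >>> NBT Pkt: NBT Session Packet Flags=0x0 Length=37  SMB Pkt: SMBsendend (REQ) (DF)
2002/10/10-14:50:00.000000 10.0.0.5.1025 > x.x.248.9.445: P 1:100(99) ack 1 win 17000 >>> SMB Pkt: SMBsendstrt (REQ) (DF)
2002/10/10-14:50:01.000000 10.0.0.5.1025 > x.x.248.9.445: P 100:250(150) ack 1 win 17000 >>> SMB Pkt: SMBsendtxt (REQ) (DF)
2002/10/10-14:50:02.000000 10.0.0.5.1025 > x.x.248.9.445: P 250:290(40) ack 1 win 17000 >>> SMB Pkt: SMBsendend (REQ) (DF)
"""

# Pull out timestamp, endpoints and the SMB command decoded after "SMB Pkt:".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
    r".*SMB Pkt: (?P<cmd>SMBsend(?:strt|txt|end)) \(REQ\)")
MSG_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

def parse_line(line):
    """(ts, src, dst, dport, cmd) for a client->139/445 Messenger request, else None."""
    m = LINE_RE.match(line)
    if not m or int(m["dport"]) not in MSG_PORTS:  # also drops the server's replies
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"]), m["cmd"]

def find_popup_sessions(trace):
    """One alert per sendstrt..sendend sequence from a client to port 139 or 445."""
    open_msgs, alerts = {}, []
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, cmd = rec
        key = (src, dst, dport)
        if cmd == "SMBsendstrt":
            open_msgs[key] = {"src": src, "dst": dst, "dport": dport,
                              "start": ts, "text_pkts": 0}
        elif key in open_msgs and cmd == "SMBsendtxt":
            open_msgs[key]["text_pkts"] += 1
        elif key in open_msgs and cmd == "SMBsendend":
            alert = open_msgs.pop(key)
            alert["end"] = ts
            alerts.append(alert)
    return alerts
```

Run it over a Shadow log to list each popup delivery with its source, destination, port and number of text fragments; a sendstrt with no sendend is left pending rather than alerted.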
