[unisog] I may have spoken too soon (Windows message)

Arnold, Jamie harnold at binghamton.edu
Fri Oct 11 12:55:09 GMT 2002

I'm not convinced that this is an internally compromised machine.  To jump
to that conclusion with no effort in proving the theory is folly.

-----Original Message-----
From: Clarke Morledge [mailto:chmorl at wm.edu] 
Sent: Thursday, October 10, 2002 6:10 PM
To: unisog
Subject: Re: [unisog] I may have spoken too soon (Windows message)

Thanks for the feedback many of you have given me.

I neglected to mention that we do block TCP port 445, also.

Yes, this is primarily an annoyance (a noticeable one!), as others have
mentioned, but what bugs me is that somehow someone circumvented my blocking
of the Microsoft ports (137-139, 445) at our edge firewall to "net send" our
campus.  If you need one of these ports to accomplish a "net send", then
clearly the "net send" was done locally.

So it looks like an external host has exploited some Windows vulnerability
to drop some code in to do the "net send".

Since this Windows message spamming incident is so widespread among the
users of this list, there is probably a common vulnerability being
exploited.  But which one is it?

We've seen this only on XP systems so far, but that's far from being
conclusive.  We've only seen this once today each for the "diploma" and
"poetry" message.  Hopefully, by looking at the compromised internal systems
we can get a clue -- but no success so far.

It sounds like I need to take a closer look at port 135, too, the Windows
RPC portmapper.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu
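The gap Clarke describes above (137-139 and 445 filtered at the edge, 135 not yet reviewed) is the kind of thing worth checking mechanically. The following is an added example, not code from either poster; it assumes an iptables-save style ruleset and a constructed sample standing in for the real edge filter, and reports which Messenger-related ports are still unblocked.

```python
import re

# Ports the thread discusses: NetBIOS (137-139), SMB (445) and the RPC
# endpoint mapper (135) that the post says needs a closer look.
MESSENGER_PORTS = {135, 137, 138, 139, 445}

# Constructed iptables-save style ruleset standing in for the edge filter
# (an assumption: the post does not say what the real firewall runs).
# It blocks 137-139 on both protocols and 445 on TCP only, and never
# mentions 135, mirroring the situation described in the post.
SAMPLE_RULES = """\
-A FORWARD -p tcp -m multiport --dports 137:139 -j DROP
-A FORWARD -p udp -m multiport --dports 137:139 -j DROP
-A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p tcp --dport 80 -j ACCEPT
"""

# Matches "-p tcp ... --dport 445 ... -j DROP" and the multiport
# "--dports 137:139,445" form; ranges use "lo:hi".
RULE_RE = re.compile(
    r"-p (?P<proto>tcp|udp) .*?--dports? (?P<ports>[\d:,]+) .*?-j (?P<target>\w+)"
)


def blocked_ports(rules: str) -> set:
    """Return the (proto, port) pairs covered by a DROP or REJECT rule."""
    covered = set()
    for line in rules.splitlines():
        m = RULE_RE.search(line)
        if not m or m.group("target") not in ("DROP", "REJECT"):
            continue
        for item in m.group("ports").split(","):
            lo, _, hi = item.partition(":")
            for port in range(int(lo), int(hi or lo) + 1):
                covered.add((m.group("proto"), port))
    return covered


def messenger_gaps(rules: str) -> set:
    """Messenger-related (proto, port) pairs the ruleset does not block."""
    wanted = {(p, port) for p in ("tcp", "udp") for port in MESSENGER_PORTS}
    return wanted - blocked_ports(rules)


if __name__ == "__main__":
    for proto, port in sorted(messenger_gaps(SAMPLE_RULES)):
        print(f"not blocked at the edge: {proto}/{port}")
```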
