Re: Messenger Service on the screen


From: Aron Roberts (aron@socrates.berkeley.edu)
Date: Thu Oct 03 2002 - 10:45:53 PDT


>Several computers on the two different domains I work on had this message
>on the monitor when I came in this morning...
>
>[summary of message contents omitted]
>
>Has anybody else seen this?

  Yes, others have. There has been an active discussion today regarding
this issue on the ucb-security list. (For subscription information,
please visit <http://ist-socrates.berkeley.edu:2002/ucb-security.html>.)

Eric Chamberlain wrote, in part:

>Several people have asked about a strange box on their Windows machines
>today. The message began with:
>Message from WX2 to (name of user) on 10/3/2002...
>
>This is not a virus, worm, or trojan. Using certain commands, it is
>possible to send messages to any Windows machine that is listening.
>Spammers now like to use this ability of Windows to send spam. They
>generally target a range of IP addresses and broadcast their message.
>
>There are a few ways to prevent this from happening. One is to disable
>the messenger service, but other services, like notification from print
>servers or UPS alerts, use this service for communication. The other
>option is to block NetBIOS/SMB traffic from getting to the machine, via
>firewall or router packet filtering. To block the traffic, ports
>137-139 and 445, both TCP and UDP, need to be blocked. This will break
>Windows file sharing and other features, so it would be best to only
>block IP addresses that the machine does not normally receive traffic
>from, off campus for example. CNS provides a list of campus subnets at
>ftp://ftp.net.berkeley.edu/pub/networks.local
 
John Ives also wrote:

>To the best of my knowledge there aren't any current exploits for the
>messenger service itself. This is not to say it is entirely safe. At
>least on NT 4 (I'm not sure if this still holds for 2000/XP, since I
>haven't checked)

And Alexander Brown replied:

>Yes, it does. It also provides a partial list of services running on
>the system, the MAC address, and what other systems you have open pipes to.

Aron Roberts
Workstation Software Support Group

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
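
An added example, not part of the original message or the posts quoted in it: a minimal model of the packet filter described above, which blocks ports 137-139 and 445 (TCP and UDP) only when the source is outside a list of trusted subnets. The subnet list, sample packets and function names are constructed for illustration; the subnets are documentation ranges standing in for the campus list.

```python
import ipaddress

# Ports named in the quoted advice: 137-139 and 445, both TCP and UDP.
FILTERED_PORTS = {137, 138, 139, 445}
FILTERED_PROTOS = {"tcp", "udp"}

# Constructed stand-ins for a campus subnet list (documentation ranges,
# not real campus networks).
TRUSTED_SUBNETS = ["192.0.2.0/24", "198.51.100.0/25"]


def load_subnets(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def verdict(src, proto, dport, trusted):
    """Return 'block' for NetBIOS/SMB traffic from outside the trusted subnets."""
    if proto.lower() not in FILTERED_PROTOS or dport not in FILTERED_PORTS:
        return "pass"  # unrelated traffic is not touched by this filter
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in trusted):
        return "pass"  # file sharing and print/UPS alerts keep working
    return "block"


def evaluate(packets, trusted):
    """Apply the filter to (src, proto, dport) tuples; return the verdicts."""
    return [(p, verdict(*p, trusted)) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("192.0.2.10", "udp", 138),      # trusted host, e.g. print server alert
    ("203.0.113.7", "udp", 137),     # outside the list, NetBIOS
    ("203.0.113.7", "tcp", 445),     # outside the list, SMB
    ("203.0.113.7", "tcp", 80),      # outside the list, unrelated port
    ("198.51.100.200", "tcp", 139),  # just outside the /25
]

if __name__ == "__main__":
    nets = load_subnets(TRUSTED_SUBNETS)
    for pkt, v in evaluate(SAMPLE_PACKETS, nets):
        print(f"{v:5}  {pkt[0]:15} {pkt[1]}/{pkt[2]}")
```

The last sample packet shows why the subnet boundaries matter: an address one bit outside a listed prefix is treated as untrusted.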



This archive was generated by hypermail 2b29 : Thu Oct 03 2002 - 10:48:15 PDT