
Stopping NetBIOS Spam?

Cliff posted more than 11 years ago | from the nothing-is-sacred dept.

Spam 97

MoonFacedAssassin asks: "I woke up this morning to find that my computer had a Windows messaging pop-up window with an advertisement about getting diplomas and degrees. I was quite shocked to find that my Bellsouth DSL IP address had been spammed. Has this happened to anyone else? Other than closing off the port which this can come through, are there any other ways to block this spam? And, how responsible is Bellsouth (or any ISP for that matter) in handling issues like this?"


97 comments

um. (4, Insightful)

danielrose (460523) | more than 11 years ago | (#4430230)

Are you new?
Seems to me that restricting the port would be the sane method of preventing outside persons from exploiting your system. The same as any other service on any other port.

Re:um. (5, Informative)

pruneau (208454) | more than 11 years ago | (#4430437)

I concur with you danielrose [mailto].

<RANT> Without denying MoonFacedAssassin [mailto] the right to a response to a very pertinent question, I think that posting that on Ask SlashJeeves [slashdot.org] shows a surprising level of ignorance from Cliff. Or is he at the end of some coding spree? Because this question does not belong here, but rather on some newsgroup like comp.security.firewall (someone help me there).

Anyway, let me end my RANT section by saying that the level of interest of ask slashdot has regularly reached new lows every day.

I'm worried, to say the least.

</RANT>

But let's drop the political/marketing aspect of that and take care of some real technical stuff:

(Yeah you guessed it, I'm getting pedantic during insomnias (it's 3:00 here)).
  1. Get over it: an IP does not get spammed, because scanning blocks of addresses does not require any kind of disclosure from your ISP. They only have to have a router advertising their block of IPs to the internet for those blocks of addresses to be scanned. Because having such a setup is one of the primary requirements to be an ISP. Sorry. Even residing in some secret whois database won't change anything there.

    Believe me, I've got firsthand experience of having systems simply plugged onto the internet, not even having a DNS record, and being scanned after one day of routable IP presence.

    And no, you don't want them to "protect" you from that, because if they start going big brother on you, you will notice a real drop in the number of things you can do online. Unless you really only want to surf and e-mail a bit, which would be perfectly understandable.

    But that's another debate: since the internet is a jungle now, do we want to see some new kind of ISP that babysits their not-so-technical users?

  2. The second thing that worries me is that if you got a Windows messaging message, this means that you probably have a whole slew of netbios services exposed to the internet. Now listen carefully: if you ever have a shared printer or, worse, a shared drive, your machine is already hacked. Even not having shares might not be sufficient to protect you.

    I'm not trying to scare you there, it's just a fact.

    In this case, please unplug from the network and reinstall from scratch. Do not back up any executable. And the first time you re-plug your machine onto the internet, please go immediately shopping for a personal firewall, like ZoneAlarm and such. Once this one is done, either make sure your anti-virus software is up to date, or get yourself one. This will give you a reasonable amount of security.

  3. If you followed me this far, well, thank you!!!
Now, welcome to a brave new world!

Re:um. (4, Insightful)

biglig2 (89374) | more than 11 years ago | (#4430547)

Netbios exposed to the internet? Ouchies. If your set-up has security that bad then the ISP isn't the person to ask for help - because who knows what else you've left lying open?

you are right, unbind netbios (2)

leuk_he (194174) | more than 11 years ago | (#4440623)

It is as simple as that, just unbind the netbios protocol from the tcp/ip stack that is linked to the internet.

NT4: control panel -> network -> services -> services, just make sure that under your internet IP (dial-up adapter) nothing else than tcp/ip is checked.

win2000: network -> make sure only tcp/ip is checked.

Stopping the messenger service will stop the spam, and leaves your PC open to the internet. But it helps against BOFH.

Re:um. (1)

afidel (530433) | more than 11 years ago | (#4431716)

Umm, any ISP, especially a broadband one, that does not give 255.255.255.255 as a subnet mask is asking for trouble and is doing their customers a disservice. Both my dialup ISP and my brother's cable modem ISP use this as a fairly standard first measure because it stops viruses and worms that start scanning with the local network. It also keeps people's open shares from showing up in network neighborhood etc.

Re:um. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4434173)

You fucking moron. Think before you talk.

Re:um. (2, Informative)

Yottabyte84 (217942) | more than 11 years ago | (#4435484)

255.255.255.255 is not a valid subnet mask. The most restrictive possible subnet mask is 255.255.255.252, and it has two usable IPs, one for a gateway and one for a computer.

Re:um. (2)

afidel (530433) | more than 11 years ago | (#4439848)

Actually it is valid, it just means nothing is on the subnet, not even your pc =) I can show you screenshots if you'd like.

Re:um. (1)

Yottabyte84 (217942) | more than 11 years ago | (#4440292)

It's still useless.

Re:um. (1)

pruneau (208454) | more than 11 years ago | (#4475148)

Well, just to settle (probably too late) that dispute:

You both are probably right. When you have a PPP link (PPP over ADSL or PPP over ethernet), since this is a point-to-point link the netmask is 255.255.255.255. This is not a security measure, this is PPP.

Now, if you have a cable modem that is not using PPPOE but DHCP (my case), then this is obviously not a valid netmask (mine is 255.255.255.0).

Go read any TCP/IP and networking-related howto and come back, guys!

Re:um. (2)

"Zow" (6449) | more than 11 years ago | (#4432979)

But that's another debate: since the internet is a jungle now, do we want to see some new kind of ISP that babysits their not-so-technical users?

We've got that already. It's called AOL.

-"Zow"

Re:um. (1, Funny)

GalionTheElf (515869) | more than 11 years ago | (#4473239)

since the internet is a jungle now, do we want to see some new kind of ISP that babysits their not-so-technical users?

What, they don't have AOL where you're from? ^_^

Overlooking the obvious (1, Troll)

esac17 (201752) | more than 11 years ago | (#4430245)

Don't run windows ...

Re:Overlooking the obvious (5, Insightful)

jilles (20976) | more than 11 years ago | (#4430342)

Especially not if you don't know how to configure it. There's even a GUI for disabling NETBIOS.

Re:Overlooking the obvious (3, Insightful)

kableh (155146) | more than 11 years ago | (#4433592)

Give me a break. Install Redhat 7.2 on PC, then plug that straight into the internet and tell me how long it takes to get r00ted. It took me all of 2 minutes at my last job.

A good start would be a decent software firewall. Tiny Software used to offer theirs for free for personal use, but seem to have taken it down from their website =(. If you scour the net, you might be able to find it for download from one of those shareware sites.

A reinstall also would be prudent. When I'm doing a fresh install I try to keep the machine behind a device doing NAT until I have proper firewall software installed and my box patched.

Shut it down? (2, Informative)

Inominate (412637) | more than 11 years ago | (#4430248)

I got one of these just the other day.
I believe shutting down the messenger service will stop them.

Re:Shut it down? (2, Interesting)

Blkdeath (530393) | more than 11 years ago | (#4431365)

I believe shutting down the messenger service will stop them.
Yeah, great idea - shut down the service that allows crackers to send you a banner advertising their illicit activities and force them to work in stealth mode.

That's worse than a band-aid for a broken arm, we're into tumor land here.

Re:Shut it down? (2)

Blkdeath (530393) | more than 11 years ago | (#4474485)

It seems as if two moderators have seen fit to mod me down for my (parent) post. Well I'm sorry, but if anything I think it's stating the obvious. If someone has found a way to gain entry to your computer, you should investigate how they got in, not shut off the message that's telling you that they were there.

This is why firewalls exist. Block all, allow some. For starters, block ports 135 and 137:139. These are ports that have been so readily available, and so frequently abused, that many major broadband ISPs in North America have taken to blocking them at all client access points.

These SPAMmers, if anything, are doing people a FAVOUR , and my point was simply that instead of stopping the 'annoying message', you could take it appropriately as a 'heads up' to the fact that you are running a vulnerable system and do something about it.

I apologize if some of you consider statement of the obvious as flamebait, but I guess, as they say, 'Common sense isn't very common.'

stop the service (3, Informative)

Sam Lowry (254040) | more than 11 years ago | (#4430284)

On Windows NT/2000/XP, stop the messaging service and enjoy ;-)

HOW TO stop the service (2)

Krelnik (69751) | more than 11 years ago | (#4431304)

I figure since you're not firewalled, you probably are not aware of the method to stop the Messenger service. Go to a command prompt or pick "Run" from the start menu and type:

NET STOP MESSENGER

To make sure it doesn't restart next time you reboot, go into Control Panel, find the Services applet. Set the Messenger service to startup settings of "Manual" or "Disabled" (as opposed to "Automatic" which restarts it at every boot).

That works for NT, 2000 and XP. If you are still running 95/98/Me, then may god have mercy on your soul.

Re:HOW TO stop the service (2)

Blkdeath (530393) | more than 11 years ago | (#4431381)

To make sure it doesn't restart next time you reboot, go into Control Panel, find the Services applet. Set the Messenger service to startup settings of "Manual" or "Disabled" (as opposed to "Automatic" which restarts it at every boot).
"Manual" will start the service whenever any other service requests it.

PS - See my other post about why this is not a good idea.

Re:HOW TO stop the service (2)

extra88 (1003) | more than 11 years ago | (#4436761)

Win9x doesn't have a Messenger service, all it has is an optional application called WinPop that even if you install it, it won't run on startup so if it's running, it's because you put it there. There are other programs which can serve as a substitute for WinPop but they all work the same way.

Re:stop the service (0)

Anonymous Coward | more than 11 years ago | (#4436442)

...and regular users don't really need "NetBIOS over TCP/IP" support either (stop that service too). Plus, in the options for the DUN connection, specify that the connection uses only TCP/IP and not IPX, file sharing or whatever else is there.

Firewall yourself... (5, Informative)

earthdark (582375) | more than 11 years ago | (#4430286)

TechTV [techtv.com] covered this earlier this year so you might want to read their brief article for more information.

Basically, they're port scanning for open port 139s and spam IP that comes up positive. Either turn off the messenger service in services or install a firewall/router and block incoming tcp connections on port 139 (NetBIOS).

While you're at it, turn off the remote registry service...

Re:Firewall yourself... (1)

Calcbert (40347) | more than 11 years ago | (#4439795)

Don't take my words as authority by any means, but in my experience at my summer job, locking down a Win2K/XP server should not include turning off the Remote Registry Service, as it fscks up stuff kinda bad.

You said it yourself... (5, Insightful)

xt (225814) | more than 11 years ago | (#4430306)

Block the port. To be honest, I can't understand why you would leave any ports open when on an always-on connection with a static IP address. Unless you have a service running on a port that you want to be publicly accessible, all other ports should be blocked and stealthed. Experience says this is especially true for netbios ports...

As for the second part, you cannot count on an ISP's usage terms to protect you from malicious acts. For good or for bad, they sell access services, not security services.

Re:You said it yourself... (2)

bakes (87194) | more than 11 years ago | (#4430764)

You don't even have to have an always-on connection to see this. Earlier this week I was watching the message log on a system I had just upgraded - which has a dialup modem and dynamic IP - and within ten minutes we were getting probes on a number of ports, 137 and 139 in particular.

I wish I could pop up a message on their screens. Something polite and respectful like 'piss off you little bastard'.

Re:You said it yourself... (3, Funny)

Basje (26968) | more than 11 years ago | (#4431009)

Many of these probes are probably open Windows machines on your subnet. Note their IP, and from within Run or a command box on Windows type:
net send ipnumber "your message"

It's implemented in samba too. Either in smbsend or smbclient. Look it up if you need it.

Re:You said it yourself... (2)

bakes (87194) | more than 11 years ago | (#4442558)

No, that's not it. The probes are not from the local network, they are coming over the modem/ppp interface.

PS: Funny?

Re:You said it yourself... (5, Interesting)

diesel_jackass (534880) | more than 11 years ago | (#4431565)

>I wish I could pop up a message on their
>screens. Something polite and respectful
>like 'piss off you little bastard'.

I don't know about popping a message, but you could have fun with Slap [securitysoftware.cc]:

Slap [securitysoftware.cc] - If you're like me you run firewall software that tells you when someone tries to access your system. Sometimes I respond with a few packets of my own just to let them know that I am paying attention. I wrote Slap to make responding to these access attempts easier and more entertaining. Just enter the IP address of the person you wish to slap and click on the Slap button. The program will attempt to access all the ports in the list and send them a packet with a personal message. (The default message is 'Leave Me Alone!') Slap integrates with Black Ice and Zone Alarm and can use information received from these software firewalls to "Auto Slap" intruders and add their attacks to your list of responses. --Here is a cool Wav [securitysoftware.cc] file to use with this.

Re:You said it yourself... (1)

Black Copter Control (464012) | more than 11 years ago | (#4434281)

Block the port.

Do you even need to have that port open to the net? If it's a standalone machine with no servers, you shouldn't even be listening on that port. I remember that there was a place that described how to disable NetBios -- As I remember it, you simply attach it to some unused 'network device' that never attaches to anything... That way wintendos is happy because it thinks that netbios is still bound, but it never talks to anything outside of your machine.

Ultimately, though, I'd say (along with just about everybody else here): don't run Windows exposed to the net. I've seen empirical tests that found that you can't install and upgrade a win-2000 box while attached to the net before you get owned... One student of mine tried 4 times without getting an uninfected box.

That's the reason why everybody and their dog is selling DSL/Cable hub/firewall/routers. They're going for under $100 these days. Go out and buy one if you can't get a linux/BSD router running on an old P/66.

Happening at colleges too (2, Interesting)

Q3vi1 (611292) | more than 11 years ago | (#4430312)

This same issue just came across on the Departmental Computing mailing list for my college University of Oregon. The following is an excerpt from an e-mail by our Senior Security Engineer on the subject:
I think that port 135 might be common here. But that's gonna hurt, because I think that port number has historically been overloaded to now mean more than one thing depending on which Win OS version you are running.

Here's an XP -> SMBd example. I can see that by using WinXP machine and testing
net send "blah"
This uses an ephemeral port on the source and targets port 135 UDP on the destination. Succeeds.
MS: Q150543 [microsoft.com]
Or DCOM stuff like this:
Protocol: DCOM
In: TCP on port 135
You must open TCP and UDP on port 135. This port is used for initial Windows Media server-to-client and server-to-encoder communications, as well as essential processes. The protocol used for these initial communications is DCOM.
Microsoft says block it at the firewall:
MS Security Bulletin [microsoft.com]
Looks like a toughy though. I think we could break some stuff easily here if we're not careful. We'll have to talk this over. Removing Winpopup.exe or disabling Windows Messenger service seems like an obvious fix for a disgruntled user.

Re:Happening at colleges too (3, Informative)

Krelnik (69751) | more than 11 years ago | (#4431339)

I think that port 135 might be common here. But that's gonna hurt...

Your so-called "Senior Security Engineer" needs to get a little more training. Port 135 has absolutely nothing to do with the Windows Messenger service.

Port 135 is the RPC/DCOM portmapper in Windows. It performs the exact same service that port 111 does on a Unix box offering RPC services. It allows remote RPC calls to "find" the dynamically assigned port that their target service is running on.

Windows Messenger does not use RPC or DCOM. It uses part of the same protocol that SAMBA uses.

Re:Happening at colleges too (2)

Samus (1382) | more than 11 years ago | (#4431412)

Actually a lot of the SMB protocol is RPC based. The SAMBA guys just decode the messages and then run the appropriate code. I believe there is a next generation offshoot of SAMBA that is looking into making an RPC based version. I think one of the big problems though is that MS hasn't released an open source friendly version of the documentation that explains the stubs.

Differences between SAMBA RPC and DCE RPC (2)

Krelnik (69751) | more than 11 years ago | (#4431548)

a lot of the SMB protocol is RPC based...

We're getting into topic creep, but I guess nobody will mind because the original topic was so silly....;-)

That is a different kind of RPC, which pre-dates Windows. It does not use 135. Microsoft usually screws things up the first time, and reinvents it several times after. This is one of them.

The RPC stuff in SAMBA dates from the old LAN Manager days, and ran over the same port the file and print sharing did (139). This stuff existed in the days of DOS and Win16, long before COM and DCOM ever existed. It worked well enough to add a few functions to this subsystem. It had lots of problems: it was not easily extensible, couldn't be run on top of other protocols, and was not object oriented, etc.

Later, when Microsoft was building what became COM and DCOM (and what was then called OLE), they realized they needed a more robust RPC mechanism. They decided to use DCE [opengroup.org] RPC [opengroup.org], theoretically an open standard. It is what DCOM is built on top of.

SAMBA continues to use the "old" RPC mechanism (for compatibility), and therefore does not use this port. If you look into the API documentation for the API's exposed on top of these RPC's, you'll see Microsoft deprecates many of them.

Re:Differences between SAMBA RPC and DCE RPC (2)

Jeremy Allison - Sam (8157) | more than 11 years ago | (#4432540)

Close but not correct.

As you're informing people about DCE here, you should also realize it was a transport independent RPC. It will run over SMB on ports 139 and 445. We implement it..... :-). 135 is only DCE over "raw" TCP. It can be transported in other ways....

Jeremy Allison,
Samba Team.

Re:Differences between SAMBA RPC and DCE RPC (2)

Krelnik (69751) | more than 11 years ago | (#4432805)

Yes I am aware of that. However, he was talking about the old-style "WNET" RPC's that run directly in the SMB protocol, which as you know are a different thing entirely.

Re:Happening at colleges too (2)

rakerman (409507) | more than 11 years ago | (#4436633)

This has been confirmed. Rather than reading the rest of the oh-so-superior Slashdotters who will tell you "that's impossible 135 has nothing to do with it blah blah" go over to DSLreports where they actually analyzed the traffic and confirmed it's coming over UDP 135.

DSLreports Broadband Security Forum [dslreports.com]

So the actions to take are:

  1. temporarily disable the service with NET STOP messenger
  2. block UDP 135
  3. permanently disable the messenger service in your Services control panel
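Blkdeath's list of ports to block (135, 137:139), bakes' note about watching probes on 137 and 139 in a message log, and rakerman's finding that the spam arrives on UDP 135 all come down to the same check: is anything from the outside hitting the NetBIOS/RPC ports? The script below is an added example, not code from any poster or product named in the thread; it parses constructed iptables-style kernel log lines (the field names IN=, SRC=, PROTO=, DPT= are the real netfilter LOG format, the addresses and interface name ppp0 are assumed) and counts such probes per source address, ignoring traffic that arrives on an internal interface.

```python
"""Count inbound NetBIOS/RPC probes per source in netfilter LOG lines.

Added example: the sample log below is constructed, not captured.
"""
import re
from collections import Counter, defaultdict

# Ports the thread recommends blocking at the firewall, with what they carry.
NETBIOS_PORTS = {
    135: "MSRPC endpoint mapper (Messenger service spam arrives here over UDP)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB direct (no NetBIOS layer)",
}

# Interfaces that face the internet; assumed name for a PPP over DSL link.
EXTERNAL_IFACES = ("ppp0",)

# Fields as the netfilter LOG target writes them to the kernel log.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S+).*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?"
    r"PROTO=(?P<proto>TCP|UDP).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: two outside hosts probing, one internal SMB session,
# one unrelated web request. Addresses are documentation ranges.
SAMPLE_LOG = """\
Oct 10 03:01:12 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.22 PROTO=UDP SPT=1234 DPT=135 LEN=120
Oct 10 03:01:13 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.22 PROTO=TCP SPT=3201 DPT=139 SYN
Oct 10 03:01:20 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.22 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 10 03:02:05 gw kernel: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.1 PROTO=TCP SPT=1050 DPT=139 SYN
Oct 10 03:02:40 gw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.22 PROTO=TCP SPT=3203 DPT=80 SYN
"""


def parse_line(line):
    """Extract interface, source, protocol and destination port; None if not a LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "iface": m["iface"],
        "src": m["src"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def is_netbios_probe(rec, external_ifaces=EXTERNAL_IFACES):
    """True when a parsed record hit a NetBIOS/RPC port from an external interface."""
    return (
        rec is not None
        and rec["dpt"] in NETBIOS_PORTS
        and rec["iface"] in external_ifaces
    )


def summarize(lines, external_ifaces=EXTERNAL_IFACES):
    """Map each probing source address to a Counter of (proto, port) hits."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if is_netbios_probe(rec, external_ifaces):
            hits[rec["src"]][(rec["proto"], rec["dpt"])] += 1
    return dict(hits)


def report(lines):
    """Human-readable lines, busiest source first."""
    out = []
    for src, ports in sorted(summarize(lines).items(),
                             key=lambda kv: -sum(kv[1].values())):
        detail = ", ".join(f"{proto}/{port} x{n} ({NETBIOS_PORTS[port]})"
                           for (proto, port), n in sorted(ports.items()))
        out.append(f"{src}: {detail}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

The internal eth1 session and the port 80 request are not counted; a source that shows up here repeatedly is a candidate for a firewall block, and a hit on UDP 135 is exactly the Messenger spam path the thread describes.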

Firewall your PC (0, Redundant)

BalkanBoy (201243) | more than 11 years ago | (#4430317)

Common sense today is to use a firewall [firewallguide.com] on all home connections (e.g. Zonealarm). That would have prevented the NetBios 'hack' you experienced through the netbios port.

Protect yourself (1, Redundant)

DreamerFi (78710) | more than 11 years ago | (#4430327)

Block the port, use zone alarm, or (shameless plug) install this firewall [dubbele.com]

-John

NetBSD firewall is cool :-) (2)

smartfart (215944) | more than 11 years ago | (#4434043)

This firewall distro works great. I know everyone likes Freesco [freesco.org], and I use that too on occasion, but I've had the NetBSD firewall running at one of my client's offices for about a year and a half, and it's given me absolutely no trouble at all. Several people in our LUG [nolug.org] use it as well.

Great product :-)

I got one of these too (1)

Emnar (116467) | more than 11 years ago | (#4430332)

Funny, today I got one of these for the first time. My first thought was, "Why didn't somebody think of this before?"

The fix for this should be either at the OS or user level. Personal firewalls are not hard to find, and inexpensive compared to the cost of net access. If ISP's start blocking every port that could be abused, sooner or later we'll ALL be turned into one-way consumers.

Re:I got one of these too (0, Flamebait)

Anonymous Coward | more than 11 years ago | (#4430446)

Because Windows XP is the first home version of Windows that uses the messaging system...

Re:I got one of these too (1)

dar (15755) | more than 11 years ago | (#4431857)

Baloney. Winpopup has been in every version of Windows that I've used (most of them) since Windows 3.11 (Windows for Warehouses er Workgroups).

Block, but use rules. (2, Interesting)

cryptor3 (572787) | more than 11 years ago | (#4430355)

I assume that you don't want to block the port because you want to have fully functional file sharing with people you know in your vicinity.

I think that what you probably want is to block the port to all IP addresses that are not in your subnet (local network). Therefore, if anyone spams you in the future, they have to be inside BellSouth, and you can (probably) get their account closed. But chances are, there's not gonna be anyone spamming like that from inside BellSouth.

That happened to me... (2, Informative)

Gangis (310282) | more than 11 years ago | (#4430471)

That happened to me around Midnight on Monday. I shut off the "Messenger" service in WinXP (although 2k has the same service) and I still had NetBIOS running without getting network popups (who uses them anyways?)

Hope this helps.

P.S. The "Messenger" service in the Services list has nothing to do with Windows/MSN Messenger, so please don't confuse the two. ^_^

Dear Slashdot, (5, Funny)

crapulent (598941) | more than 11 years ago | (#4430520)

Dear Slashdot,

When I go to work, I leave my front door unlocked and slightly ajar. The other day when I got back, I found vagrants sleeping on my sofa and defecating in my sink. Other than closing and locking my door when I leave, how can I get rid of them? Has this ever happened to you? Also, can I sue my landlord over this? Thanks.

Yours,
Confused in Cleveland

Re:Dear Slashdot, (2)

freaksta (524994) | more than 11 years ago | (#4431077)

Sorry. I'll move my stuff out tonight.. just don't drink the 1800 in the cabinet, the toilet was clogged.

Re:Dear Slashdot, (1)

SN74S181 (581549) | more than 11 years ago | (#4431698)

Dear Confused in Cleveland,

It is against the law for the vagrants to sleep on your sofa and defecate in your sink. You should call the police and have them arrested for trespassing.

It might be a good idea to start locking the door when you will be away, but it isn't necessary for you to lock the door to press charges against these people. Please do so, vigorously.

Re:Dear Slashdot, (2)

ka9dgx (72702) | more than 11 years ago | (#4431945)

Dear Confused in Cleveland,
It is within your rights to defend your property with the force of arms. If they refuse to leave, you may find it necessary to use gun control to enforce your wishes.

Gun Control - With your loaded weapon (safety off), aim at the intended target, and while slowly exhaling, squeeze the trigger.

--Mike--

you're not alone... (1)

jkramar (583118) | more than 11 years ago | (#4431073)

Yesterday, I also saw a stupid diploma Windows Messenger spam, at school. It claimed, as I recall, to come from WEBPOPUP02. In any case, I'm hoping that the school takes account of that and does the obvious (blocks off the port to people outside the network).

Make a little firewall... (4, Informative)

mnordstr (472213) | more than 11 years ago | (#4431101)

I have 2 Windows computers at home that have public static IPs. Instead of using my DSL router on the Windows machines, I've given them local IP addresses (192.168.*.*) and route them through my Linux server. There I've put up an iptables firewall with DNAT and SNAT, so that when the Windows computers are routed through the firewall, they get their public IPs assigned to them, and you can access the computers from the outside with the public IPs. On the Linux router I've added tons of rules, and one of the most important rules is the one that blocks ports 0-1024 on all Windows machines. All important ports are usually below 1024, so I can basically run filesharing, etc. without having to worry about users accessing the files from the Internet (or accessing Windows messaging). However, since all ports above 1024 are unblocked, and have a public IP due to the SNAT, the users on the Windows machines can use P2P apps, play games online, etc. since their machines are accessible from the outside. This has worked extremely well for a long time, no need for firewalls on the Windows boxes (like Norton Internet Security). I haven't experienced any viruses, hackers or unwanted pr0n sent to the printers because of open ports. :-)

Re:Make a little firewall... (0)

Anonymous Coward | more than 11 years ago | (#4434121)

since when is pr0n unwanted?

Crappy ISP! (3, Interesting)

haplo21112 (184264) | more than 11 years ago | (#4431242)

Most decent DSL/CABLE Modem providers block the netbios ports these days... that's just sad that they have those ports open and available for traffic on their network.

Hint: Get a linksys router and those ports will no longer be available for spam...

Hint2: Don't leave Windows machines hanging on the wire like that unless they are members of an NT domain. It will step up the security of the Netbios connections.

Hint3: Never leave an improperly secured NT machine hanging on the wire like that....

Hint4: see hint 1

Re:Crappy ISP! (1)

TildaBacon (615452) | more than 11 years ago | (#4431489)

I don't believe that this spam was netbios related. I was on www.foxnews.com and if you leave it up for 5 min or so with javascript turned on it pops up. I think it's just an ad that looks like a windows message. (Just tested it on my bsd box and it pops up!) Guess that goes in the tricky spam bucket.

Re:Crappy ISP! (1)

RedWolves2 (84305) | more than 11 years ago | (#4431803)

No it is actually a NETBios communications message. It is getting sent using the net send command in Windows. I have had a couple of these messages. Very annoying.

Re:Crappy ISP! (3, Insightful)

Blkdeath (530393) | more than 11 years ago | (#4432868)

I was on www.foxnews.com and if you leave it up for 5 min or so with javascript turned on it pops up. I think it's just an ad that looks like a windows message.
Gee, I'd forgotten how annoying those popups were since I installed a browser [mozilla.org] that blocks popups. Alternatively, I could have installed another browser [opera.com] that showcases the same functionality. It's like a whole different WWW without popups. :)

But seriously, this NetBIOS messenger problem is quite real, and is (almost) entirely the fault of the end-user. Putting a Windows machine on the Internet without some form of firewall (software or hardware) is an invitation to get violated in some way or another. All I have to say is, these people are already once lucky - their file and print shares are exposed to the world, so with a bit of password trickery (or exposing one of the many NETBIOS vulnerabilities that exist at various patch levels of each of the Windows OS variants) one can easily access the data and/or send malicious print jobs (hint: MS Paint, black background, 100 copies. Else, SPAM)

There are also cases of people who actually run/administer a firewall that's obviously mis-configured to the point of being futile, so don't expect the mere presence of such a thing to protect you. One individual on the Security Focus Incidents mailing list is reporting this very same 'problem' on his network running Microsoft ISA firewall.

If you're unable (for whatever reason) to install a software firewall, obtain and configure an Internet router. There are dozens (hundreds) on the market, and the vast majority of them (that we've dealt with/sold) come with port forwarding to the internal machines disabled per default. For single-computer owners, SMC makes a one-port Internet router that could simply be installed inline with the users' cable/DSL 'modem' for security and peace of mind. Moreover, it saves the user from having to install annoying PPPoE client software on their machines.

Like the poster before alluded (rather amusingly) to; if you leave your door ajar, don't be surprised when you come home to find people roosting in your house, or that some of your things are missing. Sure, the person may have broken the law, but putting out the welcome mat is just asking for trouble.

Two dumb birds for the price of one.... (3, Insightful)

coyote-san (38515) | more than 11 years ago | (#4432010)

This stupid question (block the port, be done with it) has given me a potentially useful idea.

How hard would it be to send a message back to the boxes that have some code red or similar virus. Basically you ask my web server for c:/scripts/something, you get a Windows message back informing you in no uncertain terms that your box is infected and the OS needs to be reinstalled.

This isn't an attack, but if enough people did it (just one message per infection attempt) people would soon be forced to do something because of the barrage of messages. And the people who let their boxes REMAIN infected with a virus that's been out in the wild for over a year are hardly the type of people to have locked down port 139.

Re:Two dumb birds for the price of one.... (2)

maggard (5579) | more than 11 years ago | (#4432260)

How hard would it be to send a message back to the boxes that have some Code Red or similar virus? Basically you ask my web server for c:/scripts/something, you get a Windows message back informing you in no uncertain terms that your box is infected and the OS needs to be reinstalled.

Somebody already did this last year. It was a Java app that sat on a box minding its own business. If Nimda tried to infect it, then a popup would be sent to the attacking machine along with a URL containing directions on how to clean up the problem.

Unfortunately I blew away the machine I used for that yesterday and for the life of me can't quickly Google up the app, doubtless somebody here will recognize it. It was good stuff, even reported numbers, easy to verify for security, etc.

Re:Two dumb birds for the price of one.... (1)

loners (561941) | more than 11 years ago | (#4434347)

Then they just spoof the sending IP address. You would get your own popup.

Re:Two dumb birds for the price of one.... (2)

coyote-san (38515) | more than 11 years ago | (#4442366)

You can't easily spoof the IP address for HTTP (since it requires a TCP/IP handshake), and I was suggesting sending a message in response to a virus attack, not spam.

After you're done bashing the Win2k user... (1)

FosterSJC (466265) | more than 11 years ago | (#4432014)

How about trying to provide some assistance...

I received two of these messages within the last month. The first puzzled me, but only briefly, since I was ragingly drunk. The second one bothered me, however. It didn't seem right to me that someone should be able to message me like that without my explicitly allowing it (and really, how can they give you a PhD or University Degree by filling out a short 5 minute form?! It's crazy.)

In any case, my first inclination was to try and find some sort of messaging service in Win2k and turn it off, which I promptly did. But isn't this just applying a bandaid to a scratch on your arm, while your entrails are spilling out of your abdomen? I mean, this must be a sign that my system is not that secure.

But is it really true, according to one poster, that if I share a drive or a printer I have been "HACKED ALREADY"? And whether I am or not, aren't there other choices besides reformatting, changing ISPs, blocking lots of ports useful to me, or just unplugging my box? I have to say poster, that you were a little curt.

In any case, I am looking for (relative) layman's advice that isn't as drastic and cynical as this (can I find such advice on Slashdot?) for the Win2k user; also, I would appreciate some suggestions for software a) to help clean up my system if it needs it, b) to divine the actual level of current security (or lack thereof), c) to create the firewall that so many people tell me I need. Share/freeware would also be nice on this college student's budget.

Thank you for your patience and any help is greatly appreciated.

Re:After you're done bashing the Win2k user... (1)

superflippy (442879) | more than 11 years ago | (#4432339)

Thank you! This is exactly what I was thinking. We had this happen in our research group this morning and our sysadmin is out sick today. None of us were stupid enough to actually click on the message, but it disturbed us, and we want to make sure it doesn't happen again.

Installing a personal firewall will likely mean facing The Wrath of the Sysadmin when he returns Monday. But looking at other posts, it seems like disabling Windows Messaging is a fairly good solution.

Frankly, I'm surprised this happened to us since our group has its own full-time Sysadmin who makes sure our little corner of the campus network is secure and up-to-date with patches, and is ruthless about security on our individual computers. As a result, most other campus Internet problems don't affect us, except when the main router goes down or a cable gets sliced or something like that. So I have trouble believing that this was caused by a lax configuration of Win2K.

FORMAT YOUR HARD DRIVE and reinstall. (3, Informative)

Ashurbanipal (578639) | more than 11 years ago | (#4432345)

OK, please do not regard this as bashing. It's just the correct answer to anyone with this problem - if you don't like it, the problem is not in the answer.

NETBIOS CANNOT BE SECURED. If you leave your netbios ports open, you can be cracked to such a degree that it will be impossible for anyone other than a forensic analyst (who will boot from a linux or BSD boot disk) to detect. Netbios is only a viable solution on TRUSTED networks, which the Internet isn't, by definition.

YOU ARE PROBABLY OWNED. Your machine is most likely already completely compromised, and is happily working on cracking RC5 ciphers for somebody you've never met. See the honeynet project [honeynet.org] for more information (incidentally, one of the founders of honeynet reportedly got cracked by el8; everybody can make mistakes).

YOUR BEST OPTION IS TO FORMAT YOUR HARD DRIVE. The fastest, most reliable way to remove any possibility of a problem is to reload your system from a read-only media - i.e. your windows distribution disk. You must scrub the hard drive first, though; there are programs that can survive windows reinstallation unless this step is taken. You must also disconnect your Internet connection until you have a firewall running, to be absolutely safe; you should buy the firewall or get a friend with a more secure system to download one for you, since anything you download with your machine is suspect.

Hope this helped!

Re:FORMAT YOUR HARD DRIVE and reinstall. (1, Funny)

Anonymous Coward | more than 11 years ago | (#4433288)

Thank you Steve Gibson.

HOW-TO: CYA on the Internet while using Windows (2)

Da VinMan (7669) | more than 11 years ago | (#4432394)

(You will have to graduate from newbie status in order to take advantage of my advice. This means that you will have to climb the learning curve and actually go read some stuff. You can spend a chunk of cash on products to avoid doing just that, but that's much less fun.)

If you're doing things like turning on file sharing or sharing printers, it's (supposedly) very easy to hack you. I say supposedly only because I haven't actually tried this. It's such an infamous hole though that I do believe it. To turn this off, unbind the NetBIOS protocol from the modem/network card that connects you to the Internet. In Windows 2000, that means you go to the Properties for your network connection (in the Control Panel) and uncheck the 'File and Printer Sharing for Microsoft Networks' option. (It's very easy to fix this in Win9x too using roughly the same technique.) You may have to reboot, I don't recall. That problem will then be solved.

Now to protect yourself from other intrusions and threats.

If you're just running a dial-up connection and don't leave your machine on the network for extended periods of time, then a product like ZoneAlarm (www.zonelabs.com - look for the free version) will serve you well. Actually, it serves you well in two ways: 1) it protects your machine from the outside world coming into your machine in an unauthorized fashion and 2) it protects adware on your machine from phoning home without your permission (actually it prevents everything from using the Internet until you grant permission, not just adware). This is sufficient for dialup.

For broadband users and users who want to leave their machine on the Internet for extended periods of time (more than a couple hours at a time), I recommend using an honest to goodness separate firewall. There is a lot that can be said about this, far more than I know really, but I will give you a couple pointers.

First of all, one of your options is to use a second PC as the firewall. It will need to have 2 network cards, you will need a router or hub for your home LAN, and you will have to get the cable modem (or DSL for that matter; with which I have no experience - shouldn't be too hard) working with that extra PC (via Windows would be easiest to start with). Once that's set up, go grab a Linux distribution like IPCop (or SmoothWall - they're very similar, in fact they were the same product at one time), and install it on that PC. It will require that you reformat the hard drive, so don't plan on storing any files on it. A small hard drive is sufficient. There are FAQs and forums on the IPCop and SmoothWall sites that will help get you set up.

Your second option in the category of 'real protection' (for home users anyway) is to just go buy a hardware firewall. So instead of a second PC, you just go buy a device that does essentially the same thing. I won't go into detail on these as I have no experience with them. I just thought you should know about them.

Two last points:
-PLEASE keep a current anti-virus product actively running on your machine and keep it up to date. If you need a free one, go to http://www.grisoft.com to get the free personal version of the AVG anti-virus product. This one has saved my butt several times from several infections. It may or may not be the best product out there, but it works for me.

-To protect yourself from browser window popups and other shenanigans, go grab WebWasher at http://www.webwasher.com/en/products/wwash/download_license.htm. You will occasionally find that it interferes with pages that make heavy use of Javascript, but you can turn it off when needed. The added protection from annoying web sites is worth the small inconvenience it may sometimes cause.

As always, this advice is just a starting point. Today's perfect security solution may be an open door tomorrow. It's up to you to keep yourself informed and to take action when problems arise.

Good luck and have fun!

Re:HOW-TO: CYA on the Internet while using Windows (0)

Anonymous Coward | more than 11 years ago | (#4433713)

How do you get viruses, I'm really curious. I have never, never been infected. Ever! I don't have AV software, I don't think I need it. I guess the reason why is that I never trust attachments, I don't trust executables, and I dunno. I got e-mail klez stuff twice, that's it, I deleted it done, didn't open or anything. I've used outlook, outlook express, eudora, netscape, and mozilla's clients. I've never been infected.

Re:HOW-TO: CYA on the Internet while using Windows (2)

Da VinMan (7669) | more than 11 years ago | (#4433948)

Simply put, you get a virus by running a program which is already infected with the virus. The infected program can come from someone who purposefully infected it, or it can come from someone who is unintentionally spreading it to you.

Let's take a couple of examples:

1. Someone sends you an executable game via email, 'ElfBowling.exe' for example. You trust this person, so you save the file, fire up the game, and proceed to knock over some elves. The next day, you find out that everybody in your email address book received messages from you encouraging them to visit some porn sites. What happened? You ran an untrusted program. I think you'll understand this example.

2. Someone sends you their resume. You trust this person, so you save the file, and fire up MS Word to see it. The next day, you find out that everybody in your email address book received messages from you encouraging them to visit some porn sites. What happened? You didn't run an untrusted program, right? Well, no you didn't, not knowingly at least. See, Word documents can contain macros. Macros can do a number of things, like make text bold, save files, etc. Macros can also be used for bad things, like deleting all your files, for example. Again, we're back to a program that causes the problem.

I *really* recommend that you get an anti-virus program and check out your system(s). You may have a virus and not even know it. Many viruses don't give you any visible clue that they're present until they do something obnoxious. Then it's too late. You may have to trash the entire hard drive just to clean up.

Hope that helps...

Responsibility... (1)

Kalzus (86795) | more than 11 years ago | (#4432063)

If I may ask, why are you relying on the ISP to handle this?

It's an unfortunate consequence of the way the network is that one should be watching over one's own machines.

Why not block the port ? (1)

billcopc (196330) | more than 11 years ago | (#4432436)

Quit whining, the easy way to fix it is to block the port, no 'but's. The proper way would be to get rid of NetBIOS or whatever messaging device is being abused.

Re:Why not block the port ? (2)

josepha48 (13953) | more than 11 years ago | (#4433187)

Yes and he can use zonealarm or blackice to block the ports and be done with it. I cannot believe crap like this is showing up on slashdot these days. They must be hard pressed for news or something. In the unix world these messages don't happen cause any smart unix admin has a firewall and / or proxy set up to block and log this crap.

Happened Here Too (0, Redundant)

yancey (136972) | more than 11 years ago | (#4432830)

It happened here just this morning. Spammers suck. Congress sucks for not banning advertising by email. Oh well, back to life.. back to reality.

Disable Messaging (1)

andrew_lewis (534971) | more than 11 years ago | (#4432848)

1. Click Start Menu
2. Click Settings
3. Click Control Panel
4. Click Administrative Tools
5. Click Services
6. Find Messenger in list, view properties
7. Change Startup Type to Disabled
8. Click OK
9. ...
10. Profit!

NOTE: This has nothing to do with MSN Messenger; it's purely the "NET SEND" command.
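As an added example (not code from this thread or from any poster), the PowerShell script below audits the three controls the thread keeps returning to, namely the Messenger service steps above, unbinding File and Printer Sharing from the Internet adapter (Da VinMan's post), and blocking inbound ports 135-139, and applies them when run with -Fix. It assumes a Windows 8/Server 2012 or later host with the NetAdapter and NetSecurity modules, an elevated session, and an Internet-facing adapter named "Ethernet"; the adapter name and the firewall rule name are assumptions, and the Messenger service itself only exists on XP/2003 and earlier.

```powershell
# Added example: audit (and optionally remediate) the NetBIOS/Messenger exposure
# discussed in this thread. Not from the thread; assumptions are noted inline.
param(
    [string]$InternetAdapter = "Ethernet",   # assumption: name of the ISP-facing adapter
    [switch]$Fix                             # without -Fix the script only reports
)

$findings = @()

# 1. Messenger service (the "NET SEND" pop-up service, not MSN Messenger).
#    Absent on Vista and later, so a modern host reports "not present".
$svc = Get-Service -Name Messenger -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "Messenger service: not present on this Windows version (nothing to do)"
} elseif ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
    $findings += "Messenger service: $($svc.Status), start type $($svc.StartType) -> should be Disabled"
    if ($Fix) {
        Stop-Service -Name Messenger -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Messenger -StartupType Disabled
    }
} else {
    $findings += "Messenger service: disabled (OK)"
}

# 2. File and Printer Sharing (component ms_server) bound to the Internet adapter.
$binding = Get-NetAdapterBinding -Name $InternetAdapter -ComponentID ms_server `
    -ErrorAction SilentlyContinue
if ($null -eq $binding) {
    $findings += "Adapter '$InternetAdapter': not found, check the adapter name"
} elseif ($binding.Enabled) {
    $findings += "Adapter '$InternetAdapter': File and Printer Sharing is bound -> unbind it"
    if ($Fix) { Disable-NetAdapterBinding -Name $InternetAdapter -ComponentID ms_server }
} else {
    $findings += "Adapter '$InternetAdapter': File and Printer Sharing not bound (OK)"
}

# 3. Inbound block for 135-139 (RPC endpoint mapper and NetBIOS) plus 445 (direct SMB),
#    on the Public profile, which Windows assigns to untrusted networks.
$ruleName = "Block inbound NetBIOS-SMB from Internet (audit script)"   # assumption
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($null -eq $rule) {
    $findings += "Firewall: no inbound block rule for 135-139/445 -> add one"
    if ($Fix) {
        foreach ($proto in 'TCP', 'UDP') {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
                -Protocol $proto -LocalPort '135-139', '445' -Profile Public | Out-Null
        }
    }
} else {
    $findings += "Firewall: inbound block rule for 135-139/445 present (OK)"
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it once without -Fix to see what would change, then again with -Fix from an elevated prompt.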

turn off your computer, or... (0)

Anonymous Coward | more than 11 years ago | (#4432913)

http://www.techtv.com/screensavers/answerstips/story/0,24330,3374542,00.html

Please, don't disable Windows messaging (0)

Anonymous Coward | more than 11 years ago | (#4434057)

Please, Windows users, don't disable Windows messaging. It can't hurt by itself, and it's very convenient to explain to the people filling my snort log that they are infected by a virus (and are going to be nuked, BTW).

port 135-139 open to the internet (0)

Anonymous Coward | more than 11 years ago | (#4434515)

First of all, I'm not an anonymous coward. I simply don't want to sign up for another junk mailing list by signing up "correctly". This does not make me a coward; this makes Slashdot rude for forcing me to either say nothing, post as "anonymous coward", or give them information they 'need' only because it's a possible profit generator, though they will not have to deal with the consequences. If they want to pay me for the use of my information, fine; if they want to deal with all the crap that will surely come my way (meaning someone from Slashdot manually deals with my junk email onsite at my office every day), that's fine too. If they don't offer those options, I'm not a coward for keeping my information to myself. That said, let's move on...

Regarding ports 135-139 being open to the Internet. Let's make an analogy: computers to cars. With cars, can a 5 year old get in and drive whenever they want, or do you need to be at least 16 in most states? If you are caught driving without a licence, do you go on your way after the officer apologizes for having the gall to expect you to have a licence, or do you get a ticket/get arrested? If you get in an accident, are you expected to have insurance, or is saying you are sorry, using the fact you didn't understand as your excuse, enough? Do you get to walk away from the next accident for the same reason, or are the authorities and your insurance company going to be a little miffed with you? What about the other car? Did they say "no problem, I'll pay for everything, you didn't know any better," or are they really upset since their car is totaled and their rates will probably go up through no fault of their own?

Where am I going with this analogy? Well, let's face facts. Computers and cars are different in the sense that car trouble is obvious and in your face, whereas computer trouble is usually too nebulous for most of us to figure out. When the carburetor on your car goes bad, your car dies and won't start. When a certain .dll file goes bad on your computer, a large network address bank in Florida may be the one suffering the consequences. Thus, computers and cars are different, and the idea that computers are harmless toys and that all trouble with them is a personal, local experience couldn't be more wrong. These harmless toys we have at home are in a big way responsible for the billions of dollars lost due to worms and viruses. How is this possible? Well, since we're talking about a network, what happens at one end can directly impact the other. If a home computer doesn't take basic security precautions, the corporate/government/bank/whatever computer at the other end can be taken down. This has happened before. The Internet worm all the way back, I think, 10 years ago, Nimda, Code Red, I Love You, etc., are all examples of how fast and pervasive worms and viruses can be with the smorgasbord of open computers out there. If these open computers had simple basic protection, these worldwide attacks wouldn't have spread so fast and wouldn't continue to survive. After all, if everyone had the definitions for the Nimda virus, it couldn't spread. Thus, since it continues, we have proof there are machines without Nimda AV definitions out there. After a year, that is not only irresponsible, but is bordering on criminal.

It's bad enough we have to deal with major vendors caring not about secure coding so they can make sure to beat the competition to the market with their new product, or of course to be advertised as 'secure'; the last thing we need is the masses absolving themselves of responsibility simply to avoid learning the basic requisite computer knowledge.

Remember the car? We had to get licences, right? If we don't start educating ourselves, or decline from using what we see as a toy but what in reality is a dangerous tool of high technology - just like a car - we will only make the problem worse.

A computer is a complex piece of equipment. It's not something you can expect to just know how to use simply because you signed a check to purchase the equipment. Either make sure you cover your bases by asking or hiring somebody to consult you, then REALLY and ACTUALLY follow their advice; don't dog around, be lazy and think "oh, it won't be me, someone else will get hacked," or think "I don't really need to do that, that would cost 100 dollars, he/she must be wrong." Remember - if you don't know why you should block port 135 at the firewall, you have no place to say anything about anyone being right or wrong about computer security - you are, if anything, in learning mode.

So... let's get out there and either learn or find someone who knows, take a look at our networks and plug the holes! There is no excuse for not doing so. It's the wild west out there - more reason than ever not to hedge your bets, or hope you won't be a victim, or think it's someone else's problem. Just like driving, we share the road, so your skill driving the car is absolutely my concern - I'm not the a$$ if you think otherwise.

Justin Moebus

Re:port 135-139 open to the internet (0)

Anonymous Coward | more than 11 years ago | (#4435539)

you need sneakemail.com. BTW, /. has never spammed me. ( I signed up with sneakemail.com, the address was only ever given to /. and it gets no spam. )

Is this really just now picking up? (2)

AvitarX (172628) | more than 11 years ago | (#4438044)

I see a lot of posts like, I got one last night, etc.

Also, I first just noticed it on my girlfriend's family computer; ZoneAlarm kept popping up: someone is trying to access NetBIOS services. I did a tracert and it was from a NY ISP.

I wrote down the addresses of the attempted accesser (don't want to offend any good hackers here) for later exploration (the default Win98 install doesn't have the tools I wanted). Anyway, is all this activity recently because of some as of yet undiscovered worm? Is it a worm that has been around that is starting to do this? Have lots of attempted uninvited resource accessing people just decided it would be fun to try out (perhaps rotting flesh 1337 krew just posted a file or tool to do this?). Or is this something that has always happened a lot?

BTW, this was a dynamic dial-up account, not an always on DSL/cable.

smoothwall (0)

zonker (1158) | more than 11 years ago | (#4438095)

install smoothwall on an old machine in front of your home computers and relax.

Simple answer (1)

Ezekiel Zachariah (615718) | more than 11 years ago | (#4439079)

Get the freeware program ZoneAlarm. It will protect your computer from most things, and a good anti-virus (AVG is a good free one). Both of these programs are available on Cnet's download database, just search for them. Also, unless you need your computer to be on all the time, turn it off. This will lower your exposure, and your computer will have less "events" to deal with. Hope this helps.

The Nut Behind the Wheel (0)

Anonymous Coward | more than 11 years ago | (#4439087)

You give most of it away in your submission. You use the word 'Windows', and five will get you ten you have a lot of dumb junk like Java, VBScript, web scripting, JavaScript and stuff like that turned on all over the place.

NetBIOS spamming? Check the nut behind the wheel first before you go shouting 'wolf'.

You get what you deserve. (0)

Anonymous Coward | more than 11 years ago | (#4444841)

Well folks. I wonder what kinds of jerks we have around. After all these Microsoft injected security risks of the recent past, why would any sane mind still run a non-firewalled, unpatched M$ machine on a permanent connection? If you do, you get what you deserve. Get a life dudes.

Thank You (0)

Anonymous Coward | more than 11 years ago | (#4453166)

I've also had the same problem. I appreciate all the helpful information from people who don't act like pompous SOB's.

So to everyone who gave great tips - THANK YOU!!!

Sincerely,
Earl
Omaha, NE

Re:Thank You (1)

opello (243896) | more than 11 years ago | (#4473396)

Yeah, my school's subnets (all 5 of them) were included in an attack, but computing services hasn't shared the cure ... thanks (although I had it disabled on one computer, totally forgot about it until I got 3 of these spams)

Be Glad (1)

DRnetman86 (617230) | more than 11 years ago | (#4457391)

I'm actually quite happy that my ISP (Optimum Online) doesn't block ports such as Netbios. Some other ISPs have blocked ports such as the ports for Gnutella, Kazaa, etc. While my ISP technically doesn't want you to be a server of any kind (as stated in their EULA), they never respond to a lone user running an FTP to access their files from a remote location. As stated by many before me, it shouldn't be the ISP's responsibility, but the end user's. Once they turn off netbios, they'll start putting obscure caps on (my friend has a 15k upload because of one). It should only be the ISP's responsibility if it greatly diminishes service. In the case of my friend, who installed IIS on his Windoze box, some spammers exploited his SMTP server and sent out thousands of spams from his computer which brought many local clients to a complete slowdown. The ISP notified him and let him know. The ISP should be your friend, but not restrict you.

Microsoft's worst enemy... the spammer (0)

Anonymous Coward | more than 11 years ago | (#4505668)

hip hip hooray!!! let the spammers work for us (opensource users) by annoying the hell out of microsoft users

GO yonder and spam microsoft's customers to kingdom come...

Downloads
http://downloads-zdnet.com.com/3000-2085-10122374.html

http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/net_send.asp