Just got my messenger service exploited.. 2k..

TheVrolok

Lifer
Dec 11, 2000
24,254
4,092
136
Sitting here playing Black and White when what should pop up but a message from GOLARGER advertising for some website.. I've never had my messenger service (Using 2k) openly exploited before, anyway I can prevent this from happening again?
 

SaigonK

Diamond Member
Aug 13, 2001
7,482
3
0
www.robertrivas.com
Go to START - > SETTINGS -> CONTROL PANEL -> ADMINISTRATIVE TOOLS -> SERVICES.

Find the "Messenger" service and set it to manual; don't disable it, as some applications, such as printer control software, use the service and will start it when they need it.
That should cure your problem.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Two things you can do:

1. Use the search, this topic is discussed daily.

2. Use a firewall.
 

TheVrolok

Lifer
Dec 11, 2000
24,254
4,092
136
I appreciate the help, I have ZA recently reinstalled but I guess that won't take care of it.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Zone Alarm should take care of it; if it doesn't, it means that it's either not set up correctly or malfunctioning. My guess would be configuration.

-Spy
 

quickstang22

Junior Member
Sep 24, 2002
4
0
0
What SaigonK said is what you do.

I have to point out, no, a firewall will not stop this. If you people that said "get a firewall" would like me to prove it, send me your IP and make sure the service is on. I have tested it with Zone Alarm Pro, Tiny, Sygate, Norton Internet Security. The message got through them all.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: quickstang22
What SaigonK said is what you do.

I have to point out, no, a firewall will not stop this. If you people that said "get a firewall" would like me to prove it, send me your IP and make sure the service is on. I have tested it with Zone Alarm Pro, Tiny, Sygate, Norton Internet Security. The message got through them all.

If I had a Windows machine I would take you up on this one.
 

quickstang22

Junior Member
Sep 24, 2002
4
0
0
If you are curious to see this in action, you can spam yourself. Make sure the Messenger service is on in Services. From your command prompt: C:\>net send <your IP> <your message here>
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: quickstang22
If you are curious to see this in action, you can spam yourself. Make sure the Messenger service is on in Services. From your command prompt: C:\>net send <your IP> <your message here>

Which is even more fun to do to your buddies from a *nix, because I don't think they can respond :D
 

Noid

Platinum Member
Sep 20, 2000
2,390
193
106
I know it won't. (I'm using the Pro version.)

And I did have someone prove it would block it also.

Those messages go through firewalls AND routers.

You need to disable the service.

I even wrote MS about it... because in my case, I had a stalker...

And there's no log of where the messages were coming from in the Event Log (W2K)
(IP number)
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Noid
I know it won't. (I'm using the Pro version.)

And I did have someone prove it would block it also.

Those messages go through firewalls AND routers.

You need to disable the service.

I even wrote MS about it... because in my case I had a stalker...

And there's no log of where the messages were coming from in the Event Log (W2K)
(IP number)

I'll consider installing Win2k on the machine I'm building now (if I can, I don't feel like digging up SCSI drivers and stuff) to prove you all wrong.
 

Noid

Platinum Member
Sep 20, 2000
2,390
193
106
The messages go through required OS programs.
If you block the services.exe program... you won't be able to use the internet.
 

MO0t

Junior Member
Nov 28, 2002
9
0
0
I guarantee that if you have Tiny PF configured correctly, nothing will get in... not even net commands.
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
IIRC the messenger service uses TCP port 139, block that and you're set.
Of course, never having used Zone Alarm I have no clue how one would do that in ZA :)

By the way, can you actually configure "block from any to blah proto tcp port 139" type rules in ZA?
 

Noid

Platinum Member
Sep 20, 2000
2,390
193
106
Yes ... and thanks for the tip ...

All programs that try to access the internet are caught by ZA.

You then have the option to allow or not, and it gets listed in ZA programs no matter which you choose.

From there, just go into Programs, and modify ports.

So... in W2K... select the SERVICES.EXE program, and disable port 137.

UDP and TCP? ... I'd do both just to make sure.

Oh ... Are you sure port 137 for SERVICES.EXE is the only process using it?
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
Do any of the popular personal firewalls allow for more traditional firewall rulesets?
That is, filtering by ports, sources, destination, etc., rather than by program?

I'm running a PF firewall so it's not an issue for me personally, but I reckon it might be useful to know one if I have to install one for someone else one of these days :)
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Sunner
Do any of the popular personal firewalls allow for more traditional firewall rulesets?
That is, filtering by ports, sources, destination, etc., rather than by program?

I'm running a PF firewall so it's not an issue for me personally, but I reckon it might be useful to know one if I have to install one for someone else one of these days :)

I think Tiny (Kerio or something?) allows you to do this. But I'm not positive.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Wish I had been here earlier today; it's UDP ports 135-138 that the Messenger service receives messages through, which is why some firewalls don't block it correctly. A properly configured firewall will not allow this through.

I'll PM you my IP, please prove me wrong.

-Spy
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: quickstang22
Microsoft Knowledge Base Article - 330904

According to this article The Messenger service uses UDP ports 135, 137, and 138; TCP ports 135, 139, and 445; and an ephemeral (that is, short-lived) port number greater than 1024.

Make sure your firewall is set up right. Default settings don't catch this IMO.

Thanks for the link, it's nice that Microsoft took the time to make this information publicly available, and to make sure that their built-in XP firewall can block it (if you have SP1).

-Spy
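The two fixes the thread converges on (SaigonK's "set Messenger to Manual, don't disable it" and blocking the KB 330904 ports at the host firewall) as one script. This is an added example, not something posted in the thread; it assumes PowerShell 5.1 or later run as Administrator with the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 onward), and the firewall rule names are hypothetical.

```powershell
# Added example, not from the thread: apply the two mitigations discussed above.
# Assumes Windows PowerShell 5.1+ run as Administrator, NetSecurity + NetTCPIP
# modules present. The Messenger service only exists on Windows 2000/XP/2003,
# so that step is reported and skipped where the service is absent.

# 1. SaigonK's fix: Messenger to Manual (not Disabled), and stop it if running.
$svc = Get-Service -Name 'Messenger' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'Messenger service not present on this host; nothing to change.'
} else {
    if ($svc.StartType -ne 'Manual') {
        Set-Service -Name 'Messenger' -StartupType Manual
        Write-Output "Messenger startup type changed from $($svc.StartType) to Manual."
    }
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name 'Messenger'
        Write-Output 'Messenger service stopped.'
    }
}

# 2. The fixed ports KB 330904 lists for the service. The ephemeral port (>1024)
#    is deliberately not blocked: filtering that whole range breaks normal traffic.
#    Rules are scoped to the Public profile so file sharing on a trusted LAN
#    (TCP 139/445) keeps working; widen the profile only if that is acceptable.
$ports = @(
    @{ Protocol = 'UDP'; LocalPort = @(135, 137, 138) },
    @{ Protocol = 'TCP'; LocalPort = @(135, 139, 445) }
)
foreach ($p in $ports) {
    $name = "Block inbound Messenger/NetBIOS $($p.Protocol)"   # hypothetical rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol $p.Protocol -LocalPort $p.LocalPort `
            -Action Block -Profile Public | Out-Null
        Write-Output "Created rule: $name"
    } else {
        Write-Output "Rule already present: $name"
    }
}

# 3. Show what is still bound to those ports, so you can check nothing else
#    you rely on (RPC, file sharing) is listening there on the affected interface.
$watch = 135, 137, 138, 139, 445
Get-NetUDPEndpoint | Where-Object { $watch -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -State Listen | Where-Object { $watch -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```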
 

Noid

Platinum Member
Sep 20, 2000
2,390
193
106
Sunner:

I didn't say ZA couldn't do those setups also.
_________________________________________________

From the MS link:

If you are running Windows 2000 and connect to the Internet directly (by using a cable modem, a DSL modem, or a dial-up modem, for example), obtain and install a third-party firewall product that blocks inbound NetBIOS and UDP broadcast traffic.

__________________________________________________

Zone Alarm can do the 'internet zone' for NetBIOS, but UDP ports need to be manually entered.

But, what about the 'outlived ports 1024 and above'? ??

How many ports does that mean to block?

I ask because my ZA is already configured to block incoming NetBIOS, but not those specific UDP and TCP ports.
I was wondering why my PC was trying to contact PCs in foreign countries. (Korea, China, Saudi Arabia, Kuwait)
Although ZA was blocking my PC's outgoing connection requests, I wanted to stop the requests at the source (incoming).
So, I'm going to try adding the UDP incoming ports tonight, to see if the outgoing connection attempts disappear.
(and see if my game server can still be seen by players)

OH ... Which ports above 1024 and how many?