Stopping NetBIOS Spam?
MoonFacedAssassin asks: "I woke up this morning to find that my computer had a Windows messaging pop-up window with an advertisement about getting diplomas and degrees. I was quite shocked to find that my Bellsouth DSL IP address had been spammed. Has this happened to anyone else? Other than closing off the port which this can come through, are there any other ways to block this spam? And, how responsible is Bellsouth (or any ISP for that matter) in handling issues like this?"
Shut it down? (Score:2, Informative)
I believe shutting down the messenger service will stop them.
stop the service (Score:3, Informative)
Firewall yourself... (Score:5, Informative)
Basically, they're port scanning for open port 139 and spamming any IP that comes up positive. Either turn off the Messenger service in Services or install a firewall/router and block incoming TCP connections on port 139 (NetBIOS).
While you're at it, turn off the remote registry service...
Re:um. (Score:5, Informative)
I concur with you danielrose [mailto].
<RANT> Without denying MoonFacedAssassin [mailto] the right to a response to a very pertinent question, I think that posting that on Ask SlashJeeves [slashdot.org] shows a surprising level of ignorance from Cliff. Or is he at the end of some coding spree? Because this question does not belong here, but rather on some newsgroup like comp.security.firewall (someone help me there).
Anyway, let me end my RANT section by saying that the level of interest of Ask Slashdot has regularly reached new lows every day.
I'm worried, to say the least.
But let's drop the political/marketing aspect of that and take care of some real technical stuff:
Believe me, I've got firsthand experience of having systems simply plugged onto the Internet, not even having a DNS record, and being scanned after one day of routable IP presence.
And no, you don't want them to "protect" you from that, because if they start going Big Brother on you, you will notice a real drop in the number of things you can do online. Unless you really only want to surf and e-mail a bit, in which case that would be perfectly understandable.
But that's another debate: since the Internet is a jungle now, do we want to see some new kind of ISP that babysits their not-so-technical users?
I'm not trying to scare you there, it's just a fact.
In this case, please unplug from the network and reinstall from scratch. Do not back up any executable. And the first time you re-plug your machine into the Internet, please go immediately shopping for a personal firewall, like ZoneAlarm and such. Once this one is done, either make sure your anti-virus software is up to date, or get yourself one. This will give you a reasonable amount of security.
That happened to me... (Score:2, Informative)
Hope this helps.
P.S. The "Messenger" service in the Services list has nothing to do with Windows/MSN Messenger, so please don't confuse the two. ^_^
Make a little firewall... (Score:4, Informative)
read (Score:3, Informative)
Re:Happening at colleges too (Score:3, Informative)
Your so-called "Senior Security Engineer" needs to get a little more training. Port 135 has absolutely nothing to do with the Windows Messenger service.
Port 135 is the RPC/DCOM portmapper in Windows. It performs the exact same service that port 111 does on a Unix box offering RPC services. It allows remote RPC calls to "find" the dynamically assigned port that their target service is running on.
Windows Messenger does not use RPC or DCOM. It uses part of the same protocol that SAMBA uses.
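As an added defender-side example (not code from this thread or from any of its posters), the following PowerShell script applies the advice given in the "Firewall yourself..." comment and the port 135 explanation above: it stops and disables the legacy Messenger service where it exists, lists anything currently listening on the two ports, and blocks inbound TCP 139 (NetBIOS session service) and TCP 135 (the RPC endpoint mapper) with the built-in Windows Firewall. It assumes Windows 8 / Server 2012 or later (where the NetSecurity cmdlets exist) and an elevated session; the service name "Messenger" (which only exists on Windows 2000/XP/2003) and the rule name are assumptions of this example.

```powershell
# Added example, not from the Slashdot thread: harden a Windows host against
# Messenger-service pop-up spam by (1) disabling the legacy "Messenger" service
# if present and (2) blocking inbound TCP 135 (RPC endpoint mapper) and
# TCP 139 (NetBIOS session service) with the built-in Windows Firewall.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

#Requires -RunAsAdministrator

$ports    = @(135, 139)                         # the two ports discussed in the thread
$ruleName = 'Block inbound NetBIOS/RPC (Messenger spam)'   # assumed rule name

# 1. The legacy "Messenger" service (NOT Windows/MSN Messenger) only exists on
#    Windows 2000/XP/2003; on newer systems Get-Service returns nothing here.
$svc = Get-Service -Name 'Messenger' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'Messenger' -Force }
    Set-Service -Name 'Messenger' -StartupType Disabled
    Write-Host 'Messenger service stopped and disabled.'
} else {
    Write-Host 'No legacy Messenger service present on this host.'
}

# 2. Show what is currently listening on those ports before blocking them,
#    so the operator can see which process (by PID) exposes them.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Create (or refresh) one inbound block rule covering both ports on all profiles.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $ruleName
}
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $ports `
    -Action Block -Profile Any -Enabled True | Out-Null

# 4. Verify the rule and the ports it filters.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Blocking 139 and 135 on the host also stops file and printer sharing from the local LAN; on a home network where that is wanted, scope the rule to the Internet side by adding `-RemoteAddress` (for example excluding the LAN subnet) rather than blocking unconditionally. On a router or a separate firewall the equivalent is an inbound deny for the same TCP ports on the WAN interface.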
FORMAT YOUR HARD DRIVE and reinstall. (Score:3, Informative)
NETBIOS CANNOT BE SECURED. If you leave your NetBIOS ports open, you can be cracked to such a degree that it will be impossible for anyone other than a forensic analyst (who will boot from a Linux or BSD boot disk) to detect. NetBIOS is only a viable solution on TRUSTED networks, which the Internet isn't, by definition.
YOU ARE PROBABLY OWNED. Your machine is most likely already completely compromised, and is happily working on cracking RC5 ciphers for somebody you've never met. See the honeynet project [honeynet.org] for more information (incidentally, one of the founders of honeynet reportedly got cracked by el8; everybody can make mistakes).
YOUR BEST OPTION IS TO FORMAT YOUR HARD DRIVE. The fastest, most reliable way to remove any possibility of a problem is to reload your system from a read-only media - i.e. your windows distribution disk. You must scrub the hard drive first, though; there are programs that can survive windows reinstallation unless this step is taken. You must also disconnect your Internet connection until you have a firewall running, to be absolutely safe; you should buy the firewall or get a friend with a more secure system to download one for you, since anything you download with your machine is suspect.
Hope this helped!
Re:um. (Score:2, Informative)