Stopping NetBIOS Spam?
MoonFacedAssassin asks: "I woke up this morning to find that my computer had a Windows messaging pop-up window with an advertisement about getting diplomas and degrees. I was quite shocked to find that my Bellsouth DSL IP address had been spammed. Has this happened to anyone else? Other than closing off the port which this can come through, are there any other ways to block this spam? And, how responsible is Bellsouth (or any ISP for that matter) in handling issues like this?"
Are you new?
Seems to me that restricting the port would be the sane method of preventing outside persons from exploiting your system. The same as any other service on any other port.
i hate pansy republicans
I got one of these just the other day.
I believe shutting down the messenger service will stop them.
On Windows NT/2000/XP, stop the messaging service and enjoy ;-)
TechTV covered this earlier this year so you might want to read their brief article for more information.
Basically, they're port scanning for open port 139 and spamming any IP that comes up positive. Either turn off the Messenger service in Services or install a firewall/router and block incoming TCP connections on port 139 (NetBIOS).
While you're at it, turn off the remote registry service...
Block the port. To be honest, I can't understand why you would leave any ports open when on an always-on connection with a static IP address. Unless you have a service running on a port that you want to be publicly accessible, all other ports should be blocked and stealthed. Experience says this is especially true for NetBIOS ports...
As for the second part, you cannot count on an ISP's usage terms to protect you from malicious acts. For good or for bad, they sell access services, not security services.
Especially not if you don't know how to configure it. There's even a GUI for disabling NETBIOS.
Jilles
I assume that you don't want to block the port because you want to have fully functional file sharing with people you know in your vicinity.
I think that what you probably want is to block the port to all IP addresses that are not in your subnet (local network). Therefore, if anyone spams you in the future, they have to be inside BellSouth, and you can (probably) get their account closed. But chances are, there's not gonna be anyone spamming like that from inside BellSouth.
That happened to me around midnight on Monday. I shut off the "Messenger" service in WinXP (although 2k has the same service) and I still had NetBIOS running without getting network popups (who uses them anyway?)
Hope this helps.
P.S. The "Messenger" service in the Services list has nothing to do with Windows/MSN Messenger, so please don't confuse the two. ^_^
"Black holes are where God divided by zero." - Steve Wright
Dear Slashdot,
When I go to work, I leave my front door unlocked and slightly ajar. The other day when I got back, I found vagrants sleeping on my sofa and defecating in my sink. Other than closing and locking my door when I leave, how can I get rid of them? Has this ever happened to you? Also, can I sue my landlord over this? Thanks.
Yours,
Confused in Cleveland
I have 2 Windows computers at home that have public static IPs. Instead of using my DSL router on the Windows machines, I've given them local IP addresses (192.168.*.*) and route them through my Linux server. There I've put up an iptables firewall with DNAT and SNAT, so that when the Windows computers are routed through the firewall, they get their public IPs assigned to them, and you can access the computers from the outside with the public IPs. On the Linux router I've added tons of rules, and one of the most important rules is the one that blocks ports 0-1024 on all Windows machines. All important ports are usually below 1024, so I can basically run filesharing, etc. without having to worry about users accessing the files from the Internet (or accessing Windows messaging). However, since all ports above 1024 are unblocked, and have a public IP due to the SNAT, the users on the Windows machines can use P2P apps, play games online, etc. since their machines are accessible from the outside. This has worked extremely well for a long time, no need for firewalls on the Windows boxes (like Norton Internet Security). I haven't experienced any viruses, hackers or unwanted pr0n sent to the printers because of open ports. :-)
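The two firewall approaches in this thread, allowing NetBIOS only from your own subnet (the post above about BellSouth) and dropping everything below 1024 to the NAT'd Windows boxes (the post just above), as an added example written for this page, not code from either poster. It emits the iptables rules so you can read them first; the subnet, host addresses and interface name are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the iptables rules for the two
# suggestions above: NetBIOS/Messenger ports reachable only from the local
# subnet, and every privileged port (0-1024) closed on the NAT'd Windows hosts.
# All addresses and the interface name are constructed assumptions; edit them.
LAN_NET="192.168.1.0/24"                 # assumed local subnet
WIN_HOSTS="192.168.1.10 192.168.1.11"    # assumed Windows boxes behind the Linux router
WAN_IF="eth0"                            # assumed Internet-facing interface

# Ports named in the thread: 135 (RPC endpoint mapper, the Messenger pop-up path),
# 137-139 (NetBIOS name/datagram/session) and 445 (direct-hosted SMB).
NETBIOS_TCP="135 139 445"
NETBIOS_UDP="135 137 138"

# Print each rule unless APPLY=1, in which case it is passed to iptables (needs root).
emit() {
  if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Rules for the "only my subnet" approach: accept from the LAN, drop from the WAN.
netbios_rules() {
  # Anti-spoofing first: a packet arriving on the WAN link cannot have a LAN source.
  emit -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
  for p in $NETBIOS_TCP; do
    emit -A FORWARD -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
    emit -A FORWARD -i "$WAN_IF" -p tcp --dport "$p" -j DROP
  done
  for p in $NETBIOS_UDP; do
    emit -A FORWARD -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    emit -A FORWARD -i "$WAN_IF" -p udp --dport "$p" -j DROP
  done
}

# Rules for the "block 0-1024 to the Windows machines" approach: refuse new inbound
# connections to privileged ports per host; ports above 1024 stay open for P2P/games.
lowport_rules() {
  for h in $WIN_HOSTS; do
    emit -A FORWARD -i "$WAN_IF" -d "$h" -p tcp --dport 0:1024 -m conntrack --ctstate NEW -j DROP
    emit -A FORWARD -i "$WAN_IF" -d "$h" -p udp --dport 0:1024 -m conntrack --ctstate NEW -j DROP
  done
}

netbios_rules
lowport_rules
```

Run it once without APPLY to review the 17 rules it prints, then as root with APPLY=1 to install them; the FORWARD chain's default policy still decides what happens to everything else.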
Spam Takes New Form
Most decent DSL/cable modem providers block the NetBIOS ports these days... that's just sad that they have those ports open and available for traffic on their network.
Hint: Get a Linksys router and those ports will no longer be available for spam...
Hint2: Don't leave Windows machines hanging on the wire like that unless they are members of an NT domain. It will step up the security of the NetBIOS connections.
Hint3: Never leave an improperly secured NT machine hanging on the wire like that....
Hint4: see hint 1
Power corrupts, absolute power corrupts absolutely, leaving one person (group) in charge is absolutely corrupt.
NET STOP MESSENGER
To make sure it doesn't restart next time you reboot, go into Control Panel, find the Services applet. Set the Messenger service to startup settings of "Manual" or "Disabled" (as opposed to "Automatic" which restarts it at every boot).
That works for NT, 2000 and XP. If you are still running 95/98/Me, then may god have mercy on your soul.
We're getting into topic creep, but I guess nobody will mind because the original topic was so silly....;-)
That is a different kind of RPC, one that pre-dates Windows. It does not use 135. Microsoft usually screws things up the first time, and reinvents it several times after. This is one of them.
The RPC stuff in SAMBA dates from the old LAN Manager days, and ran over the same port the file and print sharing did (139). This stuff existed in the days of DOS and Win16, long before COM and DCOM ever existed. It worked well enough to add a few functions to this subsystem. It had lots of problems: it was not easily extensible, couldn't be run on top of other protocols, and was not object oriented, etc.
Later, when Microsoft was building what became COM and DCOM (and what was then called OLE), they realized they needed a more robust RPC mechanism. They decided to use DCE RPC, theoretically an open standard. It is what DCOM is built on top of.
SAMBA continues to use the "old" RPC mechanism (for compatibility), and therefore does not use this port. If you look into the API documentation for the APIs exposed on top of these RPCs, you'll see Microsoft deprecates many of them.
BTW: I didn't write it, I copied and pasted from their site.
This stupid question (block the port, be done with it) has given me a potentially useful idea.
How hard would it be to send a message back to the boxes that have some Code Red or similar virus? Basically you ask my web server for c:/scripts/something, you get a Windows message back informing you in no uncertain terms that your box is infected and the OS needs to be reinstalled.
This isn't an attack, but if enough people did it (just one message per infection attempt) people would soon be forced to do something because of the barrage of messages. And the people who let their boxes REMAIN infected with a virus that's been out in the wild for over a year are hardly the type of people to have locked down port 139.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
OK, please do not regard this as bashing. It's just the correct answer to anyone with this problem - if you don't like it, the problem is not in the answer.
NETBIOS CANNOT BE SECURED. If you leave your netbios ports open, you can be cracked to such a degree that it will be impossible for anyone other than a forensic analyst (who will boot from a linux or BSD boot disk) to detect. Netbios is only a viable solution on TRUSTED networks, which the Internet isn't, by definition.
YOU ARE PROBABLY OWNED. Your machine is most likely already completely compromised, and is happily working on cracking RC5 ciphers for somebody you've never met. See the honeynet project for more information (incidentally, one of the founders of honeynet reportedly got cracked by el8; everybody can make mistakes).
YOUR BEST OPTION IS TO FORMAT YOUR HARD DRIVE. The fastest, most reliable way to remove any possibility of a problem is to reload your system from a read-only media - i.e. your windows distribution disk. You must scrub the hard drive first, though; there are programs that can survive windows reinstallation unless this step is taken. You must also disconnect your Internet connection until you have a firewall running, to be absolutely safe; you should buy the firewall or get a friend with a more secure system to download one for you, since anything you download with your machine is suspect.
Hope this helped!
(You will have to graduate from newbie status in order to take advantage of my advice. This means that you will have to climb the learning curve and actually go read some stuff. You can spend a chunk of cash on products to avoid doing just that, but that's much less fun.)
a d_license.htm. You will occasionally find that it interferes with pages that make heavy use of Javascript, but you can turn it off when needed. The added protection from annoying web sites is worth the small inconvenience it may sometimes cause.
If you're doing things like turning on file sharing or sharing printers, it's (supposedly) very easy to hack you. I say supposedly only because I haven't actually tried this. It's such an infamous hole though that I do believe it. To turn this off, unbind the NetBIOS protocol from the modem/network card that connects you to the Internet. In Windows 2000, that means you go to the Properties for your network connection (in the Control Panel) and uncheck the 'File and Printer Sharing for Microsoft Networks' option. (It's very easy to fix this in Win9x too using roughly the same technique.) You may have to reboot, I don't recall. That problem will then be solved.
Now to protect yourself from other intrusions and threats.
If you're just running a dial-up connection and don't leave your machine on the network for extended periods of time, then a product like ZoneAlarm (www.zonelabs.com - look for the free version) will serve you well. Actually, it serves you well in two ways: 1) it protects your machine from the outside world coming into your machine in an unauthorized fashion and 2) it protects adware on your machine from phoning home without your permission (actually it prevents everything from using the Internet until you grant permission, not just adware). This is sufficient for dialup.
For broadband users and users who want to leave their machine on the Internet for extended periods of time (more than a couple hours at a time), I recommend using an honest to goodness separate firewall. There is a lot that can be said about this, far more than I know really, but I will give you a couple pointers.
First of all, one of your options is to use a second PC as the firewall. It will need to have 2 network cards, you will need a router or hub for your home LAN, and you will have to get the cable modem (or DSL for that matter; with which I have no experience - shouldn't be too hard) working with that extra PC (via Windows would be easiest to start with). Once that's set up, go grab a Linux distribution like IPCop (or SmoothWall - they're very similar, in fact they were the same product at one time), and install it on that PC. It will require that you reformat the hard drive, so don't plan on storing any files on it. A small hard drive is sufficient. There are FAQs and forums on the IPCop and SmoothWall sites that will help get you set up.
Your second option in the category of 'real protection' (for home users anyway) is to just go buy a hardware firewall. So instead of a second PC, you just go buy a device that does essentially the same thing. I won't go into detail on these as I have no experience with them. I just thought you should know about them.
Two last points:
-PLEASE keep a current anti-virus product actively running on your machine and keep it up to date. If you need a free one, go to http://www.grisoft.com to get the free personal version of the AVG anti-virus product. This one has saved my butt several times from several infections. It may or may not be the best product out there, but it works for me.
-To protect yourself from browser window popups and other shenanigans, go grab WebWasher at http://www.webwasher.com/en/products/wwash/downlo
As always, this advice is just a starting point. Today's perfect security solution may be an open door tomorrow. It's up to you to keep yourself informed and to take action when problems arise.
Good luck and have fun!
Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
Yes, and he can use ZoneAlarm or BlackICE to block the ports and be done with it. I cannot believe crap like this is showing up on Slashdot these days. They must be hard pressed for news or something. In the Unix world these messages don't happen because any smart Unix admin has a firewall and/or proxy set up to block and log this crap.
Only 'flamers' flame!
Give me a break. Install Redhat 7.2 on PC, then plug that straight into the internet and tell me how long it takes to get r00ted. It took me all of 2 minutes at my last job.
A good start would be a decent software firewall. Tiny Software used to offer theirs for free for personal use, but seem to have taken it down from their website =(. If you scour the net, you might be able to find it for download from one of those shareware sites.
A reinstall also would be prudent. When I'm doing a fresh install I try to keep the machine behind a device doing NAT until I have proper firewall software installed and my box patched.
This firewall distro works great. I know everyone likes Freesco, and I use that too on occasion, but I've had the NetBSD firewall running at one of my client's offices for about a year and a half, and it's given me absolutely no trouble at all. Several people in our LUG use it as well.
:-)
Great product
Need a Linux consultant in New Orleans?
I see a lot of posts like, I got one last night, etc.
Also I first just noticed it on my girlfriend's family computer, ZoneAlarm kept popping up, someone is trying to access NetBIOS services. I did a tracert and it was from a NY ISP.
I wrote down the addresses of the attempted accessor (don't want to offend any good hackers here) for later exploration (the default Win98 install doesn't have the tools I wanted). Anyway, is all this activity recently because of some as of yet undiscovered worm? Is it a worm that has been around that is starting to do this? Have lots of attempted uninvited resource accessing people just decided it would be fun to try out (perhaps rotting flesh 1337 krew just posted a file or tool to do this)? Or is this something that has always happened a lot?
BTW, this was a dynamic dial-up account, not an always on DSL/cable.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
It is as simple as that, just unbind the NetBIOS protocol from the TCP/IP stack that is linked to the Internet.
NT4: Control Panel -> Network -> Services -> Services, just make sure under your Internet IP (dial-up adapter) nothing other than TCP/IP is checked.
Win2000: Network -> make sure only TCP/IP is checked.
Stopping the Messenger service will stop the spam, and leaves your PC open to the Internet. But it helps against BOFH.