Slashdot Mirror


Stopping NetBIOS Spam?

MoonFacedAssassin asks: "I woke up this morning to find that my computer had a Windows messaging pop-up window with an advertisement about getting diplomas and degrees. I was quite shocked to find that my Bellsouth DSL IP address had been spammed. Has this happened to anyone else? Other than closing off the port which this can come through, are there any other ways to block this spam? And, how responsible is Bellsouth (or any ISP for that matter) in handling issues like this?"

18 of 97 comments

  1. um. by danielrose · · Score: 4, Insightful

    Are you new?
    Seems to me that restricting the port would be the sane method of preventing outside persons from exploiting your system. The same as any other service on any other port.

    --
    i hate pansy republicans
    1. Re:um. by pruneau · · Score: 5, Informative

      I concur with you danielrose.

      <RANT> Without denying MoonFacedAssassin the right to a response to a very pertinent question, I think that posting that on Ask SlashJeeves shows a surprising level of ignorance from Cliff. Or is he at the end of some coding spree? Because this question does not belong here, but rather on some newsgroup like comp.security.firewall (someone help me there).

      Anyway, let me end my RANT section by saying that the level of interest of ask slashdot has regularly reached new lows every day.

      I'm worried, to say the least

      </RANT>

      But let's drop the political/marketing aspect of that and take care of some real technical stuff:

      (Yeah you guessed it, I'm getting pedantic during insomnias (it's 3:00 here)).
      1. Get over it: an IP does not get spammed, because scanning blocks of addresses does not require any kind of disclosure from your ISP. They only have to have a router advertising their block of IPs to the internet for that block of addresses to be scanned, because having such a setup is one of the primary requirements to be an ISP. Sorry. Even residing in some secret whois database won't change anything there.

        Believe me, I've got firsthand experience of having systems simply plugged onto the internet, not even having a DNS record, and being scanned after one day of routable IP presence.

        And no, you don't want them to "protect" you from that, because if they start going big brother on you, you will notice a real drop in the number of things you can do online. Unless you really want only to surf and e-mail a bit, in which case that will be perfectly understandable.

        But that's another debate: since the internet is a jungle now, do we want to see some new kind of ISP that babysits their not-so-technical users?

      2. The second thing that worries me is that if you got a Windows messaging message, this means that you probably have a whole slew of NetBIOS services exposed to the internet. Now listen carefully: if you ever have a shared printer or, worse, drive, your machine is already hacked. Even not having shares might not be sufficient to protect you.

        I'm not trying to scare you there, it's just a fact.

        In this case, please unplug from the network and reinstall from scratch. Do not back up any executable. And the first time you re-plug your machine on the internet, please go shopping immediately for a personal firewall, like ZoneAlarm and such. Once this one is done, either make sure your anti-virus software is up to date, or get yourself one. This will give you a reasonable amount of security.

      3. If you followed me this far, well, thank you!!!
      Now, welcome to a brave new world !
      --
      [Pruneau /\o^O/\ warranty void if this .sig is removed]
    2. Re:um. by biglig2 · · Score: 4, Insightful

      NetBIOS exposed to the internet? Ouchies. If your set-up has security that bad then the ISP isn't the person to ask for help - because who knows what else you've left lying open?

      --
      ~~~~~ BigLig2? You mean there's another one of me?
  2. stop the service by Sam+Lowry · · Score: 3, Informative

    On Windows NT/2000/XP, stop the messaging service and enjoy ;-)

  3. Firewall yourself... by earthdark · · Score: 5, Informative

    TechTV covered this earlier this year so you might want to read their brief article for more information.

    Basically, they're port scanning for open port 139s and spamming any IP that comes up positive. Either turn off the Messenger service in Services or install a firewall/router and block incoming TCP connections on port 139 (NetBIOS).

    While you're at it, turn off the remote registry service...

  4. You said it yourself... by xt · · Score: 5, Insightful

    Block the port. To be honest, I can't understand why you would leave any ports open when on an always-on connection with a static IP address. Unless you have a service running on a port that you want to be publicly accessible, all other ports should be blocked and stealthed. Experience says this is especially true for NetBIOS ports...

    As for the second part, you cannot count on an ISP's usage terms to protect you from malicious acts. For good or for bad, they sell access services, not security services.

    1. Re:You said it yourself... by Basje · · Score: 3, Funny

      Many of these probes are probably open Windows machines on your subnet. Note their IP, and from Run or a command box on Windows type:
      net send ipnumber "your message"

      It's implemented in Samba too. Either in smbsend or smbclient. Look it up if you need it.

      --
      the pun is mightier than the sword
    2. Re:You said it yourself... by diesel_jackass · · Score: 5, Interesting
      >I wish I could pop up a message on their
      >screens. Something polite and respectful
      >like 'piss off you little bastard'.

      I don't know about popping a message, but you could have fun with Slap:

      Slap - If you're like me you run firewall software that tells you when someone tries to access your system. Sometimes I respond with a few packets of my own just to let them know that I am paying attention. I wrote Slap to make responding to these access attempts easier and more entertaining. Just enter the IP address of the person you wish to slap and click on the Slap button. The program will attempt to access all the ports in the list and send them a packet with a personal message. (The default message is 'Leave Me Alone!') Slap integrates with Black Ice and Zone Alarm and can use information received from these software firewalls to "Auto Slap" intruders and add their attacks to your list of responses. --Here is a cool Wav file to use with this.

  5. Re:Overlooking the obvious by jilles · · Score: 5, Insightful

    Especially not if you don't know how to configure it. There's even a GUI for disabling NETBIOS.

    --

    Jilles
  6. Dear Slashdot, by crapulent · · Score: 5, Funny

    Dear Slashdot,

    When I go to work, I leave my front door unlocked and slightly ajar. The other day when I got back, I found vagrants sleeping on my sofa and defecating in my sink. Other than closing and locking my door when I leave, how can I get rid of them? Has this ever happened to you? Also, can I sue my landlord over this? Thanks.

    Yours,
    Confused in Cleveland

  7. Make a little firewall... by mnordstr · · Score: 4, Informative

    I have 2 Windows computers at home that have public static IPs. Instead of using my DSL router on the windows machines, I've given them local IP addresses (192.168.*.*) and route them through my Linux server. There I've put up an iptables firewall with DNAT and SNAT, so that when the windows computers are routed through the firewall, they get their public IPs assigned to them, and you can access the computers from the outside with the public IPs. On the Linux router I've added tons of rules, and one of the most important rule is the one that blocks ports 0-1024 on all windows machines. All important ports are usually below 1024, so I can basically run filesharing, etc. without having to worry about users accessing the files from the Internet (or accessing windows messaging). However, since all ports above 1024 are unblocked, and have a public IP due to the SNAT, the users on the windows machines can use P2P apps, play games online, etc. since their machines are accessible from the outside. This has worked extremely well for a long time, no need for firewalls on the windows boxes (like Norton Internet Security). I haven't experienced any viruses, hackers or unwanted pr0n sent to the printers because of open ports. :-)
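    One way to build the router ruleset mnordstr describes, as an added example that is not the poster's own configuration: the interface names, private addresses and public IPs are constructed placeholders (documentation range 203.0.113.0/24), each Windows host gets 1:1 DNAT/SNAT to its public IP, and new inbound connections to ports 0-1024 (NetBIOS 137-139, RPC 135, SMB 445 included) are dropped while higher ports stay reachable. The script prints the iptables commands for review and only runs them when invoked as root with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the post: Linux router in front of two Windows hosts.
# All addresses and interface names below are constructed placeholders.
PUB_IF=eth0                             # faces the DSL line
LAN_IF=eth1                             # faces the Windows machines
WIN_HOSTS="192.168.1.10 192.168.1.11"   # private addresses given to the Windows boxes
PUB_IPS="203.0.113.10 203.0.113.11"     # their public static IPs, same order

# Emit the ruleset as text so it can be reviewed (or tested) before it is applied.
firewall_rules() {
    set -- $PUB_IPS
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    # Return traffic for connections the Windows hosts opened themselves.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for lan in $WIN_HOSTS; do
        pub=$1; shift
        # DNAT: packets addressed to the public IP are delivered to the private host.
        echo "iptables -t nat -A PREROUTING -i $PUB_IF -d $pub -j DNAT --to-destination $lan"
        # SNAT: the host's outbound traffic leaves with its own public IP.
        echo "iptables -t nat -A POSTROUTING -o $PUB_IF -s $lan -j SNAT --to-source $pub"
        # New inbound connections to privileged ports are dropped, TCP and UDP ...
        echo "iptables -A FORWARD -i $PUB_IF -d $lan -p tcp --dport 0:1024 -m conntrack --ctstate NEW -j DROP"
        echo "iptables -A FORWARD -i $PUB_IF -d $lan -p udp --dport 0:1024 -m conntrack --ctstate NEW -j DROP"
        # ... while anything above 1024 (P2P, game servers) still reaches the host.
        echo "iptables -A FORWARD -i $PUB_IF -d $lan -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Connections the Windows hosts start outbound are forwarded unconditionally.
    echo "iptables -A FORWARD -i $LAN_IF -o $PUB_IF -j ACCEPT"
}

# Pass "apply" to execute the rules (needs root); otherwise just print them.
if [ "${1:-}" = "apply" ]; then
    firewall_rules | sh -e
else
    firewall_rules
fi
```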

  8. read by rakerman · · Score: 3, Informative
  9. Crappy ISP! by haplo21112 · · Score: 3, Interesting

    Most decent DSL/cable modem providers block the NetBIOS ports these days... that's just sad that they have those ports open and available for traffic on their network.

    Hint: Get a Linksys router and those ports will no longer be available for spam...

    Hint2: Don't leave Windows machines hanging on the wire like that unless they are members of an NT domain. It will step up the security of the NetBIOS connections.

    Hint3: Never leave an improperly secured NT machine hanging on the wire like that....

    Hint4: see hint 1

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
    1. Re:Crappy ISP! by Blkdeath · · Score: 3, Insightful
      I was on www.foxnews.com and if you leave it up for 5 min or so with JavaScript turned on it pops up. I think it's just an ad that looks like a Windows message.
      Gee, I'd forgotten how annoying those popups were since I installed a browser that blocks popups. Alternatively, I could have installed another browser that showcases the same functionality. It's like a whole different WWW without popups. :)

      But seriously, this NetBIOS messenger problem is quite real, and is (almost) entirely the fault of the end-user. Putting a Windows machine on the Internet without some form of firewall (software or hardware) is an invitation to get violated in some way or another. All I have to say is, these people are already once lucky - their file and print shares are exposed to the world, so with a bit of password trickery (or exposing one of the many NETBIOS vulnerabilities that exist at various patch levels of each of the Windows OS variants) one can easily access the data and/or send malicious print jobs (hint: MS Paint, black background, 100 copies. Else, SPAM)

      There are also cases of people who actually run/administer a firewall that's obviously mis-configured to the point of being futile, so don't expect the mere presence of such a thing to protect you. One individual on the Security Focus Incidents mailing list is reporting this very same 'problem' on his network running Microsoft ISA firewall.

      If you're unable (for whatever reason) to install a software firewall, obtain and configure an Internet router. There are dozens (hundreds) on the market, and the vast majority of them (that we've dealt with/sold) come with port forwarding to the internal machines disabled per default. For single-computer owners, SMC makes a one-port Internet router that could simply be installed inline with the users' cable/DSL 'modem' for security and peace of mind. Moreover, it saves the user from having to install annoying PPPoE client software on their machines.

      Like the poster before alluded to (rather amusingly): if you leave your door ajar, don't be surprised when you come home to find people roosting in your house, or that some of your things are missing. Sure, the person may have broken the law, but putting out the welcome mat is just asking for trouble.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  10. Re:Happening at colleges too by Krelnik · · Score: 3, Informative
    I think that port 135 might be common here. But that's gonna hurt...

    Your so-called "Senior Security Engineer" needs to get a little more training. Port 135 has absolutely nothing to do with the Windows Messenger service.

    Port 135 is the RPC/DCOM portmapper in Windows. It performs the exact same service that port 111 does on a Unix box offering RPC services. It allows remote RPC calls to "find" the dynamically assigned port that their target service is running on.

    Windows Messenger does not use RPC or DCOM. It uses part of the same protocol that SAMBA uses.

  11. Two dumb birds for the price of one.... by coyote-san · · Score: 3, Insightful

    This stupid question (block the port, be done with it) has given me a potentially useful idea.

    How hard would it be to send a message back to the boxes that have some Code Red or similar virus? Basically you ask my web server for c:/scripts/something, you get a Windows message back informing you in no uncertain terms that your box is infected and the OS needs to be reinstalled.

    This isn't an attack, but if enough people did it (just one message per infection attempt) people would soon be forced to do something because of the barrage of messages. And the people who let their boxes REMAIN infected with a virus that's been out in the wild for over a year are hardly the type of people to have locked down port 139.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  12. FORMAT YOUR HARD DRIVE and reinstall. by Ashurbanipal · · Score: 3, Informative

    OK, please do not regard this as bashing. It's just the correct answer to anyone with this problem - if you don't like it, the problem is not in the answer.

    NETBIOS CANNOT BE SECURED. If you leave your netbios ports open, you can be cracked to such a degree that it will be impossible for anyone other than a forensic analyst (who will boot from a linux or BSD boot disk) to detect. Netbios is only a viable solution on TRUSTED networks, which the Internet isn't, by definition.

    YOU ARE PROBABLY OWNED. Your machine is most likely already completely compromised, and is happily working on cracking RC5 ciphers for somebody you've never met. See the honeynet project for more information (incidentally, one of the founders of honeynet reportedly got cracked by el8; everybody can make mistakes).

    YOUR BEST OPTION IS TO FORMAT YOUR HARD DRIVE. The fastest, most reliable way to remove any possibility of a problem is to reload your system from a read-only media - i.e. your windows distribution disk. You must scrub the hard drive first, though; there are programs that can survive windows reinstallation unless this step is taken. You must also disconnect your Internet connection until you have a firewall running, to be absolutely safe; you should buy the firewall or get a friend with a more secure system to download one for you, since anything you download with your machine is suspect.

    Hope this helped!

  13. Re:Overlooking the obvious by kableh · · Score: 3, Insightful

    Give me a break. Install Red Hat 7.2 on a PC, then plug that straight into the internet and tell me how long it takes to get r00ted. It took me all of 2 minutes at my last job.

    A good start would be a decent software firewall. Tiny Software used to offer theirs for free for personal use, but seem to have taken it down from their website =(. If you scour the net, you might be able to find it for download from one of those shareware sites.

    A reinstall also would be prudent. When I'm doing a fresh install I try to keep the machine behind a device doing NAT until I have proper firewall software installed and my box patched.