OT-Re: test post

Gerald Combs gerald at ethereal.com
Wed Dec 26 14:48:31 CST 2001


Sometimes a dynamic address can be a good and useful thing:

----
From daniel at pressure.net.nz Tue Dec 25 11:34:35 2001
From: Daniel Swarbrick <daniel at pressure.net.nz>
To: bugtraq at securityfocus.com
Subject: Possible hole in Win XP MS Client networking

Hi, I hope this is the correct contact for this kind of thing.

I've just had somebody drop Nimda viruses on my Windows XP Pro
workstation from Korea. Here's how it happened.

I had a Windows share on a FAT32 drive, which granted read/write to
Everybody (I know, bad practice, but it was just a temporary "Incoming"
directory from a file swap session with a friend a few nights ago). I
noticed my modem lights going, even though I was not downloading
anything at the time. At that moment, Norton Antivirus started popping
up warnings about Nimda viruses in .EML files in the shared directory. I
suspected my friend's files had come with a little extra bonus, so went
to check the directory myself. I couldn't find more than one .EML file
at a time (as NAV kept moving them to quarantine), but new ones kept
arriving. That's when I clicked as to what was happening, and ran
netstat from a DOS window.

Netstat revealed an ESTABLISHED connection from a host in Korea to the
microsoft-ds service on my machine. It also showed a TIME_WAIT
connection to windowsupdate.microsoft.com, although I had not been to
that site - possibly unrelated, as Windows does tend to phone home a
bit. Anyway, I promptly stopped sharing the directory, and disconnected
from the Internet, reconnecting in order to get a new IP.

I then checked my network configuration, and double checked that Client
for Microsoft Networks was not bound to my modem, which indeed it
wasn't. Now I don't run the XP firewall for my dialup connection, but
how is it that a connection can be made to a service that is not bound
to the dialup adapter?

Is this a hole? Can you guys perhaps replicate the condition and see if
it is? My machine has all the current critical updates applied from
Windows update.

Any other information you might need, I will try to supply.
----

On Wed, 26 Dec 2001, Marvin Bellamy wrote:

> Too bad that wouldn't stop spammers from using mail servers to relay.
> Anyone notice how tons of spam seems to be relayed through msn.com or
> that IE allows pop-ups that take over your desktop and can't be closed?
> I'm wondering if this is an oversight or if M$ is selling these
> "features"...
> 
> Duane Attaway wrote:
> 
> >They ought to give everyone a non-changing IP address.  That ought to
> >clean up much nonsense on the net and let disturbed people like me track
> >whose computer is messing up spreading viruses.  I don't know, it just
> >seems like the way dynamic IPs are being pushed is the source of much
> >evil in the world.  Tattoo a static IP to each house and I feel that the
> >internet would be more like a community, rather than strangers on a
> >connection that quickly vanishes.
> >