Is there a NetSend logfile?

kill2003
Hi there,

I am hoping someone here may be able to help me...

A lot of employees at my company abuse the netsend command. I would like to know if there is a logfile on the server that lists all of the netsend text, information etc.

I do not mind a few messages here and there, but some people are abusing this and I would like to have sufficient evidence to be able to stop this.

Thanks in advance for any replies to this question...
Happy New Year !
Support Escalation Engineer
Commented:
It is logged, however, it is only logged on the systems that send and the systems that receive the messages. It will be in the system event log for all the systems involved as an Event ID: 26 and Source: Application Popup. In the description it will tell you which system it came from, who the target is, and the date/time sent. Then below that it will have the message sent. Hope this information is useful for you. Have a good day and a happy New Year.

Author
Commented:
Thanks for your information, that will be a real help!

Kind Regards

James
Hi kill2003,

Happy new year to you, too.

By far, the easiest way to prevent NET SEND abuse is disabling the messenger service locally, e.g. by denying execute permissions to NET.EXE in a logon script.

Reading your post, however, I don't think that this is what you want.

Unfortunately, there's no logfile of NET SEND on the server.
You can see what messages people have received in Event Viewer on their local PC, as all incoming messages are logged in the system log (Event Viewer, System Log, Application Popup, event ID 26).

If you really want to do centralized logging, I think the best approach would be using some kind of sniffer that is able to log NET SEND traffic. One thing you have to take into account is the different implementations of NET SEND throughout the different Windows versions.

"[...] messages are making it past the usual NetBIOS filters (ports 137-139, port 445) because in Windows 2000 and XP, the Messenger Service now works using RPC. [...]"
(Source: Trojan TCP/IP ports, http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html#netsend )

Read more about the differences in implementation at:
http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm

Some of these articles show Ethereal, a network sniffer, to sniff this kind of network traffic, and that would probably be your best bet. You'd typically set up filters to capture only netbios/rpc traffic. Ethereal allows you to see the contents of the messages, including sender and recipient.

Hope this helps,

Lars

BTW: NET SENDs originating from outside your local LAN are a hot issue at the moment, as people are using them for spamming purposes.

There's an on-line test available to see if you're vulnerable to NET SENDs from outside your LAN at http://www.mynetwatchman.com/winpopuptester.asp

You can find much more info on NET SEND spam by searching Google.com for "net send spam".
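One way to gather the Event ID 26 / Application Popup entries that both answers above describe from several PCs into a single file for review. This is an added example, not code from the thread; the hostnames are placeholders, and the "Message from X to Y on <date>" layout the regex expects is an assumption, so the script falls back to the raw description when it does not match.

```powershell
# Added example: collect Messenger-service pop-ups (System log, Source
# "Application Popup", Event ID 26) from a list of PCs and flatten them to CSV.
# Assumes the account running this can read remote event logs (Remote Registry
# service reachable) and that the description looks like
# "Message from <sender> to <recipient> on <date>" + blank line + message body
# (assumed layout; adjust the regex if your systems differ).

param(
    [string[]]$ComputerName = @('WKS01', 'WKS02'),   # placeholder hostnames
    [datetime]$After = (Get-Date).AddDays(-7),
    [string]$OutFile = 'netsend-log.csv'
)

# Assumed description layout; (?s) lets the body span several lines.
$pattern = '(?s)Message from\s+(?<Sender>\S+)\s+to\s+(?<Recipient>\S+)\s+on\s+(?<When>[^\r\n]+)\r?\n\s*\r?\n(?<Body>.*)$'

$results = foreach ($pc in $ComputerName) {
    try {
        # Source filter narrows the read; EventID check keeps only the pop-ups.
        $events = Get-EventLog -LogName System -Source 'Application Popup' `
                      -After $After -ComputerName $pc -ErrorAction Stop |
                  Where-Object { $_.EventID -eq 26 }
    } catch {
        Write-Warning "Could not read the System log on $pc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $m = [regex]::Match($e.Message, $pattern)
        [pscustomobject]@{
            LoggedOn  = $pc                      # PC whose log held the entry
            Time      = $e.TimeGenerated
            Sender    = if ($m.Success) { $m.Groups['Sender'].Value }    else { '' }
            Recipient = if ($m.Success) { $m.Groups['Recipient'].Value } else { '' }
            Body      = if ($m.Success) { $m.Groups['Body'].Value.Trim() } else { $e.Message }
        }
    }
}

# Full record for evidence, plus a quick "who sends the most" summary.
$results | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation
$results | Group-Object Sender | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Because the entries only exist on the sending and receiving machines, the list of computers you query is what determines how complete the picture is.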
