• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 188

"420" message sent to my server by 'SFGSOFT' - who what when?????

Domain environment, Window 2000 server SP3, Norton Antivirus 9, PIX firewall.

A message appeared on the server that has me concerned.  The fact that it is dated 420, has the time of 420, tells me some "funny" person thought this was amusing.   Could be purely coincidental, but I doubt it.  Nonetheless, this appears to be a security issue.

The message reads as follows (dialog's title bar = Messenger Service):

---------------------
"Message from SFGSOFT to YOU on 01/20/2005 4:20:12pm

Our Company offers a vacancy to
manage your PayPal payments.
You'll have 200-600 $ per week.

Mail:
Sfgsoft@volny.cz"

-------------------

Hmmmm, how did this appear?  What is it? CAN I TRACK THE SENDER IF IT WAS INTERNAL??????    Any suggestions on preventing this besides turning off Windows Messaging?????  Was there damage done?
Asked by top_rung
1 Solution
 
luv2smile commented:
This is utilizing the Windows Messenger service.  Windows Messenger service can be a big security risk and should be disabled, especially on a server (unless you have a real need for it, but usually there isn't).

http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx (for XP, but same for 2000)
 
luv2smile commented:
If you disable Windows Messaging then you won't have this security hole open on your system and you'd be a lot more secure and won't have to worry about these popups. Anyone in the world can send these Messenger service messages.....sounds like you had a common attack of messenger spam.

Also see this kb for other precautions to take including how to configure your firewall to prevent this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;330904
 
top_rung (Author) commented:
Yes, you are correct.  I have read this before, but I am not sure of the implications of taking such action.

If it is disabled, what all is affected?  Will server alerts still work? What are the potential pitfalls that I should look for by disabling this service?

Thank you
 
top_rung (Author) commented:
Sounds like I need to modify the PIX config... hmmm .. now to find out how to do that ;)  Any suggestions or threads to point me to?

PIX 506e

Thanks!
 
luv2smile commented:
Disabling Windows Messenger is highly advised as a best practice. Nothing is affected as long as you don't use Windows Messenger for anything, which more than likely you don't....if you used it then you would know it.  Not sure what you mean by server alerts??

Windows Messenger was intended for use by system admins to send alerts to their users....say to tell them that the server would be rebooted in 30 minutes.  But instead, Windows Messenger has become a huge security risk.

You should disable it on your server AND on all of your clients.

Before messing around on your PIX...make sure you know what you are doing. You should have Cisco documentation for blocking ports from the firewall....this is a very common firewall task, but be careful if you don't have experience.
 
luv2smile commented:
Remember a firewall is only as good as its configuration. If the firewall is configured to allow everything through it then there is no point in having the firewall :)   So you may want to go over your Cisco documentation and read up on best practice for blocking ports.
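As an added example (not from this thread or any of its participants), here is a small Python triage script that parses the popup's title line quoted in the question and flags PIX syslog entries for inbound UDP from the outside interface to the ports the Messenger service is reachable on; the PIX log line shape and the sample log lines are constructed assumptions, not real traffic.

```python
import re

# Ports the Messenger service is reachable on (RPC 135, NetBIOS 137-139, SMB 445).
# These are the ones to block inbound at the firewall to stop messenger spam.
MESSENGER_PORTS = {135, 137, 138, 139, 445}

# Assumed shape of a PIX 302015 "Built inbound UDP connection" syslog line.
PIX_UDP_RE = re.compile(
    r"302015: Built inbound UDP connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \S+ to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Title line of a Messenger-service popup, in the form quoted in the question.
POPUP_RE = re.compile(
    r"Message from (?P<sender>\S+) to (?P<recipient>\S+) on "
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}[ap]m)"
)

def parse_popup(text):
    """Pull sender, recipient, date and time out of a popup's title line, or None."""
    m = POPUP_RE.search(text)
    return m.groupdict() if m else None

def find_messenger_probes(log_lines, outside_if="outside"):
    """Return (src_ip, dst_ip, dport) for inbound UDP from outside_if to Messenger ports."""
    hits = []
    for line in log_lines:
        m = PIX_UDP_RE.search(line)
        if not m or m.group("src_if") != outside_if:
            continue  # internal senders are not flagged by this outside-interface rule
        dport = int(m.group("dport"))
        if dport in MESSENGER_PORTS:
            hits.append((m.group("src"), m.group("dst"), dport))
    return hits

# Constructed sample syslog lines (not real traffic); 10.0.0.5 stands in for the server.
SAMPLE_LOG = [
    "%PIX-6-302015: Built inbound UDP connection 4411 for outside:203.0.113.7/1029 (203.0.113.7/1029) to inside:10.0.0.5/135 (10.0.0.5/135)",
    "%PIX-6-302015: Built inbound UDP connection 4412 for outside:198.51.100.9/2048 (198.51.100.9/2048) to inside:10.0.0.5/138 (10.0.0.5/138)",
    "%PIX-6-302015: Built inbound UDP connection 4413 for outside:192.0.2.22/53 (192.0.2.22/53) to inside:10.0.0.5/1034 (10.0.0.5/1034)",
    "%PIX-6-302015: Built inbound UDP connection 4414 for inside:10.0.0.8/137 (10.0.0.8/137) to inside:10.0.0.5/137 (10.0.0.5/137)",
]

if __name__ == "__main__":
    print(parse_popup("Message from SFGSOFT to YOU on 01/20/2005 4:20:12pm"))
    for src, dst, port in find_messenger_probes(SAMPLE_LOG):
        print(f"messenger probe: {src} -> {dst}:{port}")
```

The third sample line (a DNS reply to a high port) and the fourth (an internal host) are not flagged, which is the point: only outside traffic to the Messenger ports is surfaced, and an internal sender would need a host-side check instead.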
 
top_rung (Author) commented:
Thank you.   In the MS article (per the article above) it states that

 "Note If the Messenger service is stopped, messages from the Alerter service (notifications from your antivirus software, for example) are not transmitted. ..."

That to me sounds like server messages (i.e. critical system messages) will be stopped.  So, that is what was concerning me.   But based on your input, I will stop the service and keep an eye out to see how things go.

Additionally, I am aware of how to block/allow traffic on the PIX for the most part, but I lack the knowledge on what is using certain protocols.  For instance, taking a look at the firewall's current config, NETBIOS and UDP traffic are allowed.   My problem is that I do not know what the uses are for these protocols.  If I turn it off, will it affect any remote desktop connections, VPN, etc.?

What is difficult is that this is the only device I have to "test" on, and it happens to be the company's production device so I can't go playing around with it :(

Thank you for your help
 
luv2smile commented:
Don't worry about stopping the service. Most (if not all) AV and similar programs do not currently use the Windows Messenger service to send alerts/notifications. Error messages and critical messages won't be affected as they are system messages and don't use Windows Messaging.
 
top_rung (Author) commented:
Wonderful.. thanks again!  

Much appreciated.      