Comments on: Spammers Attempted MSRPC Popup Annoyances http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/ Bringing Fire To The Village: Your Source For Computer, Network & Information Security News from Dave Lewis, Security Blogger Sun, 07 Sep 2008 10:44:45 +0000 http://wordpress.org/?v=2.6.1 By: steve http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/#comment-69860 steve Sun, 10 Aug 2008 19:01:19 +0000 http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/#comment-69860 Hi dave.. Just letting you know,you are not alone.I have had "shaw cable" battering my firewall for 4 years now,every 3 minutes of the day,every day of the year. Hi dave..
Just letting you know,you are not alone.I have had “shaw cable” battering my firewall for 4 years now,every 3 minutes of the day,every day of the year.

]]> By: Dave Lewis http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/#comment-52790 Dave Lewis Sun, 02 Sep 2007 02:42:10 +0000 http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/#comment-52790 Nope the traffic isn't getting through. It's my IDS that recorded the traffic. Nope the traffic isn’t getting through. It’s my IDS that recorded the traffic.

]]> By: joat http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/#comment-52734 joat Sat, 01 Sep 2007 15:22:26 +0000 http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/#comment-52734 Also, given the content you described, the source is probably one or more infected boxes, within your service provider's network. - joat Also, given the content you described, the source is probably one or more infected boxes, within your service provider’s network.

- joat

]]> By: joat http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/#comment-52732 joat Sat, 01 Sep 2007 15:21:06 +0000 http://www.liquidmatrix.org/blog/2007/08/30/spammers-attempted-msrpc-popup-annoyances/#comment-52732 The Shaw connections are probably not what's being used as the source of the attack. MSRPC is UDP-based, meaning that there's not connection built to deliver the message. Because of this, the attacker can spoof the source address and make it look like whatever source IP he/she wants. My question to you would be: how is inbound UDP getting through your firewall? http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm has a basic analysis of the problem. - joat The Shaw connections are probably not what’s being used as the source of the attack. MSRPC is UDP-based, meaning that there’s not connection built to deliver the message. Because of this, the attacker can spoof the source address and make it look like whatever source IP he/she wants.

My question to you would be: how is inbound UDP getting through your firewall?

http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm has a basic analysis of the problem.

- joat

]]>