"Attempting connection to your computer"'s description sounds like a basic attempt at port 80, but that's an incredibly stupid test. If there was a bad web server running on your server, it wouldn't run on port 80.

Port 139 is the Windows SMB port. So this port would be open if you have file sharing turned on in Windows, or are running Samba on other platforms. This by itself can be bad because there are exploits against SMB for Windows, and people don't usually realize that file sharing by itself shares with everyone unless you do port filtering.

NetBIOS is an old network protocol which is used for Windows SMB, and maybe today for compatibility with legacy network applications.

"Messenger Spam" I would guess to be a check against the Windows service that lets administrators pop up messages on remote computers. This is a lot like the UNIX wall command, except there wasn't any authentication required. So spammers used this approach for a while.

Regardless, those tests are **** and really won't tell you much except that your front door is wide open. If you want to know if someone's made a copy of your house keys or climbed in through a window, none of this will help.

For example, I recently discovered a backdoor in explorer.exe on someone's machine, which wrote all keystrokes using a simple substitution cipher into a file on disk, which would then get uploaded for later analysis. Since explorer.exe is the Windows process, you can't get rid of this without blowing away your Windows installation and the processes appear to be valid. cmd.exe was also replaced to hide some of the operation.

But they didn't do a good enough job because the log file was still visible from explorer.exe (it should have been hidden) and they didn't rewrite the system APIs (a tougher job, sure) to prevent discovery of the DLL their explorer.exe was using.
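The post's point is that an open-port scan says nothing about whether explorer.exe or cmd.exe has already been swapped out. One defensive check that does address this is a file-integrity baseline. The code below is an added example, not from the post or the forum: it hashes a set of binaries while the machine is in a trusted state and later reports which ones changed. File names and contents are constructed so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are never fully loaded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and SHA-256 for each binary while the system is still trusted."""
    return {str(p): {"size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths}


def verify_baseline(baseline):
    """Return paths whose current content (or existence) no longer matches the baseline."""
    changed = []
    for p, expected in baseline.items():
        if not os.path.exists(p):
            changed.append(p)
        elif os.path.getsize(p) != expected["size"] or sha256_file(p) != expected["sha256"]:
            changed.append(p)
    return sorted(changed)


def demo():
    """Constructed scenario: three fake binaries, two later replaced (the explorer.exe/cmd.exe case)."""
    names = ("explorer.exe", "cmd.exe", "notepad.exe")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in names:
            (root / name).write_bytes(b"ORIGINAL " + name.encode())
        baseline = build_baseline([root / n for n in names])
        # Simulated replacements: explorer.exe keeps the same byte length,
        # showing that the hash, not the size, is what catches it.
        (root / "explorer.exe").write_bytes(b"TROJANED explorer.exe")
        (root / "cmd.exe").write_bytes(b"TROJANED cmd.exe with extra bytes")
        return [Path(p).name for p in verify_baseline(baseline)]


if __name__ == "__main__":
    print(demo())  # ['cmd.exe', 'explorer.exe']
```

Run the verification from trusted boot media rather than from the suspect Windows install, because an attacker who has rewritten the system APIs (as the post mentions) could hand this check the original bytes.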