FileFront Forums

Thread: General Gaming > I'm really pissed off this week! My computer has been invaded by SpyWare! (http://forums.filefront.com/general-gaming/20172-im-really-pissed-off-week-my-computer-has-been-invaded-spyware.html)

Danziger March 25th, 2000 10:17 PM

I'm really pissed off this week! My computer has been invaded by SpyWare!
 
I won't get into details, but I had to turn off my firewall to run some tests to find out what is hidden inside my computer...

...and my assumptions were right. Something was hidden! Some kind of SpyWare.

And guess what folks, it can happen to anyone of us.

Though the doors are now under lock and key, it's kind of like sleeping with the enemy. The enemy woke up and did some damage. Nothing serious, but it makes you kind of think why would somebody do this?

Why would these scanners do this? I'm no big shot (believe me).

I'm not trying to alarm anybody... but there are more reports of immature hackers (real hackers probably don't go for small fries like us) doing damage to anybody... ANYBODY!

This is not right. And don't think a Virus Scanner helps... because this is totally different from a Virus.... it's more like a Trojan? Or a Back Orifice (I think that's the name of it).

Anyways, I'm just pissed off. I still have to do some more work in fixing this problem... and even then I'm not really sure if I'm 100% protected (nobody is).

I'll keep all of you updated.

Danziger :^)

Tciny March 25th, 2000 11:13 PM

I've got some friends that even coded a trojan and do some hacking too (I tried it a few times but it simply was no fun). I can guarantee you that no real hacker will try to fry you, it's those small damn freaks that download a trojan somewhere and toy around with it. There will always be some of those suckers.
Get Lockdown2000(.com) it's a very good internet protection tool you can really trust.
TNT

Tciny

krusty@newbreed.net March 25th, 2000 11:37 PM

Get OptOut ( http://grc.com/optout.htm ).

It detects (and optionally removes) Spyware and all that crap Aureate puts on your computer / in your registry.
But be careful, some freeware / shareware (Go!zilla, unregistered CuteFTP) won't work anymore after you've removed the Aureate crap.

Even if you're not going to download OptOut, it's a really REALLY good idea to have your ports scanned on http://www.grc.com/ .
You'd be surprised...

Anyways, Danziger... what firewall do you use ? I use ZoneAlarm and am quite happy with it.

Krusty

Danziger March 26th, 2000 12:29 AM

ZoneAlarm is great! No regrets. But, you should close your NetBios port (Port 139).

All Windows9x computers have everything bound to everything. That is just bad!

The details are at grc.com's ShieldsUp site.

Danziger :^)

Danziger March 26th, 2000 12:35 AM

http://grc.com/su-bondage.htm

Network Bondage... it's no short read... please read everything thoroughly and carefully.

Danziger :^)

JMike March 26th, 2000 01:56 AM

Get Black ICE. It's a very good tool to give you highly advanced security. http://www.networkice.com/Products/BlackICE/default.htm

krusty@newbreed.net March 26th, 2000 02:41 AM

BlackICE is a really great way to get paranoid fast.
Getting 10 (mostly useless) warnings a day is no exception.

ZoneAlarm just puts all your ports on STEALTH so they appear non-existent to the outside world.

I've tried both, but ZoneAlarm is waaay better.

Krusty

Danziger March 26th, 2000 09:39 AM

I recommend EVERYBODY to close Port 139 (NetBios Port, I believe).

Go to that site I recommend above. Yes, it's a long read... but if you really want to feel safe (you never know if you may get a program crash)... then what is 30 minutes reading compared to 8 hours of getting rid of parasites!

Danziger :^)

Danziger March 26th, 2000 09:50 AM

http://grc.com/su-rebinding9x.htm

Get right to the chase if you are using Windows9x. There's one for Windows NT... go to my link above about Network Bondage... scroll down the page... and click on WinNT.

I hope this helps everybody.

Oh yeah, make sure you do the ShieldsUp test!
And check your probes!

Danziger :^)

JMike March 26th, 2000 09:59 AM

Well, I did a test at Shields Up, here're my results (with Black ICE):
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

Port probe test:

Port  Service  Status    Security Implications
21    FTP      Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
23    Telnet   Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
25    SMTP     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
79    Finger   Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
80    HTTP     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
110   POP3     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
113   IDENT    Closed    Your computer has responded that this port exists but is currently closed to connections.
139   NetBIOS  Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
143   IMAP     Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
443   HTTPS    Stealth!  There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

Enigmatic Shade March 26th, 2000 11:45 AM

A while back a friend of mine thought he was going to be real cool and send me a little trojan. It was some program that allows him to control my computer's functions remotely from his computer, so basically he used me as a server and (I unknowingly) installed a little remote program. This thing was pretty clever and didn't show up as running at all until I was running a shell program and it showed this window running that was just titled with a bunch of random-seeming numbers. I tried to close it and it crashed my computer. So when I rebooted I ran Spy++ (heh : )) and found where the source of that window was. It was a file called MSREXE.exe or something and I had to unclick some stuff in properties, reboot to DOS, delete it, reboot to Windows, rem out the command in my win.ini that loaded it. Well I told my friend all this and he found out that the remote was on his computer, and consequently he had to tell like 20 other people how to remove that and no one else had figured it out but me I guess. oh well

Danziger March 26th, 2000 12:26 PM

Moosoft... makers of The Cleaner... finds and cleans Trojans

Well, I tried that one, and Trojan Defense Suite... and nothing came up. No Trojans found... whoo-hoo! I think it's gone, but my system will never feel the same again (it feels a bit faster, though, when I'm online... that's because of the Network tweaking, though, and upgrading to Netscape 4.72).

Danziger :^)

[This message has been edited by Danziger (edited 03-26-2000).]

Danziger March 26th, 2000 01:18 PM

Oh yeah... sleep would be nice.

Danziger :^)

KingCobra_ March 26th, 2000 04:03 PM

No, no, no, BEWARE of Sub7. It's one bad ass trojan that can alter between ports each time you connect. It's ranked to be the worst case, due to its easy use. I have Sub7 right now. I just use it on friends :)

Danziger March 27th, 2000 11:22 AM

http://www.nohack.net/sub7.html

This link supposedly removes the Sub7 trojan.

I tried going to Moosoft's website, but it seems to be down.

Danziger :^)

P.S. Is it just me, or has Voodoo Extreme's server been slow lately... to connect, not to download all the gif's, jpegs, html... etc.


[This message has been edited by Danziger (edited 03-27-2000).]

KingCobra_ March 27th, 2000 12:08 PM

That hack will only get rid of a reg setup Sub7 server. I use a non-standard setup which makes it a bitch to find. It all depends on if the hacker is a Lamer or more advanced :)

Danziger March 27th, 2000 07:49 PM

http://www.webtrends.com/products/wsa/

Has anybody tried Webtrends Security Analyzer?

Danziger :^)

howdyDoDee April 2nd, 2000 08:00 AM

ZoneAlarm is the ONLY firewall you need!!!!

nytcrawlr April 2nd, 2000 09:04 AM

Your NetBIOS port 139 is a very touchy matter indeed. Even if an attacker can't share your resources directly through your shares, there is a little thing Micro$oft forgets to tell people that's in Windows NT called your Interprocess Share (IPC). It's a hidden share, but I'm not going into detail on how to connect to it. An attacker can connect to this share directly, most times bypassing any NetBIOS protection you have. Once connected a simple netstat easily confirms whether or not you're on. At this point all of the "target"'s shares can be viewed and consequently mapped to, allowing access to your machine. There are two things I would do to help prevent this.

1) Password protect ALL your shares, even if you're only on a home network. This can make the difference on whether you're attacked or you just piss off the attacker and they leave.

2) Open regedt32 and go to the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Choose edit | Add Value and enter the following data:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 1

Exit the Registry Editors and restart the computer for the change to take effect.

Believe it or not this key doesn't actually block anonymous connections, but it should prevent most of the information leaks that are inherent with a null connection, such as the viewing of share names.

Remember no one is ever 100% safe, but this should protect you from the majority of c0de kiddies out there. If though you have something on your machine that someone wants, with time and patience you could break into anything. Hope this helps all. Later!

-nyt
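As an added example (not part of nyt's post), a Python script that checks the setting described above against an exported copy of the LSA key rather than touching the registry directly: feed it the text of a regedit export of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA and it reports whether RestrictAnonymous is present and set to 1, and it can produce the .reg fragment that applies the same value the regedt32 steps above add. The two sample exports inside are constructed; the script treats an absent value as 0, which is the registry default for this value.

```python
import re
from typing import Dict, Tuple

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed export of the LSA key from a machine where RestrictAnonymous
# was never added (only two unrelated values shown).
SAMPLE_EXPORT_UNSET = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"""

# Constructed export from a machine after the regedt32 step in the post.
SAMPLE_EXPORT_SET = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def dword_values(export_text: str, key: str) -> Dict[str, int]:
    """Collect the REG_DWORD values listed under one key of a .reg export.
    Key names are compared case-insensitively, as the registry itself does."""
    values: Dict[str, int] = {}
    in_key = False
    for raw in export_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            in_key = sec["key"].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[m["name"]] = int(m["hex"], 16)
    return values


def audit_restrict_anonymous(export_text: str) -> Tuple[int, str]:
    """Return (effective value, verdict). A missing value behaves as 0, the
    default, which leaves share names visible over a null session."""
    value = dword_values(export_text, LSA_KEY).get("RestrictAnonymous", 0)
    if value >= 1:
        verdict = "ok: null-session listing of share names is restricted (RestrictAnonymous=%d)" % value
    else:
        verdict = "weak: RestrictAnonymous absent or 0, a null session can list share names"
    return value, verdict


def hardening_reg_fragment(value: int = 1) -> str:
    """The .reg text that adds the value the post describes. Importing it with
    regedit does the same as the Add Value step in regedt32; a restart is
    still needed for it to take effect."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{LSA_KEY}]\n"
        f'"RestrictAnonymous"=dword:{value:08x}\n'
    )


if __name__ == "__main__":
    for label, export in (("unset", SAMPLE_EXPORT_UNSET), ("set", SAMPLE_EXPORT_SET)):
        print(label, "->", audit_restrict_anonymous(export)[1])
    print(hardening_reg_fragment())
```

To check a real machine, export the key with regedit (File > Export, or "reg export" on newer Windows) and pass the file's contents to audit_restrict_anonymous; the fragment from hardening_reg_fragment can be saved as a .reg file and imported the same way.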

Danziger April 2nd, 2000 09:20 AM

Here's more network discipline for WinNT.

http://grc.com/su-rebindingnt.htm

This *should* close all your NetBIOS ports on WinNT.

Danziger :^)


All times are GMT -7.
