PeterHammer Posted May 22, 2003

i'm curious how these trojans get on someone's pc?

Usually by port scanning your PC, looking for open ports and vulnerable software. On Windows PCs most scanners are looking for the NetBIOS port 139, though unpatched IIS (or PWS) and SQL Servers (or MDAC) are also a favorite target. IIS and SQL server trojans and worms are well documented and demonstrated (Code Red, Code Red II, Slammer etc....)

Windows XP has fixed most of the issues with NetBIOS, and I am not sure if hackers have found a way of cracking it on an XP PC. But Windows 2000 and Windows NT 4 will give up all sorts of goodies, like the name of the admin account, the security groups, the shares available. It is then a simple matter to run a dictionary attack on the Administrator account which is not subject to the lockout policies. Anyway, a whole lot of morons out there have Windows 2000 with an empty Administrator password, or something simple like 'password' or 'admin'. Once you crack the password, it is a simple matter of opening the admin share (\\IPADDRESS\c$), drop an exe, and a shortcut to it in the All Users > Programs > Startup directory, wait for someone to logon and voilà...Trojan installed. There are also other exploits, but I am not going to get into it.

On Linux the attackers are often looking for well-known vulnerabilities in unpatched software. Older versions of SSH (3.3 and below) are full of them.
dougkinzinger Posted May 22, 2003

Heh, no, actually that's the dumb sh*ts who don't run decent AntiVirus software.

right on
PeterHammer Posted May 22, 2003

Oh one more thing: with the NetBIOS exploits and dictionary attacks, there is even commercial and freeware software out there that will help you out. They are sold under the auspices of security software for network administrators, but they are just as useful, if not more so, if you are trying to break into a system. Go figure. http://www.gfi.com/lannetscan/
PeterHammer Posted May 22, 2003

A firewall is NOT necessary to be secure... :no:

If you are running no server software, and you have locked down NetBIOS on your WAN you are 99% correct. But that assumes:

a) That disabling NetBIOS on a network adapter is not subject to any exploits (buffer overflows etc...). Truth be told there are none that have been discovered, but that does not mean they don't exist.

b) Your email client is not infected by a new virus that Nav2003 is not aware of yet, and you do not download some trojan disguised as shareware.
Malechai (Veteran) Posted May 22, 2003

i guess i'm 99% secure then. i can deal with the other 1%. livin on the edge baby!!
PeterHammer Posted May 22, 2003

That's your prerogative Megatron. :D
MxxCon (Author) Posted May 22, 2003

Spider_Man, send me that fancy trojan of yours that i'll show you that my antivirus detects it.
Jon Posted May 23, 2003 (edited)

this post was made whilst I was drunk, I've removed the contents because it was complete b*llocks that served no purpose. Have a nice day! (little yoda dude avatar person, you've said some clever stuff, but I think you're missing a few points as well)

Edited May 23, 2003 by Jon
Spider_Man Posted May 23, 2003

Look, all I know is what I've noticed while sitting at my workstation at work and also when we've pulled some of the servers that we've found IRC attack bots, zombies, trojans, whatever. Most still connect through port 6667 because your basic home user would look at that and not know what to think. Those of us that have an understanding of the Internet and its protocols would see it and red flags would go up.

MxxCon Posted: May 22 2003, 17:15: Spider_Man, send me that fancy trojan of yours that i'll show you that my antivirus detects it.

I did not say I had the Trojans, I have a database of them at work. As we have encountered them or found the Server side version running on a Server that we've pulled we've dissected it and cataloged it so that we can protect ourselves and our customers. What I meant was that I could show you a list of them. Almost all new Trojans seem (from what I've seen) to have code built in to avoid being detected. Yes Norton and all the rest try and keep up to date. But as we all know, that's tough.

Spyder, concerning ActiveX controls, bad example. Sorry. There is code available for websites though that will automatically DL files to your system. I'm sure some people on here may actually know how to code it into a website.

Concerning trojans through the e-mail, mass e-mail worms. Easy enough to defeat, but I found here recently when cleaning an infected workstation here at work of Klezz. When Norton went through it found Klezz so I started the fix Klezz and all of a sudden the machine locked up; 30 secs later the scan continued. After reboot I noticed something trying to make an outbound connection. I immediately said WTF?! Turns out, this version of Klezz had been packed with another little program that was set to, when an anti-virus program cleaned it off, unpack this little bugger. So we decided to see what it did. We plugged it in to the phone and dialed up to the net and it went to a remote server (which is coincidentally now offline) and dl'ed Klezz again! We disconnected and scanned the box and found Klezz but that was it. So our CTO contacted Norton and they investigated it.

Lastly, let me clarify this, because you guys sat here and poked holes in my post. What I meant by anti-virus software not picking up most Trojans is correct. There are a lot of them. Yes it will generally pick up older Trojans but there are new ones made all the time. Now I have found a particular little program that seems to work awesome, it's called "The Cleaner." I don't have a link for it but if I can find it again I'll post it here.

Back to the original post, to be safe, run a FW. At least do it so that you can't be used.
ahodes1 Posted May 23, 2003

There's nothing wrong with being more protected, but it's not a necessity! With NAT I don't use a firewall, though I would never know if a program is accessing the internet without my permission. Personally, I can live with that.
+John Teacake (MVC) Posted May 24, 2003

Software firewalls are useless, they only filter stuff, a hardware firewall works much better as it works on the physical layer. Although a software firewall is better than no firewall at all. Some people's home PCs do have important personal stuff on them. My mate got hacked once while he was uploading files to an FTP server. The hackers stole some useless files off his PC. i think all they stole were a DVD player EXE and a windows system file.
nims Posted May 24, 2003

i've heard that hardware ones are better than software firewalls, but anyhow, i just use the builtin one in xp.
whipper25 Posted May 24, 2003

i rely on my NAT router for any suspicious activity, if there are any...couldn't be bothered to install a software firewall and set permissions all the time...although, i don't think i would go without an antivirus...and i'm not worried of people hacking into my system to take stuff from me (cuz i don't have anything to 'take')..but i do worry about them putting some stuff IN my system...
username Posted May 24, 2003

so everyone is anti software firewall here now (good to hear).... i wait for the next "what is the best firewall" thread and the same people start making suggestions :laugh:
Wolvereen Posted May 24, 2003

I used to believe the same thing (and I am SO not the paranoid type). I would have debates with my friend who is a securities expert at an online company about how a $4.50 an hour bus boy was WAY more likely to steal my credit card number than a "hacker" would. I still basically believe that, however my head has been turned. I found GIGABYTES of files in the form of a 0 DAY SERVER hidden under my Recycle Bin (this was back in the 2000 days, not XP). Anyways, I guess they saw a fat internet connection, and tons of space so voilà! I do have a hardware firewall now with port forwarding that I use pretty much all the time. No problems since!
JodyWatts Posted May 24, 2003 (edited)

I have heard a lot of talk in the thread (and others) about which is better ... a hardware firewall or a software firewall .... Well, the REALLY funny thing is that a "hardware" firewall still RUNS software .... see the irony? I do think a "box" that is separate from your computer is the better answer rather than loading software ON your computer. Like most in this thread, I have a NAT router/Firewall and a good anti-virus software and have had no "problems".

Edited May 24, 2003 by Big_Daddy
username Posted May 24, 2003

ahh screw antivirus too, i give myself enough credit in knowing how not to get a virus
ToastGodSupreme Posted May 24, 2003

You know, here's my setup:

DSL ---> Linksys Router ---> My PC/My Server/My GF's PC

Now, I have NETBIOS turned ON, mostly due to the fact, that, with it on, everything works. It's reliable for small networks, and SECURE IF YOU KNOW WHAT YOU'RE DOING. In my router, I forward all EXTERNAL connections (i.e. anything that goes from DSL to router to network is external) to ports 137-139 to a ghost computer (192.168.1.x, "x being a number of a machine that is not on my network"). This protects my LAN from outside NETBIOS attacks. I do this for a few other essential ports as well. Forwarding certain ports to a "ghost" computer that doesn't exist.

A note to those who think they're so smart: Do not tell me to just close those ports. Can't, my router's software doesn't support it. Don't tell me not to use NETBIOS, I like it, it works for me, and with my setup, it IS secure. I've been monitoring my firewall logs on my server (which is the most public computer in my LAN) and NO connection attempts on NETBIOS ports have been made from external sources in the past 7 months (which is how long I've been logging this stuff). My method works for me.

My server runs Kerio PF v.2.1.5. This is only to prevent certain apps from connecting out, and also, to keep a log of any FTP connections (as my server is a FTP among other things). My server and my gf's PC run NAV 2003/2002. I have it on my server so it can scan incoming files (it uh, likes P2P networks ;) ). My gf, like most guys' wives/fiances/girlfriends/mothers/women are click happy and will download just about anything that pops up in front of them. Hence my installing NAV on her comp. :D

Now to those who say, "Oh poop on your router-forwarding-ports-to-ghostcomputer", well, let me put it like this:

To those who might say, "What about overhead? You're wasting bandwidth by doing that." Not really. My router supports up to 100Mbps. I think it can handle all the probe packets sent from external sources and route them without any degradation to my 80Kb\s bandwidth offered by my ISP.

To those who might say, "But you're also wasting your ISP based bandwidth!" No I'm not. If my router didn't catch those packets and stop them then my computers would have gotten them and probably responded. Let's assume that I have NETBIOS off, well, the packets would still hit my computers and then it would either generate a response which would have to be sent out, or it would die at my computer (generating the equivalent of my router forwarding the packet to a "ghost"). The forwarding method just saves my comps the trouble of even dealing with those packets. They are oblivious and quite happy.

To those who might say, "But now you're making your router work harder." So?!? What do I care that it has to process packets, that (ARE YOU READY FOR THIS?) IT WOULD HAVE TO PROCESS ANYWAY (yes, because it still has to process the packets and send them out to my machines). Where is it working harder? Heh.

This is more a pre-emptive strike post against those who want to tell me that my setup is insecure. :D :ninja:
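Two posts in this thread rely on reading firewall logs: Spider_Man's point that bots and trojans typically phone home over IRC port 6667, and ToastGodSupreme's claim, based on months of Kerio logs, that no external host ever hit the NetBIOS ports. The script below is an added example (not code from this thread, from Kerio, or from any poster) that automates that review: it parses connection log lines, separates LAN (RFC 1918) addresses from Internet ones, and counts inbound NetBIOS probes from outside plus outbound IRC connections. The log line format and the sample lines are constructed for the example and are not Kerio's real format; the NetBIOS port set also includes 445 (SMB over TCP on Windows 2000/XP), which the thread does not mention.

```python
"""Review a firewall connection log for external NetBIOS probes and
outbound IRC connections (added example; log format is assumed/constructed)."""
import ipaddress
import re
from collections import Counter

NETBIOS_PORTS = {137, 138, 139, 445}   # NetBIOS name/datagram/session + SMB over TCP
IRC_PORTS = {6667}                     # default IRC port used by the bots the thread describes

# Addresses treated as "my LAN": RFC 1918 ranges plus loopback.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log: "date time DIR PROTO src:port -> dst:port ACTION".
SAMPLE_LOG = """\
2003-05-24 10:15:02 IN TCP 203.0.113.7:4412 -> 192.168.1.20:139 DROP
2003-05-24 10:15:03 IN UDP 203.0.113.7:137 -> 192.168.1.20:137 DROP
2003-05-24 10:16:40 IN TCP 192.168.1.30:1055 -> 192.168.1.20:139 ACCEPT
2003-05-24 10:20:11 OUT TCP 192.168.1.20:1234 -> 198.51.100.9:6667 ACCEPT
2003-05-24 10:21:00 IN TCP 203.0.113.44:3120 -> 192.168.1.20:21 ACCEPT
2003-05-24 10:22:05 OUT TCP 192.168.1.20:1240 -> 198.51.100.9:6667 ACCEPT
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<action>ACCEPT|DROP)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def is_external(ip):
    """True when the address is outside the LAN ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETWORKS)


def classify(entry):
    """Label the entry if it matches one of the two patterns of interest."""
    if entry["dir"] == "IN" and entry["dport"] in NETBIOS_PORTS and is_external(entry["src"]):
        return "external_netbios_probe"      # LAN-to-LAN NetBIOS is left alone
    if entry["dir"] == "OUT" and entry["dport"] in IRC_PORTS and is_external(entry["dst"]):
        return "outbound_irc"                # a candidate for "something phoning home"
    return None


def analyze(log_text):
    """Count findings per category and list the remote hosts involved."""
    counts = Counter()
    hosts = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        counts[kind] += 1
        remote = entry["src"] if kind == "external_netbios_probe" else entry["dst"]
        hosts.setdefault(kind, set()).add(remote)
    return {"counts": dict(counts), "hosts": {k: sorted(v) for k, v in hosts.items()}}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for kind, n in report["counts"].items():
        print(f"{kind}: {n} event(s) from/to {', '.join(report['hosts'][kind])}")
```

A zero count for external_netbios_probe over a long window is the evidence the poster above describes; a non-zero outbound_irc count on a machine that is not supposed to run an IRC client is the red flag Spider_Man describes, and the listed remote host is what to investigate next.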
MxxCon (Author) Posted May 24, 2003

your setup IS insecure. i don't feel like going into all the points right now. i'll do it tomorrow
[XS] Posted July 16, 2003

firstly: don't take this as an insult. secondly: what's with the high amount of paranoia shown on the internet, i mean when someone checks their firewall logs and they see stuff like port scan, finger etc then they immediately presume someone has/is attacking them... come on, what kinda stuff is worth hacking home pcs for...? that college assignment due in last week? that home video of your last holiday? i think not... ok now that's off my chest i feel better
MxxCon (Author) Posted July 18, 2003

you're not the only one https://www.neowin.net/forum/index.php?act=...1&hl=you+pinged
[XS] Posted July 19, 2003

oh lol, didn't realise someone beat me to it!
Keldyn Posted July 19, 2003

threads merged
[XS] Posted July 19, 2003

cheers keldyn,