Security Basics mailing list archives
Re: Windows 98 box is 'owned'
From: GuidoZ <uberguidoz () gmail com>
Date: Mon, 4 Oct 2004 23:11:00 -0700
*NOTE* This was sent directly to Glen off list, however I believe it applies to some current topics on-list. Therefore, I'm sending it here as well.

---------------------

Hello again. =)
I don't expect home users to have to invest a few hundred dollars (in some cases, per year) to be able to use their cablemodem/DSL connections... However, whenever I help friends set up their home networks, I do suggest (nowadays) the Netgear WGR614, which gives SPI, allows IPSEC outbound for connection to their work VPNs, and lets them use their laptops via wireless (with a key, etc., of course). It's all based on need--home users don't need content filtering, VPN support (except for being able to get to their work connections) or PKI in general. Power users like those of us who are sysadmins, sure... but Ma and Pa Kettle? Nah. Frankly, there is such a thing as "too much" complexity for end users--in my experience, if they can't plug it in and use it (or have me over for dinner and make sure it's all plugged in and usable), they aren't going to use it. It'll end up gathering dust next to their trash can.
Completely agree, 100%. I'd never expect a home user to have a need for a true hardware firewall. (I also noted in my original reply to the list that a router like those mentioned would be plenty for his mother.) The NetGear is a good choice. I'm usually one to recommend a LinkSys, however NetGear is my 2nd choice. =) My argument wasn't that home users needed a true hardware firewall. It was that LinkSys, NetGear and D-link don't make true hardware firewalls. Terminology, nothing more. ;) I've been in this industry far too long to let something like that get by. Too many people already have it confused. I would also like to emphasize a point you made - if it's not possible for them to use correctly (even if it is just a router), then having it is a waste. You could have the best tools in the world at your disposal, but if you have no clue how to use them, it's meaningless. Very good point.
I also generally advise they get a copy of ZoneAlarm or BlackIce to complement the hardware, and to make sure they have an anti-virus program on their machines.
Don't get me started on BlackICE! =) It's an IDS, not a true software firewall. (Google it for more info - Steve Gibson has a good write up on it.) ZoneAlarm is a good choice. So is Kerio. Both are free, easy to use, and work. Aside from the freebie class, I'm a big fan of Sygate. I do NOT like Norton Internet Security and McAfee anything. Both are resource hogs and frankly are unnecessary. Why pay so much for something you can get for free?
I also try and preach the wonders of Firefox/Mozilla and Thunderbird--unfortunately, most people fear lots of change--and they're comfortable with Outcrack (as I call it) and Internet Exploder. Why? "They just work" is usually the answer they give me. I can configure Firefox to look scarily like IE and Thunderbird to have 90% of the functionality of Outcrack (generally features in that 10% are stuff they never would use anyway), and yet they'll still go back to IE & OE. It's the old "lead a horse to water, but can't make them drink" bit :-/
Amen. I swear by FireFox/Mozilla products and have since the old Netscape days. Luckily, I started converting those whom I had influence over years before IE started having all the recent problems. (Just back when it was having the other problems. =P ) When the time came that it simply wasn't safe to use IE anymore, they switched without much fuss. The only thing missing when it comes to functionality is something no one should have started relying on in the first place - ActiveX. One of the organizations I support based an application on the .NET framework and was using an ActiveX applet to do some client side scripting. Unfortunately nothing but IE will work for them. If you have any suggestions, I'm quite willing to listen. ;)
Yes I've run PIXs and Nokia firewalls in the past. However, I see them (and their peers) as "enterprise-grade" and *way* overkill for Ma and Pa Kettle.
Again, see my first paragraph. I wasn't trying to convince Tom, Dick, and Harry to go out and get a SonicWall. I was only stating that there is a big difference between NAT and a hardware firewall. Not only would it be way overkill, but it would also be a waste as they could never figure out how to use it properly. A poorly configured firewall is worse than none at all - it gives a false sense of security. A problem often overlooked by too many that should know better! One firewall that could be considered both a hardware and software firewall (and even an enterprise class one at that) is the Linux based Smoothwall. It's free to download and only needs two NICs (minimum) and an old PC to be fully functional. In case you aren't familiar with it, it serves as a router as well as a firewall. (Providing NAT/DHCP if required, but also utilizing ipchains and such for complex rules.) I've been using it successfully at my shop for a few years. It also offers a web cache feature that saved us hours of update downloads. On top of all that, it has a simple web-based interface for the n00b user PLUS a telnet/ssh command line for the advanced. Updating is a snap, simple configuration can be done by anyone that would have a need for Smoothwall, and you can't beat the price. Many people have a computer in a closet somewhere that has plenty of power. The one running a 12 system network on a 3mb sDSL line at the shop is a Pentium 200 with 128MB RAM. We popped in an old 1.2GB hard drive and 2 new 3COM 3C905-TX NICs. (The networking parts are important so we didn't skimp.) It has multiple levels of security and can be used in a multitude of ways. It also has all the features of the big boys (though I've hardly scratched the surface of it) and works like a charm. Definitely check it out if you haven't already: http://www.smoothwall.org (Google it for myriads of configuration tips, scripts and tweaks.)
Thanks for the reply :)
Likewise. =) I always appreciate intelligent conversation.

-- Peace. ~G

On Mon, 4 Oct 2004 13:07:39 -0500, dana () dtn com <dana () dtn com> wrote:
Well, now you both are wrong... Many of the low end "NAT boxes" are "proper" firewalls. Routers often can be configured as firewalls, indeed, the first firewalls were routers. Servers are also often configured as firewalls. VPN and PKI, while often incorporated into firewalls (including these "NAT boxes") is not a requirement for something to be a firewall. Here's something for you to read:

http://www.ora.de/catalog/fire/chapter/ch04.html
http://media-server.amazon.com/media/mole/MANUAL000000672.pdf

Dan Anderson, CISSP, SCSA

"Randy Williams" <randyw () techsource com>
10/01/2004 09:31 AM
To "'GuidoZ'" <uberguidoz () gmail com>
cc <bulliver () badcomputer no-ip com>, <security-basics () securityfocus com>
Subject RE: Windows 98 box is 'owned'

Greetings,

I stand corrected! Yes, GuidoZ is quite right; the products that I was mentioning were simple NAT boxes, and NOT proper firewalls. I have fallen prey to my own attempt to convey complex ideas to the uninitiated with broad terms, please accept my apology.

RandyW

-----Original Message-----
From: GuidoZ [mailto:uberguidoz () gmail com]
Sent: Friday, October 01, 2004 1:15 AM
To: Randy Williams
Cc: bulliver () badcomputer no-ip com; security-basics () securityfocus com
Subject: Re: Windows 98 box is 'owned'

While these are all good points, I'd like to make a clarification on one thing.

> 1) Complete re-install of the OS with the addition of both a software
> firewall (ZoneAlarm) and a Hardware Firewall (Linksys, Dlink, etc).

Linksys, Dlink, etc are routers, not firewalls. While they function similar to a hardware firewall (providing NAT and blocking the systems behind them from direct access), they are NOT a substitute for a real hardware firewall (SonicWall, AlphaShield, etc) when required. Although, I believe a router would be plenty for your mother. =) People frequently toss around the term "hardware firewall" (including vendors), applying it to ANY device that provides NAT translation. In my eyes, it takes a lot more than NAT to make a firewall. Additional protection such as SPI, Content filtering, VPN, PKI, etc make up a true hardware firewall.

-- Peace. ~G

On Thu, 30 Sep 2004 16:51:32 -0400, Randy Williams <randyw () techsource com> wrote:
> Greetings Darren,
>
> This is a common problem to say the least; there are a couple of things that
> you could do that could help out your Mother.
>
> 1) Complete re-install of the OS with the addition of both a software
> firewall (ZoneAlarm) and a Hardware Firewall (Linksys, Dlink, etc).
>
> 2) Clean the system with Adaware, Spybot - Search & Destroy, the A/V of
> your choice, fully patch the OS, install a good software firewall, and spend
> some time showing your Mom some basic computing tips. Then, if that fails,
> install the hardware firewall for her and see how it goes.
>
> Without constant monitoring though, the PC WILL become infected again, it's
> just a matter of time.
>
> RandyW
>
> -----Original Message-----
> From: Darren Kirby [mailto:bulliver () badcomputer no-ip com]
> Sent: Wednesday, September 29, 2004 11:04 PM
> To: security-basics () securityfocus com
> Subject: Windows 98 box is 'owned'
>
> Hello all,
>
> I am writing this on behalf of my Mom. She was complaining that her computer
> was sluggish, and that her HD space was getting used up faster than it
> should. So I went over and fired up my trusty Linux live cd and had a look.
>
> Anyway, I found a directory right in C: named 'Downloads', and inside were
> about 50 or so files, which were all warez, porn, windows exploits and
> cracker 'howto's. Quite obviously this computer is owned, and is being used
> as a warez server. I deleted the files, booted win, but they reappeared after
> about 10 minutes. The strange thing is that these files are ALL 29k, and all
> have filenames like:
>
> Adobe Photoshop crack.exe
> Smashing the Stack.txt.exe
> Eminem - full album.mp3.exe
> Office 2003 full.exe
> ...
>
> On further inspection I found an identical directory at
> C:/windows/Downloaded Program Files/. God only knows how many trojans and other nasties are
> sprinkled around...
>
> So I yanked the power cord out of her adsl modem, and told her not to plug it
> back in unless she was checking her mail. Bad advice for sure, but try
> telling your mom that her computer is rooted by punk kids and it is too
> cracked to have safe internet access at all. Seems that a complete OS
> reinstall is in order, but it seems to me that if they can own her box once
> they can own it again just as easy, which leads me to this list...I would
> like to try some investigating, and try to figure out where the backdoor is,
> what exactly they are doing...and of course how to prevent it.
>
> Some background on myself...I am a Linux sysadmin, and have a great deal of
> experience with UNIX operating systems...however, I have never run a windows
> box, and have only used one in the 'point-and-drool' sort of way. So I really
> know nothing of how the underlying OS works (or doesn't...).
>
> So I guess I am just asking for some opinions of the situation, and perhaps
> some links to docs about this type of attack, and how to prevent it. Also,
> any software along the lines of chkrootkit or other forensic tools, but for
> windows would be a big help.
>
> TIA
> -d
> --
> Part of the problem since 1976
> http://badcomputer.no-ip.com
> Get my public key from
> http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
> "...the number of UNIX installations has grown to 10, with more expected..."
> - Dennis Ritchie and Ken Thompson, June 1972
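The directory listing Darren describes (every file 29k, names with a decoy extension such as .txt or .mp3 in front of .exe) lends itself to a simple triage check of the kind he asked for. The following is an added example written for this archive page, not code from anyone in the thread: it scans a directory for executables with deceptive double extensions and for clusters of same-sized executables, run over a constructed sample directory that mirrors the quoted listing.

```python
"""Triage scan for the symptom described in the thread: a folder filling
with same-sized executables whose names hide behind a decoy extension."""
import os
import re
import tempfile
from collections import Counter

# Suffixes Windows will execute; a "document" name ending in one is suspect.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")
# Decoy document/media extension immediately followed by an executable suffix.
DOUBLE_EXT = re.compile(r"\.(txt|mp3|jpg|zip|doc|pdf|avi)\.(exe|scr|pif|com|bat)$", re.I)


def is_deceptive_name(name):
    """True for names like 'Smashing the Stack.txt.exe'."""
    return DOUBLE_EXT.search(name) is not None


def scan_directory(path, min_cluster=3):
    """Return deceptive names plus executable size clusters (size -> count).

    Many executables sharing one exact size is the 'ALL 29k' pattern from
    the thread and usually means one dropper writing copies under new names.
    """
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            entries.append((name, os.path.getsize(full)))
    deceptive = sorted(n for n, _ in entries if is_deceptive_name(n))
    sizes = Counter(s for n, s in entries if n.lower().endswith(EXEC_SUFFIXES))
    clusters = {size: cnt for size, cnt in sizes.items() if cnt >= min_cluster}
    return {"deceptive": deceptive, "size_clusters": clusters}


def build_sample_dir():
    """Constructed sample mirroring the quoted listing (zero-filled, harmless)."""
    d = tempfile.mkdtemp()
    names = ["Adobe Photoshop crack.exe", "Smashing the Stack.txt.exe",
             "Eminem - full album.mp3.exe", "Office 2003 full.exe", "readme.txt"]
    for n in names:
        size = 29 * 1024 if n.endswith(".exe") else 100
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"\0" * size)
    return d


if __name__ == "__main__":
    print(scan_directory(build_sample_dir()))
```

On a real box, point scan_directory at the two folders Darren names and re-run it after a few minutes; a cluster that comes back after deletion points to a running process re-creating the files rather than leftover downloads.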