RE: Windows 98 box is 'owned'

["Randy Williams" <randyw () techsource com>]

Greetings,

I stand corrected!  Yes, GuidoZ is quite right; the products that I was
mentioning were simple NAT boxes, and NOT proper firewalls.  I have fallen
prey to my own attempt to convey complex ideas to the uninitiated with broad
terms, please accept my apology.

RandyW

-----Original Message-----
From: GuidoZ [mailto:uberguidoz () gmail com]
Sent: Friday, October 01, 2004 1:15 AM
To: Randy Williams
Cc: bulliver () badcomputer no-ip com; security-basics () securityfocus com
Subject: Re: Windows 98 box is 'owned'

While these are all good points, I'd like to make a clarification on one
thing.

> 1)  Complete re-install of the OS with the addition of both a software
> firewall (ZoneAlarm) and a Hardware Firewall (Linksys, Dlink, etc).

Linksys, Dlink, etc are routers, not firewalls. While they function
similar to a hardware firewall (providing NAT and blocking the systems
behind them from direct access), they are NOT a substitute for a real
hardware firewall (SonicWall, AlphaShield, etc) when required.
Although, I believe a router would be plenty for your mother. =)

People frequently toss around the term "hardware firewall" (including
vendors), applying it to ANY device that provides NAT translation. In
my eyes, it takes a lot more then NAT to make a firewall. Additional
protection such as SPI, Content filtering, VPN, PKI, etc make up a
true hardware firewall.

--
Peace. ~G


On Thu, 30 Sep 2004 16:51:32 -0400, Randy Williams
<randyw () techsource com> wrote:
> Greetings Darren,
>
> This is a common problem to say the least; there are a couple of things
that
> you could do that could help out your Mother.
>
> 1)  Complete re-install of the OS with the addition of both a software
> firewall (ZoneAlarm) and a Hardware Firewall (Linksys, Dlink, etc).
>
> 2)  Clean the system with Adaware, Spybot - Search & Destroy, the A/V of
> your choice, fully patch the OS, install a good software firewall, and
spend
> some time showing your Mom some basic computing tips.  Then, if that
fails,
> install the hardware firewall for her and see how it goes.
>
> Without constant monitoring though, the PC WILL become infected again,
it's
> just a matter of time.
>
> RandyW
>
>
>
> -----Original Message-----
> From: Darren Kirby [mailto:bulliver () badcomputer no-ip com]
> Sent: Wednesday, September 29, 2004 11:04 PM
> To: security-basics () securityfocus com
> Subject: Windows 98 box is 'owned'
>
> Hello all,
>
> I am writing this on behalf of my Mom. She was complaining that her
computer
> was sluggish, and that her HD space was getting used up faster than it
> should. So I went over and fired up my trusty Linux live cd and had a
look.
> Anyway, I found a directory right in C: named 'Downloads', and inside were
> about 50 or so files, which were all warez, porn, windows exploits and
> cracker 'howto's. Quite obviously this computer is owned, and is being
used
> as a warez server. I deleted the files, booted win, but they reappeared
> after
> about 10 minutes. The strange thing is that these files are ALL 29k, and
all
> have filenames like:
>
> Adobe Photoshop crack.exe
> Smashing the Stack.txt.exe
> Eminem - full album.mp3.exe
> Office 2003 full.exe
> ...
> On further inspection I found an identical directory at
> C:/windows/Downloaded
> Program Files/. God only knows how many trojans and other nasties are
> sprinkled around...
>
> So I yanked the power cord out of her adsl modem, and told her not to plug
> it
> back in unless she was checking her mail. Bad advice for sure, but try
> telling your mom that her computer is rooted by punk kids and it is too
> cracked to have safe internet access at all. Seems that a complete OS
> reinstall is in order, but it seems to me that if they can own her box
once
> they can own it again just as easy, which leads me to this list...I would
> like to try some investigating, and try to figure out where the backdoor
is,
> what exactly they are doing...and of course how to prevent it.
>
> Some background on myself...I am a Linux sysadmin, and have a great deal
of
> experience with UNIX operating systems...however, I have never run a
windows
> box, and have only used one in the 'point-and-drool' sort of way. So I
> really
> know nothing of how the underlying OS works (or doesn't...).
>
> So I guess I am just asking for some opinions of the situation, and
perhaps
> some links to docs about this type of attack, and how to prevent it. Also,
> any software along the lines of chkrootkit or other forensic tools, but
for
> windows would be a big help.
>
> TIA
> -d
> --
> Part of the problem since 1976
> http://badcomputer.no-ip.com
> Get my public key from
> http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
> "...the number of UNIX installations has grown to 10, with more
expected..."
> - Dennis Ritchie and Ken Thompson, June 1972