Firewall Wizards mailing list archives

RE: Help, some one's hacked into my home computer


From: David LeBlanc <dleblanc () mindspring com>
Date: Mon, 03 Jan 2000 13:07:46 -0800

At 09:46 PM 1/2/00 -0600, Michael J. Ballard wrote:
> Okay....first of all, you don't need to be running a web server to provide
> access to your file system. All someone needs to do is run a port scan to
> find that you are doing NetBIOS file sharing on an interface with a legal IP
> address. Then it is just a matter of adding your IP address and machine name
> to the LMHOSTS file on their PC and using
> "net use G: \\machinename\sharename" to map a drive directly to your
> file system.

This isn't exactly correct (mostly has the general idea).  A port scan
reveals that 139 is listening, which is a good indicator it is a machine
with NetBIOS functionality.  A Win9x machine with no shares still listens
on 139, and an NT machine may not have any accessible shares.

Determining whether there are any shares is normally done by:

net view \\server

where server might be a NetBIOS name that can be resolved via broadcast,
WINS or the LMHOSTS file, a DNS name, or even a dotted IP string.  There
are a few differences between Win9x, NT 4.0 or higher and old versions of
NT and WfW, but those OS's are so old I'm not going to go into it.

Whether or not the machine responds to the net view command depends on a
number of factors.  If it is Win9x, it is going to respond if it has
shares, but won't show any 'hidden' shares (name ends in '$').  To get the
'hidden' shares, write a thin wrapper over NetShareEnum(), so 'hidden'
shares aren't very hidden, and nearly anyone can see them.

If it is an NT machine, it may refuse to show you the shares because you
can't authenticate to the machine - but

net use \\server /user:"" "" 

works quite nicely to make a null (anonymous) session to the machine.
Win2k has the capability if RestrictAnonymous = 2 to refuse null sessions
entirely. Assuming you have a null session, a default machine will show you
the shares unless RestrictAnonymous is > 0.

Samba machines behave a little differently, and will vary with version.
Some versions of Samba refuse null sessions, but allow you to do
essentially the same thing with your own credentials, so:

net use \\server /user:"" "" 

is refused, but

net use \\server

is accepted, even though you're not really allowed to _do_ anything.
Whether it shows you the shares depends on version and the whim of the
operator.

BTW, it isn't really required to map a share to a drive letter anymore.  If
you use the 4NT shell, you can even change directories into \\foo\bar.

Bottom line is that if you have Win9x, and shares, the world is going to
see them, and they need to be protected.  IMNSHO, Win9x isn't a good choice
if you're going to put shares on the machine and be connected to the internet.

Another gotcha with Win9x is that you can brute force passwords very, very
quickly - at about 10x the rate of an NT machine, and given that you don't
even have to obtain a user name, this is all by itself a problem.  I can
hit you with a 500k entry dictionary attack overnight given bandwidth.  And
there is no way to log that this is happening (unlike NT).

> You need to think about using a firewall device or proxy server between your
> PCs and the DSL modem that does NAT (address translation) to prevent the IP
> address of your PC from being seen by the outside world. Netwatch, BlackIce
> and the likes are nice for reporting attacks, but it is often too late at
> that point. With read/write access to your shares, someone could have easily
> wiped out every file on your PC. Consider yourself lucky!

BlackIce can also be set up to block connections, so it might be a good way
to go.

> Last but not least, you think about using a more robust OS besides Windows
> 98 if you plan to share files. Windows NT Workstation, Windows 2000, OS/2
> Warp, Linux, etc. all allow you to set user-based security on your file
> system. Windows 95 and 98 only give you the option of read-only or
> read/write and anyone can access them.

What he said.  However, all of these more capable OS's also have a lot more
ways to shoot yourself in the foot than just shares, so plan on spending
some time learning a bit about network security.


David LeBlanc
dleblanc () mindspring com
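
Added example, not part of the original post: a local audit of the three exposure points the thread discusses (a listener on port 139, the RestrictAnonymous setting, and shares including the '$' ones). It assumes a current Windows host with PowerShell 5 or later and the standard Lsa registry location for RestrictAnonymous; the variable names are illustrative.

```powershell
# Added example: audit your own machine for the exposure described in the thread.
# Assumptions: modern Windows, PowerShell 5+, run locally with normal user rights.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RestrictAnonymous may be absent; treat a missing value as 0 (no restriction).
$ra = (Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous `
        -ErrorAction SilentlyContinue).RestrictAnonymous
if ($null -eq $ra) { $ra = 0 }

# Port 139 listening is what a port scan would see first.
$listening139 = [bool](Get-NetTCPConnection -LocalPort 139 -State Listen `
        -ErrorAction SilentlyContinue)

# Win32_Share lists every share, including names ending in '$',
# which is why "hidden" shares should never be treated as protected.
$shares = @(Get-CimInstance -ClassName Win32_Share | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Path   = $_.Path
        Hidden = $_.Name.EndsWith('$')
    }
})

$findings = @()
if ($listening139) {
    $findings += 'TCP 139 is listening: confirm a firewall blocks it from the internet.'
}
if ($ra -eq 0) {
    # Per the post: shares are shown over a null session unless RestrictAnonymous > 0.
    $findings += 'RestrictAnonymous is 0: anonymous sessions are not restricted.'
}
if ($shares.Count -gt 0 -and $listening139) {
    $findings += "$($shares.Count) share(s) defined: review permissions on each one."
}

"RestrictAnonymous : $ra"
"TCP 139 listening : $listening139"
$shares | Format-Table -AutoSize
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```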


