Re: suspicious firewall rules in WinXP firewall

[Harry Hoffman <hhoffman () ip-solutions net>]

Check the Settings for the browsers, perhaps they were forced to use a
proxy that was listening on the loopback?

Check your DNS settings with ipconfig /all as well.

Look at what is set to run at startup via the registry. Chances are that
the exe's will resides in C:\Windows\system32 and may look innocent.
Grab a list of the names and google to find out more info.

You could spend a lot more time looking through the system but all in
all you should assume that the machine needs to be wiped and reloaded.

Does the user *need* admin rights?

HTH,
Harry


-- 
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/


belka () att net wrote:
> While setting a port for Symantec to query XP Pro workstations for virus updates, I noticed two machines that had 
> firewall rules (exceptions in WinXP firewall parlance) that were in unreadable charcaters, such as an asian font set 
> that couldn't be displayed. The rule name was in blocks or in other unreadable characters.  The user of these two 
> workstations is notorious for downloading asian TV shows over bit torrent, and visiting anime and other asian sites.
>
> I deleted the two firewall rules (DOH! I should have just disabled them) and now IE and Mozilla browsers do not work 
> at all.  I can ping out of these two machines, and as long as I use an IP address, these machines can ping anywhere 
> in the Internet.  However, if any call to DNS is requires, either with a browser or ICMP, it fails.
>
> Has anyone had a similar experience or seen this kind of behavior.  My fear is that one of the "special Korean 
> download programs" that this user admits installing has altered the browser or -- even worse - the XP TCP/IP stack 
> with hooks into a trojan or spyware product.  I tried disabling the firewall to allow all traffic in and out, but to 
> no effect.  No DNS functionality.  My packet traces are inconclusive and my IDS is not alerting on anything in or out 
> of these two work stations.
>
> Any ideas?  At this point I know I am going to have to reload, but from a forensic stand point, I am curious if any 
> one else has seen this kind of beavior before.
>
> Thanks.
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Black Hat
>
> Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. 
> World renowned security experts reveal tomorrow's threats today. Free of 
> vendor pitches, the Briefings are designed to be pragmatic regardless of your 
> security environment. Featuring 36 hands-on training courses and 10 conference 
> tracks, networking opportunities with over 2,500 delegates from 40+ nations. 
>
> http://www.blackhat.com
> ------------------------------------------------------------------------------

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. 
World renowned security experts reveal tomorrow's threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------