I feel sorry for...



Betazep
11-24-2001, 03:16 PM
204.210.153.72

This person will be receiving a nasty letter from his/her ISP for forbidden activities.

Then again Roadrunner services only warns you once... so it might be bye bye cable modem and back to slow internet.

People just shouldn't **** with me... especially when I am not in the mood.

dirkduck
11-24-2001, 06:26 PM
what'd they do?

Fordy
11-24-2001, 06:47 PM
>>so it might be bye bye cable modem and back to slow internet.


Yeah....smoke dat kiddie!!!.......

Null Shinji
11-24-2001, 06:55 PM
what did he/she do?

Betazep
11-24-2001, 07:52 PM
I had my firewall down to do some stuff, and I got a trojan dropped on my door.

I noticed I had a connection and ran a netstat. Yup, connected. Ran my firewall to block access and files came up trying to connect to the internet.

Ran virus scanner and removed trojans (X2). Received over 40 TCP probes to different ports over the course of the day. Reviewed my logs and found over 25 hits from the same person over the past month.

Normally I do not care, especially if they are somewhat sneaky about it and don't do it often. (My logs are full of suspicious activity beyond stray network traffic, but I do not care mostly.) But that ........ed me off. Stumbling in like a drunk bastard without even covering his tracks....

Que sera sera...

/dev/null
11-24-2001, 08:20 PM
bah he might have bounced thru another comp infected with the trojan...

ISPs usually don't give a damn unless you say something like "this guy keeps sending me child porn"...

lol anyways damn lamers around here with their little scripts bah...

oskilian
11-24-2001, 08:27 PM
how can you do that? I mean, execute a program from the other side of a network? Just curious, because I thought that trojans are meant to be run explicitly by the server ("victim") computer.

I think that you just have to be careful, you don't need to have a firewall to prevent hacking into your computer, or do you?

Oskilian

/dev/null
11-24-2001, 08:41 PM
"how can you do that? I mean, execute a program from the other side of a network? Just curious, because I thought that trojans are meant to be ran explicitly by the server("victim") computer."

correct unless your computer has been hacked and the attacker has execution rights on your box...

firewalls are really useless in my opinion they just make people paranoid and if someone wants in to your box they will get in... no little software firewall is gonna stop them...

Fordy
11-24-2001, 08:45 PM
>>firewalls are really useless in my opinion they just make people paranoid and if someone wants in to your box they will get in... no little software firewall is gonna stop them...

Yeah...ok if a wise hacker targetted me,he'd get in ...eventually.... but proggiez like zone alarm ect do offer some protection, and most of the time thats sufficient.....

The principle of dismissing something utterly because it isn't 100% foolproof is a joke....

zen
11-24-2001, 08:48 PM
firewalls are really useless in my opinion they just make people paranoid and if someone wants in to your box they will get in... no little software firewall is gonna stop them...

But, they'll deter casual interest.

oskilian
11-24-2001, 08:51 PM
as far as I know, if you want a hacker to be able to do this you must share a resource with execution permission.. aaand, allow this resource to be shared within the network (internet), you can un-share everything for the internet in Windows. Or is there any other way for a hacker to come into your computer (without trojans or tools like trojans)?

Oskilian

Fordy
11-24-2001, 08:55 PM
>>or is there any other way for a hacker to come into your computer

Lots of ways......mostly by trickery...... You're right about the difficulties of executing stuff remotely, but often hackers trick people into running the code themselves......

oskilian
11-24-2001, 09:06 PM
that's what I'm talking about, you have to be careful! how can a hacker trick you into executing their own code? I don't get it!

Oskilian

Betazep
11-24-2001, 09:06 PM
>>>bah he might have bounced thru another comp infected with the trojan...

ISPs usually don't give a damn unless you say something like "this guy keeps sending me child porn"...

lol anyways damn lamers around here with their little scripts bah...<<<

LOL... yeah never thought of that one (the child porn part).


As far as bouncing... that isn't my concern. I am a firm believer that you are responsible for all actions from your computer whether it is your child, an outside hacker, or you.

And I assure you that Roadrunner looks into it and takes it very seriously.

First they check the validity of the logs. Then they scan both computers in question to check for obvious exploits. Then they send a nice letter... (want me to read mine to you) that states that you are responsible for the actions on your computer (like I said... I certainly believe in that) and even though scanning isn't illegal, it does violate the terms of use.

I got a letter while I was tracking down a hacker. I found a nix server that was wide open so I emailed the box owner. He thanked me and said that he thought that Unix was secure right out of the box... which should have made me realize he was dumb. I guess he looked into his logs (I am surprised he could find them...) and he saw my scan and reported ME to my ISP!

Last time I help someone...

Betazep
11-24-2001, 09:11 PM
>>>that's what I'm talking about, you have to be careful! how can a hacker trick you into executing their own code? I don't get it!

Oskilian<<<

Easy. Send you a picture of a naked girl. You open it... you get infected. The program writes an entry into the winstartup or Autoexec.bat file so that your computer starts the program for them.

Or use any number of the millions of exploits in computers on people that do not upgrade their software with critical patches.

Run sendmail in unix and not know what you are doing (or set uid with permissions).

It isn't hard. Once you are exploited, you can have a port bleeding into the web....

Run netstat on your computer every now and then. You can tell if you are connected at least (unless netstat is compromised or the trojan is hidden).

Fordy
11-24-2001, 09:20 PM
Well pictures don't execute code... but look at some of the viruses that have made it big in the last 3 years......For instance some emails have managed to run attachments without even being properly opened...thanks to the preview pane on Outlook Express for instance.......

If they managed to run an executable on your system in such a way then you're in trouble...anything could have been done to your system....often they can then take advantage of the Run key in the registry to restart a trojan each time the computer boots (assuming Windows in this instance)
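A defender-side check for the persistence both posts describe (a startup entry, here the Run key in the registry), written as an added example rather than anything posted in the thread: it parses a `reg export` of the Run key and flags entries that launch from directories such as Temp or Downloads, which legitimate autostart programs rarely do. The sample export, the value names and paths inside it, and the list of suspicious directories are all constructed assumptions; a real export is UTF-16 text, so open it with `encoding="utf-16"` before handing it to the parser.

```python
"""Audit Run/RunOnce autostart entries from a .reg export (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# produces. The value names and paths are made up for illustration.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe -silent"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" with .reg escaping (a backslash escapes a backslash or a double quote)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Directories an autostart entry rarely has a legitimate reason to launch from.
# This list is an assumption for the example; tune it to the host being audited.
SUSPICIOUS_DIRS = ('\\temp\\', '\\downloads\\', '\\users\\public\\')


def _unescape(value: str) -> str:
    """Undo .reg escaping: drop the backslash in front of an escaped backslash or quote."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [KEY] to its "name"="string value" pairs (other value types are skipped)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][_unescape(value_match.group(1))] = _unescape(value_match.group(2))
    return keys


def executable_path(command: str) -> str:
    """Pull the program out of an autostart command line (quoted path, else the first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''


def audit_run_keys(text: str) -> List[Tuple[str, str]]:
    """Return (value name, program) for Run/RunOnce entries launching from a suspicious directory."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(text).items():
        if key.lower().rsplit('\\', 1)[-1] not in ('run', 'runonce'):
            continue
        for name, command in values.items():
            program = executable_path(command)
            if any(d in program.lower() for d in SUSPICIOUS_DIRS):
                findings.append((name, program))
    return findings


if __name__ == '__main__':
    for name, program in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f'review autostart entry {name!r}: {program}')
```

On the constructed sample only the `Updater` entry is reported, because it runs from a Temp directory; the other two live under Windows or a per-user application directory. The same parser works on an export of the HKLM Run key, which is the other place a boot-time restart is commonly registered.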

Betazep
11-24-2001, 09:28 PM
>>>Well pictures dont execute code...

true... but code can execute a picture. To an unwary person that just double-clicks.... display picture.... in background, drop trojan.

oskilian
11-24-2001, 09:28 PM
Originally posted by Betazep

Easy. Send you a picture of a naked girl. You open it... you get infected. The program writes an entry into the winstartup or Autoexec.bat file so that your computer starts the program for them.


Fordy's right, images don't run code, unless they send them as "picture.jpg.exe", and in my opinion, you REALLY need to be dumb to run these


Originally posted by Fordy

thanks to the preview pane on outlook Express


oh, c'mon, Outlook is the unsafest tool on the face of the earth, not to mention slow and inflexible. Why should you use it when there are more tools to do what Outlook does without compromising your security?


I still think that being careful can do even more than what any software or hardware can

BTW, what does a firewall do?

Oskilian

Betazep
11-24-2001, 09:36 PM
>>>I still think that being careful can do even more than what any software or hardware can


Sure. If you know what you are doing... you may be immune. But whether or not you think that you are capable... it isn't usually the case. You do not need to do anything to get a virus. Just turning your computer on and hooking to the web may be enough.

So how could you be any more careful than that?

Virus software is important. I see too many people crash and burn without it. If you are not running it, there is a strong possibility that you are infected, and the possibility increases the longer you are online and with the speed of your connection.

And as far as firewalls go... the best statement in this entire thread...

"But, they'll deter casual interest." -Zen

You don't take out everyone, but you take out a lot of 'em.

(and see above about the images... a picture can be shown to you from an executable)

/dev/null
11-24-2001, 09:40 PM
"Lots of ways......mostly by trickery...... Your right about difficulties of executing stuff remotely, but often hackers trick people into running the code themselves......"

then they don't qualify as hackers... call them script kiddies...

about ZA

Zone Alarm sucks, it just can't keep up with the pace of today's software firewalls

there are also many known exploits against the ZA firewall... now you're right it will keep the lamers out... but firewalls aren't the answer... the answer is to run only the services you need and to update often...

now this is up for debate and i congratulate those who use firewalls... you are more concerned about security than most of the fools out there...

Betazep
11-24-2001, 09:42 PM
My friend played a clever trick on me when we were younger. He brought over a game on a floppy disk for me to try.

It looked completely like a little driving game. I inserted the floppy, ran the executable... played the game and then quit and took the disk out.

He left and came back the next day and played the game again and took the disk and left.

Little did I know that he had logged all of my keystrokes for the entire day and conveniently walked away with the log.

So much for my passwords.... he came back the next day and showed me the passwords I use.

Betazep
11-24-2001, 09:47 PM
>>>now this is up for debate and i congratulate those who use firewalls... you are more concerned about security than most of the fools out there...<<<

Ahhh isn't everything up for debate around here! :D

My friend works for American Express as a computer guru. He had to test Black Ice and ZA Pro for implementation onto their personal workstations. Both companies gave them a wide open license to the newest developments.

ZA Pro was actually pretty solid from what he told me when he gave me a copy... but we both know the real world. There is an exploit for everything eventually.

You are so right on the services tho...

Fordy
11-24-2001, 09:48 PM
>>oh, cmon, Outlook is the unsafest tool on the face of the earth

Not arguing.... it's just that it's so widely used that if a security gap is found it's widely exploited.

>>there are also many known exploits against the ZA firewall... now you're right it will keep the lamers out... but firewalls aren't the answer... the answer is to run only the services you need and to update often...

Yeah I know... I wasn't disagreeing that Zone Alarm is less than perfect....it's just the idea of dismissing it totally because it isn't 100% is flawed logic. For professionals you're right, but for the millions of Win98 desktop users, the idea of checking for listening ports and then securing them is totally out of their ability.

/dev/null
11-24-2001, 09:49 PM
also if you need a firewall you might want to check out NeoWatch, it's a great firewall... if you know what you're doing... stick with ZA if you're inexperienced :)

oskilian
11-24-2001, 09:50 PM
that's a good idea, I'd never thought of it, but I think that in most of these cases, antivirus software is useless since most of these people write their own programs and when these programs classify as viruses, they write a new one.

As for the program that shows the image, who is stupid enough to run a program which was given to you by a stranger, and that for some reason, when you disassemble it, it makes some calls to the winsock2 library? (I'm talking about people like us, I'm sure that a normal user may fall on this like a... something in a stupid trap)

Oskilian

/dev/null
11-24-2001, 09:55 PM
"As for the program that shows the image, who is stupid enough to run a program which was given to you by a stranger, and that for some reason, when you disassemble it, it makes some calls to the winsock2 library? (I'm talking about people like us, I'm sure that a normal user may fall on this like a... something in a stupid trap) "

well not so long ago they had a file extension that Windows removed when it was sent to your computer... I don't remember the exact extension name but let's say it was "shh"... well the registry told your computer not to display this so... this is what would happen

eg: nakedchick.jpg.shh will appear as nakedchick.jpg and shh is actually an executable file that can contain malicious code

Betazep
11-24-2001, 09:56 PM
>>who is stupid enough to run a program

God you wouldn't believe some of the people that work in my building, man. Once you get one person to trust that it is a cool program or a nice picture or whatever... all the people that he/she gives it to are not strangers. Then it keeps spreading to other friends.

And I am not saying someone with your reasoning ability would fall for such a thing, but think about this the next time someone sends you something and you open it. (because I find it hard to believe that you never have).

Do you disassemble all of the software your friends send you? Wow... I would rather run updated virus software.

oskilian
11-24-2001, 09:58 PM
that's precisely why you must deactivate all these annoying extension-hiders that windows has as one of the first things when you install windows

I do it just to be careful (this kind of careful is what I'm talking about)

Oskilian

Betazep
11-24-2001, 09:59 PM
>>>eg: nakedchick.jpg.shh will appear as nakedchick.jpg and shh is actually an executable file that can contain malicious code


Cool. You learn something new every day. You got to hand it to some people.... so many clever ones.

Unregistered
11-24-2001, 10:01 PM
Originally posted by oskilian
that's precisely why you must deactivate all these annoying extension-hiders that windows has as one of the first things when you install windows

I do it just to be careful (this kind of careful is what I'm talking about)

Oskilian

no, that's why you run Linux :)

Slackware 8 and the 2.4.12 kernel. (mm)

even if there are some nix viruses they are fairly rare :)

Betazep
11-24-2001, 10:01 PM
do me a favor osk... run

netstat -a

from a command prompt and see what is established or listening, and let us know.

oskilian
11-24-2001, 10:06 PM
>>Do you disassemble all of the software your friends send you? Wow... I would rather run updated virus software.

well, yeah, but this is not an everyday process because I normally don't get any software from my friends. What friends send is documents, and I have antivirus for that, and I open the macros just to make sure there's no nasty stuff in there.

But, let me tell you how I got the virus that wiped out my pc 3 days ago: My brother was working on a 60 page document he had to turn in the next day. The computer ****ed up and he reset the computer. Unfortunately for us, the disk had a MBR virus, and it infected the hard drive. When the antivirus software I have told me that we had a virus, I told it to fix it (I first didn't, but Windows didn't start), and the antivirus erased the MBR! I can't believe it, it also screwed up the file system and split the disk in 2!

but that's different because I wasn't the one who was responsible for it.

Oskilian

Betazep
11-24-2001, 10:08 PM
Oh man... that really sucks! Did you try to restore the MBR with fdisk?

Fordy
11-24-2001, 10:10 PM
>>>eg: nakedchick.jpg.shh will appear as nakedchick.jpg and shh is actually an executable file that can contain malicious code


Cool. You learn something new every day. You got to hand it to some people.... so many clever ones.

Here's a good one....I think this applied to a version of OE...but I can't remember.....anyway... some guy realised that if you create a file name with

"Hello.doc ::loads of spaces here:: evilcode.exe"

The last bit would not be visible in the dialog box.... therefore they would see;

"Hello.doc"

Of course, it would often have the bog standard .exe icon in that state, but still.... many ran it....
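The two disguises discussed in this part of the thread, a trailing extension that Explorer hides (the `.jpg.shh` case) and a document name padded with spaces so the real `.exe` scrolls out of the dialog, can both be caught by looking at the raw file name rather than what the dialog shows. The script below is an added example, not code from any poster: it lists the reasons a name may not be what it looks like. The sample names, the executable and content extension sets, and the NeverShowExt list (extensions Explorer keeps hidden even with "hide extensions for known file types" switched off) are assumptions made for the example; the authoritative list is whatever carries a NeverShowExt value under HKEY_CLASSES_ROOT on the machine in question.

```python
"""Flag file names that disguise an executable (added example; all names below are constructed)."""
import re
from typing import List

# Extensions Windows will execute on double-click (subset; assumption for the example).
EXECUTABLE_EXTS = {'.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js', '.hta', '.shs', '.lnk'}
# Extensions that look like harmless content to a user.
CONTENT_EXTS = {'.jpg', '.jpeg', '.gif', '.png', '.bmp', '.doc', '.txt', '.pdf', '.xls', '.mp3', '.avi'}
# Extensions Explorer hides even with "Hide extensions for known file types" off, because
# the registered type carries a NeverShowExt value. Assumed set; verify against HKCR.
NEVER_SHOW_EXT = {'.lnk', '.pif', '.shs', '.shb', '.url', '.scf'}

EXT_RE = re.compile(r'\.[a-z0-9]+')


def extension_chain(name: str) -> List[str]:
    """Every dotted token in NAME, lower-cased, in order: 'Hello.doc   evil.exe' -> ['.doc', '.exe']."""
    return EXT_RE.findall(name.lower())


def analyze_filename(name: str) -> List[str]:
    """Reasons NAME may not be what it looks like; an empty list means nothing was noticed."""
    findings: List[str] = []
    chain = extension_chain(name)
    if not chain:
        return findings
    real_ext = chain[-1]
    # Earlier extensions that a user would read as the file type
    shown = [e for e in chain[:-1] if e in CONTENT_EXTS]
    if real_ext in EXECUTABLE_EXTS and shown:
        findings.append(f'double extension: looks like {shown[-1]} but the real extension is {real_ext}')
    # A run of spaces inside the name pushes the tail out of a fixed-width dialog
    if re.search(r'\S\s{2,}\S', name):
        findings.append('run of spaces in the name pushes the real extension out of view')
    if real_ext in NEVER_SHOW_EXT:
        findings.append(f'{real_ext} is hidden by Explorer even with extensions shown')
    return findings


def is_disguised(name: str) -> bool:
    """True when analyze_filename() found at least one reason for suspicion."""
    return bool(analyze_filename(name))


if __name__ == '__main__':
    # Constructed attachment names modelled on the tricks described in the thread.
    samples = ['report.pdf', 'setup.exe', 'photo.jpg.exe', 'readme.txt.lnk',
               'Hello.doc' + ' ' * 40 + 'evilcode.exe']
    for sample in samples:
        print(repr(sample), '->', analyze_filename(sample) or 'nothing noticed')
```

Note that `setup.exe` is not reported: an honest executable is not a disguise, and the point of the check is the mismatch between what the name suggests and what Windows would actually run. The padded `Hello.doc ... evilcode.exe` name trips two checks at once, the double extension and the run of spaces.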

oskilian
11-24-2001, 10:10 PM
>do me a favor osk... run

netstat -a <

what am I looking for? I have some TCP connections listening, I have 10 connections in ati.com, I have the messenger connection, two at hotmail, two at cprog, some UDP's, all idle and another TCP which runs some software I made.

Oskilian

Betazep
11-24-2001, 10:11 PM
Hey... that is a good one too.

oskilian
11-24-2001, 10:14 PM
Originally posted by Betazep
Oh man... that really sucks! Did you try to restore the MBR with fdisk?

yeah, but no good, I finished recovering the data with a unix computer and saved all I needed. Then I reinstalled Windows. No big harm done. As for my brother's work, I saved it and he was able to turn it in one day later

Oskilian

Betazep
11-24-2001, 10:15 PM
You have 10 ESTABLISHED connections to ati.com? That is interesting.

Watch those listening ports. If any of them say ESTABLISHED over the next week when you shouldn't be connected to anything... there you go...

I think that knowing your connections is part of the 'being careful' that you talk of.

I run netstat from time to time just to see what is up.

Betazep
11-24-2001, 10:17 PM
if you do

netstat -a 3

it will keep running over and over with a three second delay in between loops (until you hit CTRL C).

I have mine looping right now. I am on a cable modem. I have no listening ports and two connections to cprogramming.com.
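Betazep's routine above, checking `netstat -a` for listeners and ESTABLISHED connections you cannot account for and leaving it looping with `netstat -a 3`, as an added example that is not from the thread: the script parses two constructed snapshots in the column layout Windows `netstat -a` prints, reports listeners and connections outside an expected set, and diffs the snapshots the way a polling loop lets you do by eye. The snapshot text, the addresses in it (documentation ranges), and the expected-port sets are constructed assumptions; on a real machine the expected sets are whatever that host is meant to do.

```python
"""Review netstat -a output for unexpected listeners and connections (added example; output is constructed)."""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed snapshots in the layout Windows `netstat -a` prints. The 12345 listener and
# the connection to port 6667 are the planted oddities a reviewer should notice.
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

LATER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1047      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.23:6667     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    remote: str
    state: str  # empty for UDP, which has no state column


LINE_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$')

# Assumptions for this constructed host: the file-sharing ports are meant to be open,
# and plain web browsing is the only expected outbound traffic.
EXPECTED_LISTENERS = {135, 139, 445}
ALLOWED_REMOTE_PORTS = {80, 443}


def parse_netstat(text: str) -> List[Socket]:
    """Turn the table rows of netstat -a into Socket records; headers and blank lines are ignored."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            proto, local, remote, state = match.groups()
            sockets.append(Socket(proto, local, remote, state or ''))
    return sockets


def port_of(address: str) -> int:
    """Port from 'host:port' ('0.0.0.0:135', '[::]:445'); -1 when there is none ('*:*')."""
    port = address.rpartition(':')[2]
    return int(port) if port.isdigit() else -1


def review(sockets: List[Socket]) -> List[str]:
    """The 'watch those listening ports' check from the thread, made mechanical."""
    findings: List[str] = []
    for s in sockets:
        if s.proto != 'TCP':
            continue
        if s.state == 'LISTENING' and port_of(s.local) not in EXPECTED_LISTENERS:
            findings.append(f'unexpected listener on local port {port_of(s.local)}')
        elif s.state == 'ESTABLISHED' and port_of(s.remote) not in ALLOWED_REMOTE_PORTS:
            findings.append(f'unexpected established connection to {s.remote}')
    return findings


def new_since(before: str, after: str) -> Set[Socket]:
    """What a `netstat -a 3` loop would show appearing between two polls."""
    return set(parse_netstat(after)) - set(parse_netstat(before))


if __name__ == '__main__':
    for finding in review(parse_netstat(LATER)):
        print(finding)
    for sock in sorted(new_since(BASELINE, LATER), key=lambda s: (s.proto, s.local)):
        print('new:', sock.proto, sock.local, sock.remote, sock.state)
```

The two web connections to the same host are left alone, since port 80 is allowed; the listener on 12345 and the connection to port 6667 are reported. The snapshot diff is the part that scales: run it over consecutive polls and only the sockets that changed need a look, which is the same thing Betazep does by watching the loop, without the boredom oskilian mentions.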

oskilian
11-24-2001, 10:19 PM
10 connections to ati.com, I'm downloading my drivers with Mass Downloader (Very good software)

as for netstat, I run it every once in a while, but I didn't know you could do netstat -a, I always get bored before it ends!

is there a more graphical version of netstat?

thanks for the advice

Oskilian

/dev/null
11-24-2001, 10:26 PM
you could try a port monitor...

Betazep
11-24-2001, 10:26 PM
If you are familiar with lsof for nix, you might like this for windows... it is similar

http://www.ntsecurity.nu/toolbox/inzider/

You can find out what applications are holding your ports open in the listening state...

nvoigt
11-25-2001, 03:21 AM
Just one thought for all those who rightly claim that firewalls are not good enough to protect from hackers:

I don't have anything on my PC you can't get by hacking my neighbour or connecting to me with a filesharing tool. There is no reason to hack me instead of the next guy. Know the story of the dragon and the halfling? You and a halfling are out to kill a dragon. He's a lot bigger and meaner than you thought. You run. Remember: You don't have to outrun the dragon. You just need to outrun the halfling. ;)

Betazep
11-25-2001, 03:50 AM
>>>Remember: You don't have to outrun the dragon. You just need to outrun the halfling.

Exactly...

I am in the business of security. I design and implement physical electronic security systems for some pretty hefty organizations (government agencies, et al). The one thing that I have learned through the years is that the criminals don't go for the hardest target. They go for the weakest link.

Two convenience stores sitting on the same street. One is decked out with high grade Video Motion Detection Systems, balanced magnetic sensors, remote recording, and an armed security guard. The other has nothing. Who gets robbed?

Security in the computer industry is the same... I know you guys have different opinions about that. I have heard the whole, "if you are a harder target, hackers will see you as a challenge." Well that theory is contrary to what I learned in my Unix classes, in my comp security classes, etc etc, which I now have a degree in.

Good system Admins try to secure their boxes to the fullest extent and hope that they will be passed over by the uber hacker for easier meat. That is a general consensus.

My unix teacher was and still is the Chief Computer Security Specialist for government agencies in the Pacific. Not once did he tell me that having some measure of security for my computer is a bad thing. On the contrary, he said to do all I can to the best of my ability to protect my computer.

Then again, my home computer isn't at fort knox.... so I really don't care that much at home, but just the same bouncing can cost a lot... especially, for example, with the SYN DOS proggy that attacked all those websites a while back.

My advice... take it or leave it... is to protect yourself where you can. Hopefully, you will do it all in vain and nobody will ever attack you. Just think of the things you might learn from the experience tho...