RE: IDS: Computer Security - Long message
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
Hi,
ConSeal Firewall 1.35 for Windows 9x, imho, it's the best option for a firewall. You can use it with NukeNabber (www.dynamsol.com/puppet) and @Guard (www.atguard.com) for best protection (not just IP filtering). On NT ConSeal works fine too.
The 30-day trial version (1.04 and not 1.35) you can get on www.signal9.com can disappoint you, because it can be crashed/killed by some script kiddie using known exploits. Test it, and then buy it, because 1.04 has many known ways to crash (and no, there is no crack for the 1.35 version, as far as I know; if I'm wrong please let me know).
The "pop-up message advising" is when the firewall is in "learning mode" ... it's one of the things you must disable if you don't want to be flooded off the net ... turn on "warn safe" too, and for the logs just log every 2 secs (otherwise, for example, a smurf can easily crash you on a slow connection).
About trojan ports like 12345 and 31337, it's better to monitor and protect them in NukeNabber too, like some other ports.
I'm a Signal9 helper (but I'm not from Signal9) on Undernet at #firewall, where you can get help (see also http://www.betatesters.com/firewall/) and where James Grant or Sam Curry from Signal9 Support sometimes are.
It's my pleasure if I can help with logs or firewall configuration. At the Betatesters page about ConSeal you can get a ruleset to easily configure the firewall. You just have to change some rules with the primary and secondary DNS of your ISP(s).
Feel free to mail me about this at this address (fmartins@pt.imshealth.com) or at my home address (bacano@esoterica.pt).
Just a little example ... I already sent logs for analysis to Signal 9, 13 MB long for just 1 single attack ... and I didn't crash, just got a little slow ;-)
On the other hand ... a bad configuration just takes 2/3 "log lines" to put you down ...
Good luck
Kind Regards,
Fernando Martins
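Added example, not code from the thread or from Signal9: the kind of check Fernando's advice to monitor the trojan ports, and Philip's reading of the 12345 and 31337/31338 log entries further down, both point to. The log layout, addresses and the flood threshold are constructed for the example; it is not ConSeal's real log format.

```python
import re
from collections import Counter

# Ports named in the thread: 12345 (Netbus), 31337/31338 (Back Orifice).
TROJAN_PORTS = {12345: "Netbus", 31337: "Back Orifice", 31338: "Back Orifice"}

# Constructed sample log lines (layout invented here, not ConSeal's real format).
SAMPLE_LOG = """\
1999-05-09 22:01:03 IN TCP 203.0.113.7:4021 -> 192.0.2.10:12345 SYN
1999-05-09 22:01:04 IN UDP 198.51.100.9:1034 -> 192.0.2.10:31337
1999-05-09 22:01:05 IN TCP 203.0.113.7:4022 -> 192.0.2.10:12345 SYN
1999-05-09 22:01:05 IN TCP 203.0.113.7:4023 -> 192.0.2.10:12345 SYN
1999-05-09 22:01:06 IN UDP 198.51.100.9:1035 -> 192.0.2.10:31338
1999-05-09 22:01:07 OUT UDP 192.0.2.10:1101 -> 192.0.2.53:53
1999-05-09 22:01:09 IN TCP 203.0.113.7:4024 -> 192.0.2.10:12345 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return one log line as a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def analyze(log_text, flood_threshold=3):
    """Flag inbound hits on the trojan ports and sources flooding the log.
    flood_threshold is an assumed cut-off, not a ConSeal setting."""
    hits, per_source = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "IN":
            continue  # skip unparsable lines and our own outbound traffic
        per_source[rec["src"]] += 1
        name = TROJAN_PORTS.get(rec["dport"])
        if name:
            hits.append((rec["ts"], name, rec["src"], rec["dport"]))
    return {
        "hits": hits,
        "by_trojan": Counter(name for _, name, _, _ in hits),
        "flood_sources": sorted(s for s, n in per_source.items() if n >= flood_threshold),
    }
```

On the sample above it reports four Netbus probes and two Back Orifice probes, and names 203.0.113.7 as the source sending enough to count as a flood.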
> -----Original Message-----
> From: Guy Bruneau [SMTP:bruneau@ottawa.com]
> Sent: Sunday, 9 May 1999 22:55
> To: Luiz da Camara Leme
> Cc: ids@uow.edu.au
> Subject: Re: IDS: Computer Security - Long message
>
>
> The ConSeal firewall will let you know if there is any unusual activity coming in
> or going out of your workstation with a pop-up message asking you if you want to
> allow traffic on a port such as 12345 or 31337 or any other ports.
>
> As Philip suggested, a laptop is the only way to definitely ensure the integrity
> of your data.
>
> Guy
>
>
> "Philip S Holt, Security Engineer / Network Engineer" wrote:
>
> >
> > Luiz da Camara Leme wrote:
> >
> > >
> > > Hello Everyone,
> >
> > Good morning.
> >
> > > Sorry to disturb you with somewhat off topic subject,
> >
> > None of this is 'off' the subject - this is definitely germane and bad news.
> > You have an intrusion and an obvious penetration. You came to the right place.
> >
> > > but I just run out of ideas to cope with a very bad situation, and need
> > > someone with a suggestion
> > > to keep on going with this misery.
> >
> > Well - it's up to each and every one of us to help, where we can, when we can.
> > It's part of the 'job description'.
> >
> > > I must tell you that I am responsible for supervising the Company's hardware
> > > and software but I am not a system administrator,
> >
> > "Lucky you."
> >
> > > and I lack a lot of knowledge I which I did have.
> >
> > This list is full of qualified and willing professionals to help where
> > appropriate.
> >
> > > I am losing somewhere between 30 or 50 percent of my time with these problems.
> >
> > Understood.
> >
> > > I will try to be as short as possible, making short a very long story, only
> > > with a few major facts, enough only to put some questions in the end.
> >
> > Cool.
> >
> > > For a few years I have been battling a war against someone in the Company I work
> > > for, who has access to my computer (and I can't do anything about it), and
> > > this fellow, with the help of *technicians* of some sort (outsiders), started
> > > stealing whatever I had in my computer.
> >
> > I'll pass here.
> >
> > > This was probably going on for years without my having noticed it. The people
> > > who were doing this started being careless,
> >
> > Yes, through time and arrogance - once in a while we get a lead of this type.
> >
> > > and revealed they knew things they were not supposed to; they were
> > > anticipating whatever I was doing, up to the point that I started to imagine
> > > someone was reading my
> > > thinking !!!
> >
> > System logs, application logs, process logs, traffic analysis.
> >
> > > ZIP drives carried in my pocket all the time were the first solution, with
> > > some strong encryption. On 6 and 7 January 1998 they were stolen, but with a
> > > lot of the files that
> > > could not be opened outside my own computer. This was a very bad thing but
> > > revealed, for sure, WHO was doing this, a person I imagined above all
> > > suspicion (it's always the same, isn't it ?). So a break-in at the Company
> > > followed one day that I was careless enough to leave the Company with my
> > > computer ON (I know I should know
> > > better !) and they opened some of the files, but the most sensitive ones
> > > had double encryption with different programs, and they lacked the second and
> > > third keys.
> >
> > I'll pass.
> >
> > > Some months before, I connected my computer to the NET, something I can't give
> > > up, and one good day I started noticing that the computer was tremendously
> > > slow.
> >
> > Yes, from below. If successfully downloaded and installed, both Back Orifice
> > & Netbus turn your machine (client) into a server machine. Your notes and
> > thoughts following support this option. So do your ports (port 31337 = ~80% of
> > the time for BO, & port 53 also fits in with that 80%). As reported by Robert
> > Graham - 15% of the time (intrusions logged, that is) BO goes to other ports.
> >
> > > Suggestions and software from the Net and I realized that a virus of some
> > > kind was introduced in my HD's and everything I was writing was being sent
> > > over the net. First copies of my files were being made and then sent over
> > > the lines...
> >
> > Part of the notorious functionality of BO is its ability to really nuke your
> > machine and take over everything: run & kill processes, change registry settings
> > and whatnot, stop and start services - essentially a nightmare come alive. The
> > later part of your report / commentary shows some of this type of behaviour to
> > be true.
> >
> > > Again people showed that they even knew when I was supposed to go to the post
> > > office ! This kind of virus (I think a kind of Trojan),
> >
> > Very good. Both BO and Netbus are trojans. BO can come in as a remote
> > administration tool (Win '95, '98), a game, or an attachment. I am not as
> > experienced with Netbus, though it affects both '95 & '98 as well as NT. It does
> > all the great stuff that BO does - plus it can even allow the client (can be
> > anywhere on the Net - and your commentary below concerning the firewall gives
> > off some pointers that things are definitely not kosher) machine the ability to
> > open and close your CD-ROM. "Lucky you!"
> >
> > > resist detection with all software I could throw at it (I am a registered
> > > user of all Symantec
> > > software) and also resisted formatting. I had to have a technician to format
> > > the MBR but I am not sure I got rid of the *animal*
> >
> > Though some vendors report (and I am not sure whether CERT has updated their
> > testing of this entity) their AV packages will catch this as a 'virus' - I am
> > not sure if this is the case or not. Further investigate with a machine away
> > from the business that is separate from all the problem individuals and those
> > that seem to be on a different frequency than yourself. CERT vulnerability note:
> > http://www.cert.org/vul_notes/VN-98.07.backorifice.html
> >
> > > This *animal* made copies of all files I was making or manipulating in
> > > virtual folders.
> >
> > Well - think of this attack. It's running services, it's copying files, it's
> > copying directory trees and everything else.
> >
> > > In a 100 MB Zip drive I was able to detect 32 MB of my own
> > > files. They were made apparent by defragmenting all disks and then deleting
> > > everything they had (apparently) just to find out what was left. The bigger
> > > the use, the bigger the virtual folder.
> >
> > I'll pass.
> >
> > > So the hard drives were put in drawers and I started carrying them all the
> > > time. Well, they just contaminated some diskettes I also used and I got to
> > > start all over again.
> >
> > I'll pass.
> >
> > > When I circumvented this, they somehow started tampering with the BIOS, and it now
> > > prevents defragmentation of HDs and Zip disks with whatever program I try
> > > to do this with: Windows, Norton Utilities etc. They *defragment* the hard drives,
> > > say everything is ok, and the HD wasn't defragmented even 1 per cent. I redo
> > > everything and it's the same.
> >
> > Pass.
> >
> > > ALL Company computers are in this situation.
> >
> > BO & Netbus. Once exploited, and we'll assume there are significant trust
> > relationships within your LAN architecture = ing problems ...
> >
> > > I reported the incidents in writing, but, because this can be undone by the
> > > person who did it,
> >
> > Hard copies for everything. Get an 'outside' source for witnessing of your
> > hard copy procedures and possibly think of having these documents notarized and/or
> > the equivalent procedures implemented. Whatever is available in your country
> > I'm not sure ... I'm sure there's something equivalent to a notary public
> > ...
> >
> > > I am even afraid of being called a liar if one good day a test is done and
> > > everything appears ok ! (We all know what they will do next !)
> >
> > See above, and I'll pass.
> >
> > > TODAY, Saturday, I was at the company and had to go out for lunch for just
> > > less than an hour, but carrying my HDs with me. Big mistake. Just 10
> > > minutes after I left the *animal* owner came in. I restarted my computer and,
> > > looking at and hearing some anomalies at the start, I immediately sensed
> > > danger. I was right, the Firewall does not work properly anymore. All ports
> > > but one at a time are not monitored, and only
> > > the outbound ports. No inbound ports are controlled.
> >
> > Pass.
> >
> > > Here I go again...
> > >
> > > The logs are full of 12345,
> >
> > SYN packets for connection requests for Netbus (Most of the time coming from
> > either the US and or Canada)
> >
> > > 31337/31338,
> >
> > Back Orifice UDP packets (Majority of the time coming from Europe and
> > periphery countries)
> >
> > > and dozens of others whose meaning I do not know
> >
> > Both can be configured to listen and run on other ports ...
> >
> > > and the Firewall states as Unknown, ports 53,
> >
> > Quite possibly BO - as reported and researched by Robert Graham.
> >
> > > 54 you name it. The logs have more warnings than traffic !
> >
> > Pass.
> >
> > > Most of these files are already lost with the first formatting but a few days
> > > of *work* and I have hundreds of pages of *warnings* again.
> >
> > Pass.
> >
> > > I ordered some 32 pin ZIF Sockets for Flash EPROM's, and I will buy some new
> > > BIOS and will carry them with me also.
> >
> > Pass.
> >
> > > The HD is almost constantly *working* for no reason at all.
> >
> > Well - outside (everything other than the particular machine at this point)
> > your LAN and all compromised machines, the client (malcontents') machine has
> > free and total (potentially) rein over your machines ...
> >
> > > The loss of ours and of personal files, over 2.8 GB of it, is preventing me
> > > from doing my job as I should, and I am being attacked for this reason (by the
> > > *animal* owner, who else ?)
> >
> > Pass.
> >
> > > I simply run out of ideas, so I have some questions.
> > >
> > > 1. Is it possible to buy a non-flashable BIOS that would be tamper proof ?
> > > 2. Is there a way of preventing the use of the BIOS reserved memory for
> > > other purpose ?
> > > 3. Does anyone know any program that I could use to see whatever is inside
> > > of the BIOS ? I heard about one *Get BIOS* but its a very old DOS program.
> > > Anything else. (This would be really nice).
> > > 4. Apart from the BIOS and the BIOS reserved memory at the EPROM inside of a
> > > normal computer is there any other possibility of interfering with its work
> > > ?
> > > 5. I was told that the keyboard could also be tampered for password
> > > stealing. Is this correct ?
> >
> > Pass on all.
> >
> > > Please also note that I was somehow intentionally vague because I don't want
> > > to help these people, just in case my mail goes to more places than I
> > > intend it to (it's not impossible to do with this kind of *animal*).
> >
> > You've given enough - the important thing is, you initiated this thread.
> >
> > > Hope there is someone who could give some idea on how to cope with these
> > > fellows!
> >
> > CERT - get to their site, mentioned above, and go through the paces in the order
> > they outline. That's a good start. AusCERT - get to their site.
> > You will need to document.
> > You will need to take copious notes.
> > You will need as much as possible to CYA.
> > You have a lot of work to do ... Not envious in the least ...
> > Philip.
> >