Just spent the last 30 mins racing some cracker script loser


Vympel
Spetsnaz
Posts: 29308
Joined: 2002-07-19 01:08am
Location: Sydney Australia


Post by Vympel »

Some cunt was executing Remote Procedure Call hacks on my computer, telling my computer to shut itself down - through some incredibly quick Google work I downloaded the security exploit fix from Microsoft I should've gotten a month ago, though it took several times to beat the cracker, if that's even how the damn thing works *shrug*. Tho I swear if I see another one of those messages I'll freak!
Like Legend of Galactic Heroes? Please contribute to http://gineipaedia.com/
Vympel
Spetsnaz
Posts: 29308
Joined: 2002-07-19 01:08am
Location: Sydney Australia

Post by Vympel »

It's time I got a firewall. My computer is wide open, and with cable, that's just not smart. I'm ignorant, where do I start?
Like Legend of Galactic Heroes? Please contribute to http://gineipaedia.com/
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Windows 2000 and Windows XP have built-in firewalls. The 2000 one is basic IPSEC and requires some knowledge to use. The XP one includes a 'frontend' to the 2K firewall interface which is a bit easier to use.

To protect against outgoing connections (trojans, spyware) or if you aren't using 2K or XP, try Kerio Personal Firewall.
Vendetta
Emperor's Hand
Posts: 10895
Joined: 2002-07-07 04:57pm
Location: Sheffield, UK

Post by Vendetta »

www.zonelabs.com

Good place to start without paying any money.

BlackIce Defender is also apparently good stuff, but I've not used it personally
Vendetta
Emperor's Hand
Posts: 10895
Joined: 2002-07-07 04:57pm
Location: Sheffield, UK

Post by Vendetta »

Oh yeah, and do remember that Microsoft security patches are no good to you sitting on a server somewhere.

If you have cable it should be the work of seconds to check Windows Update every week or so.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

I don't particularly like ZoneAlarm, not being a fan of 'dumbed-down' interfaces. Kerio is much more powerful.

I've not had experience with BlackICE since it was an IDS-only product.
MKSheppard
Ruthless Genocidal Warmonger
Posts: 29842
Joined: 2002-07-06 06:34pm

Post by MKSheppard »

Christ, what a fucking cunt....why do people do that?
"If scientists and inventors who develop disease cures and useful technologies don't get lifetime royalties, I'd like to know what fucking rationale you have for some guy getting lifetime royalties for writing an episode of Full House." - Mike Wong

"The present air situation in the Pacific is entirely the result of fighting a fifth rate air power." - U.S. Navy Memo - 24 July 1944
Vendetta
Emperor's Hand
Posts: 10895
Joined: 2002-07-07 04:57pm
Location: Sheffield, UK

Post by Vendetta »

MKSheppard wrote:Christ, what a fucking cunt....why do people do that?
Count five words in to your post.

They aren't getting any.
Lucius Licinius Lucullus
Redshirt
Posts: 43
Joined: 2003-08-10 02:49pm
Location: Bored in front of the computer

Post by Lucius Licinius Lucullus »

It seems like a lot of people are having this problem, I've read about this problem on two other boards.
"There is no such thing as excessive violence."
-Gil the treacherous

"I'm too busy worrying about what I've done to think about what I'm doing."
-Axly
lukexcom
Padawan Learner
Posts: 365
Joined: 2003-01-04 03:49am
Location: Ah, Northern Virginia. The lone island of stability in an ocean of recession.

Post by lukexcom »

I just had a series some 30 minutes ago on one of my comps on my network that wasn't properly configured for this sort of stuff. What those script-kiddie losers don't realize is in order to defeat their puny attacks that all you have to do is go to:

admin tools>>services

then select "remote procedure call", right click, select properties, go to the "recovery" tab, and select "restart service" or "do nothing" for all 3 failure recovery attempt options. Problem solved.

Although if I start getting hacked through other means, and if it'll piss me off, I'll start conducting some serious counter-offensive operations.

Hell, I'll probably start running an incoming access log through my router, just to see what loser is trying to screw around with my fortress.
-Luke
Rye
To Mega Therion
Posts: 12493
Joined: 2003-03-08 07:48am
Location: Uighur, please!

Post by Rye »

I just had this. What a fucking loser mother fucker cum guzzling dickless whore of an open wound of necrotic flesh slimebagging puswhelp.

FUCK :evil:

<updates>

Fucking 56 k, fuckin script kiddies. I think it has something to do with "msblast.exe" which I found ran when my computer loaded up, and when it ran again it caused the countdown. Do a search, just in case, and FUCK SCRIPT KIDDIES IN THEIR SLASHED BLEEDING HOLES.
EBC|Fucking Metal|Artist|Androgynous Sexfiend|Gozer Kvltist|
Listen to my music! http://www.soundclick.com/nihilanth
"America is, now, the most powerful and economically prosperous nation in the country." - Master of Ossus
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

*basks in the glory that is Linux*

Sorry :D

But yeah, a firewall definitely helps. When I use Windows, I still use the older version of Tiny Personal Firewall (it's now Kerio, right?)

The best kind of firewall, of course, is an external one, but those take work to set up.
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
Pu-239
Sith Marauder
Posts: 4727
Joined: 2002-10-21 08:44am
Location: Fake Virginia

Post by Pu-239 »

I got shitloads of scans when I had SNORT running on my Linux computer. Got rid of it after getting tired of reading logs. My computer needs a firewall since I'm running lots of daemons (masqmail, xinetd(for running swat(web based samba configuration)), samba, and cups).

EDIT: Using iptables, and SNORT is an IDS. Sorry for confusion

Windows computer does not have firewall. It's not mine, why should I care? :P crap, remembers it has access to my shared partition through samba... runs off to get firewall
Last edited by Pu-239 on 2003-08-11 04:13pm, edited 2 times in total.

ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer


George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

Pu-239 wrote:I got shitloads of scans when I had SNORT running on my computer. Got rid of it after getting tired of reading logs. My computer needs a firewall since I'm running lots of daemons (masqmail, xinetd(for running swat(web based samba configuration)), samba, and cups).
Have you tried using iptables?
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
Pu-239
Sith Marauder
Posts: 4727
Joined: 2002-10-21 08:44am
Location: Fake Virginia

Post by Pu-239 »

Oh yeah, forgot to mention that I'm using iptables. Spent hours fixing it yesterday since I typed in 192.162.0.2 instead of 192.168.0.2. Here's my iptables script. Had to rewrite much of it since I'm using win98 ICS for NAT instead of iptables, since my sister refuses to be dependent on my dialing out.


#!/bin/bash

# Sets up default route for using ICS from win98 box
route add default gw up metric 3 &>/dev/null


# Very loosely based on stuff from the iptables tutorial and the IP-Masq HOWTO
# More complexity is better ;)


# Designed for only 2 computers on LAN
# 
# 192.168.0.1 		 	- this computer, hostname is 'down'
# 192.168.0.2 		   	- computer upstairs, hostname is 'up'
# 66.44.0.0/16	   		- IP addresses assigned anywhere between this range for dialup connection
# 00:40:05:81:77:97 		- MAC address for 'up'. Can they be spoofed?
# 00:00:00:00:00:00		- loopback mac address, is there such thing? Seems to match local computer when 
#				  testing loopback interface. Someone explain this to me. 


# Is it a bad idea to put any of this information on a public forum??




# Initial setup
#---------------------------------------------------------------------

# Sets path
#---------------------------------
PATH="/sbin"
export PATH
#---------------------------------

# Loads modules
#---------------------------------
modprobe ip_conntrack_ftp
#modprobe ip_nat_ftp
modprobe ip_conntrack_irc
#modprobe ip_nat_irc
# rest autoloaded
#---------------------------------

# Resets firewall rules 
#---------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F 
iptables -X	
#---------------------------------

#---------------------------------------------------------------------

# Creates chain for dropping and logging packets
#---------------------------------------------------------------------
iptables -N DROPLOG
iptables -A DROPLOG -j ULOG 
iptables -A DROPLOG -j DROP
#---------------------------------------------------------------------

# Creates chain for rejecting and logging packets
#---------------------------------------------------------------------
iptables -N REJECTLOG
iptables -A REJECTLOG -j ULOG 
iptables -A REJECTLOG -j REJECT
#---------------------------------------------------------------------

# Chain for incoming TCP packets
iptables -N TCPFILTIN
# Drops and logs SYN/ACK packets that do not belong to a tracked connection
iptables -A TCPFILTIN -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROPLOG
iptables -A TCPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accepts any TCP packet with source port 6346, regardless of destination port
iptables -A TCPFILTIN -p tcp --sport 6346 -j ACCEPT
iptables -A TCPFILTIN -i eth0 -s 192.168.0.2 -m mac --mac-source 00:40:05:81:77:97 -j ACCEPT
iptables -A TCPFILTIN -i lo  -j ACCEPT
iptables -A TCPFILTIN -j DROPLOG

# Chain for incoming UDP packets
iptables -N UDPFILTIN
# Allows access to my computers services from upstairs
iptables -A UDPFILTIN -i eth0 -s 192.168.0.2 -m mac --mac-source 00:40:05:81:77:97 -j ACCEPT
# Allows access to my ISP's DNS servers
iptables -A UDPFILTIN -m state --state ESTABLISHED,RELATED -p UDP -s 207.172.3.0/24 -j ACCEPT
iptables -A UDPFILTIN -j DROPLOG

# Chain for incoming ICMP packets
iptables -N ICMPFILTIN
#iptables -A ICMPFILTIN -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ICMPFILTIN -i eth0 -s 192.168.0.2 -m mac --mac-source 00:40:05:81:77:97 -j ACCEPT
iptables -A ICMPFILTIN -j DROPLOG

# Sends incoming packets to the chain for their protocol
iptables -A INPUT -p tcp -j TCPFILTIN
iptables -A INPUT -p udp -j UDPFILTIN
iptables -A INPUT -p icmp -j ICMPFILTIN

# Allow all outgoing traffic
iptables -A OUTPUT -j ACCEPT

# Sets up NAT
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Last edited by Pu-239 on 2003-08-11 04:24pm, edited 2 times in total.

ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer


George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
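An added example, not part of Pu-239's post: a small shell audit that reads the TCPFILTIN rules from the script above and flags ACCEPT rules restricted only by a field the remote host sets, such as the `--sport 6346` rule. The helper names `has_opt` and `audit_rules` are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: static audit of iptables commands for ACCEPT rules that key
# on fields the sender controls. has_opt and audit_rules are hypothetical helpers.

# TCPFILTIN rules copied from the script in the post above.
SAMPLE_RULES='iptables -A TCPFILTIN -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROPLOG
iptables -A TCPFILTIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A TCPFILTIN -p tcp --sport 6346 -j ACCEPT
iptables -A TCPFILTIN -i eth0 -s 192.168.0.2 -m mac --mac-source 00:40:05:81:77:97 -j ACCEPT
iptables -A TCPFILTIN -i lo  -j ACCEPT
iptables -A TCPFILTIN -j DROPLOG'

# has_opt RULE OPT...: true if RULE contains any OPT as a separate word.
has_opt() {
    rule=" $1 "; shift
    for opt in "$@"; do
        case "$rule" in *" $opt "*) return 0 ;; esac
    done
    return 1
}

# audit_rules: reads iptables commands on stdin, prints one finding per line.
audit_rules() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in *"-j ACCEPT"*) ;; *) continue ;; esac
        # Source port is chosen by the remote host; with no other restriction
        # the rule admits that host to every local port.
        if has_opt "$line" --sport --source-port &&
           ! has_opt "$line" --dport --destination-port -s --source \
                             -i --in-interface --state; then
            echo "WARN line $n: ACCEPT restricted only by source port: $line"
        fi
        # A MAC match is only meaningful for hosts on the same link.
        if has_opt "$line" --mac-source; then
            echo "INFO line $n: ACCEPT relies on --mac-source: $line"
        fi
    done
}

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

Replies to outbound connections are already admitted by the ESTABLISHED,RELATED rule, so a rule meant for inbound connections to a local listener would match on `--dport` instead.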
Thunderfire
Jedi Master
Posts: 1063
Joined: 2002-08-13 04:52am

Post by Thunderfire »

This happened to me too and Zonealarm doesn't protect against this shit...
Dalton
For Those About to Rock We Salute You
Posts: 22634
Joined: 2002-07-03 06:16pm
Location: New York, the Fuck You State

Post by Dalton »

Thunderfire wrote:This happened to me too and Zonealarm doesn't protect against this shit...
Nope, because it pushes it through to a Windows protocol that probably already has free access through the firewall (like the Messenger spam).
To Absent Friends
Dalton | Admin Smash | Knight of the Order of SDN

"y = mx + bro" - Surlethe
"You try THAT shit again, kid, and I will mod you. I will
mod you so hard, you'll wish I were Dalton." - Lagmonster

May the way of the Hero lead to the Triforce.
Rye
To Mega Therion
Posts: 12493
Joined: 2003-03-08 07:48am
Location: Uighur, please!

Post by Rye »

Ok, after changing those settings I've run across some bizarre results. Namely, now links on websites don't work (sorta) and I can't connect/disconnect at will, it just sorta locks up, MSN chatrooms now don't have the main chat box and text box parts... or have I fucked something else up on the way to the services?

EDIT: oh yeah and the list of the forums at the bottom right now needs me to press "go" too.
EBC|Fucking Metal|Artist|Androgynous Sexfiend|Gozer Kvltist|
Listen to my music! http://www.soundclick.com/nihilanth
"America is, now, the most powerful and economically prosperous nation in the country." - Master of Ossus
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Thunderfire wrote:This happened to me too and Zonealarm doesn't protect against this shit...
You need to use a decent firewall, like the built-in IPSEC or Kerio to protect yourself, IIRC.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Rye wrote:Ok, after changing those settings I've run across some bizarre results. Namely, now links on websites don't work (sorta) and I can't connect/disconnect at will, it just sorta locks up, MSN chatrooms now don't have the main chat box and text box parts... or have I fucked something else up on the way to the services?
Don't screw with the RPC settings, bad things can happen. After you've implemented the patch switch back to the old RPC settings.
Last edited by phongn on 2003-08-11 05:54pm, edited 1 time in total.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Crayz9000 wrote:*basks in the glory that is Linux*

Sorry :D
:P A properly secured Windows box would not have had this problem, patch or no patch.
Crayz9000 wrote:But yeah, a firewall definitely helps. When I use Windows, I still use the older version of Tiny Personal Firewall (it's now Kerio, right?)
Yeah, the older version of TPF is now KPF.
Crayz9000 wrote:The best kind of firewall, of course, is an external one, but those take work to set up.
Some guy on a board I lurk on managed to score a nice Cisco PIX as his home NAT/PAT/firewall box :shock:
lukexcom
Padawan Learner
Posts: 365
Joined: 2003-01-04 03:49am
Location: Ah, Northern Virginia. The lone island of stability in an ocean of recession.

Post by lukexcom »

Everyone that had this program, go to:
start>>run
type: msconfig
go to the startup tab, and check if "msblast" is there. I just found it too, and it appears to be the root of the problem. I'm guessing that it opens a series of ports up for grabs for the script kiddies. Further analysis of the program will be made if I find the time.

Also, for you XP/2000 users, hit ctrl-alt-del, and under the task manager, processes tab, kick out msblast.exe and any other suspicious programs that you see running.
-Luke
Rye
To Mega Therion
Posts: 12493
Joined: 2003-03-08 07:48am
Location: Uighur, please!

Post by Rye »

lukexcom wrote:Everyone that had this program, go to:
start>>run
type: msconfig
go to the startup tab, and check if "msblast" is there. I just found it too, and it appears to be the root of the problem. I'm guessing that it opens a series of ports up for grabs for the script kiddies. Further analysis of the program will be made if I find the time.

Also, for you XP/2000 users, hit ctrl-alt-del, and under the task manager, processes tab, kick out msblast.exe and any other suspicious programs that you see running.
Where the fuck does it come from originally? It comes back if you delete it. It's located in windows/system32 iirc, and has an accompanying .pn file. There's also a weird file called "wowpost.exe" in system. It didn't say it was made by Microsoft so I deleted that too.
EBC|Fucking Metal|Artist|Androgynous Sexfiend|Gozer Kvltist|
Listen to my music! http://www.soundclick.com/nihilanth
"America is, now, the most powerful and economically prosperous nation in the country." - Master of Ossus
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Rye wrote:Where the fuck does it come from originally? It comes back if you delete it. It's located in windows/system32 iirc, and has an accompanying .pn file. There's also a weird file called "wowpost.exe" in system. It didn't say it was made by Microsoft so I deleted that too.
It's a worm that automatically replicates itself.

WOWPOST is an ASPI driver. If you experience things like CD burning or ripping applications failing, figure out a way to get it back in.
lukexcom
Padawan Learner
Posts: 365
Joined: 2003-01-04 03:49am
Location: Ah, Northern Virginia. The lone island of stability in an ocean of recession.

Post by lukexcom »

HERE is the SOURCE to ALL of our problems:
http://www.msnbc.com/news/951168.asp?0dm=B12PT
-Luke