alt.computer.security

#1 | 01-28-2007, 09:29 PM | warf
Win2k Netstat sockets interpretation

I have been trying to learn as much as I can about internet 'security'
to get a better feeling for what data is leaving my home,
cable-connected computer.
Win2K SP4, ZA Internet Security 7 (High security), cookies expired immediately,
remote access service disabled, file sharing deleted in 'network adapter
properties'. T-bird, Firefox 2.0

BUT, netstat /a indicates NetBIOS ports 137, 138, 139, 445 listening when I
allow ZA to let T-bird act as a server to connect to the
mail/news server.

I am confused by netstat's output and don't understand the loopback, the
0.0.0.0 ports, the 255.255.255 gateway significance. I see when I have
established TCP/IP connections to web pages' IP addresses, but the other
report outputs are confusing.

For eg: if I allow svchost to access 0.0.0.0 when Firefox 2.0 opens I
notice random ports assigned to URLs or IP addresses. Most are obvious,
but Akamaitech~ is frequently there and Firefox always has 4 connections
local and 4 remote open in addition to the URL I am browsing????

The output from Ethereal showed a big download in the background from
Google... hex and what looks like certificates or host file additions to
banks..... I have no option to control F.F. updates and would like to know
when/what is updated since permissions and options have a nasty habit of
being reset to 'lame' when updates happen silently [old M$ trick].

I have checked many netstat resources to no avail... help?
Warf, back in the saddle.... but I'm still slippin' off!

#2 | 01-30-2007, 09:15 PM | warf
Re: Win2k Netstat sockets interpretation

Sebastian Gottschalk wrote:
> warf wrote:
>
>> I have been trying to learn as much as I can about internet 'security'

snip diatribe and gratuitous snarling....

>> to get a better feeling for what data is leaving my home,
>
> Eh... is that any serious problem at all?

Yes, if you have, or ever did have, any media on your system, or if you
realize the RIAA and ilk will someday get the legal club to go after
'other' citizens for $750 USD/title, or even if you are just fed up with
surreptitious datamining for unstated purposes, or if subversion of your
connection for nefarious purposes is 'problematic': then, YES.

>> BUT, netstat /a indicates NetBIOS ports 137,138,139,445 listening
>
> See, you didn't learn anything. You didn't even disable the SMB binding and
> the NetBIOS bindings. And this even when some clever guys already collected
> an easily understandable overview on websites like
> <http://ntsvcfg.de/ntsvcfg_eng.html>.

I said I was "trying"... never claimed to 'know'. Better I should be like
the rest of the cattle and pretend it is not really going to affect me?
By making an effort to learn I take responsibility... you have been
helpful... even if grumpy.

>
>> when I allow ZA to allow T-bird to act as a server

snip.......
Restated: "When I run T-bird, ZA tells me T-bird wants to access the
internet and act as a server."
I have deleted "file and print sharing" under "internet connections" and
disabled most recognizable "remote access" services under 'services.msc',
but ZA detects a few remote access modules running and gives them
permission if I select "OK" to the suggested query.
AND
>> For eg; If I allow svchost to access 0.0.0.0 when firefox2.0 opens i
>> notice randomly ports assigned to urls or ip addresses.
>
>> and firefox always has 4 connections local and 4 remote open in addition
>> to the url i am browsing????
>
> *repeating the thousandth time*
> 'netstat' on Win2K provides a view on the state of the *TDI interface*, not
> the actual TCP/IP sockets. The TDI interface has different semantics, and
> something appearing as 0.0.0.0 listening means "an outstanding request to
> open a TCP/IP connection", thus no actual TCP/IP socket in LISTENING state.
> If you had just taken the simplest measures to actually verify such bogus
> open ports with a port scan, you'd have found them closed.

I am using Ethereal and there is traffic... I am 'learning' but it is a
very complex topic... for non-pros like me... but that is why I ask.

>> but Akamaitech~ is frequently there
>
> Wow... Windows Automatic Updates... the mysteries of technology aren't to
> be believed !!!11

No, WINUPDATE is manual... I reassembled the TCP/IP stream and saw in
one instance it was a ZA update. This concurs with the stated utility
of those servers. I read conflicting ideas as to the scope of the Akamai
servers and wondered why I would be 'uploading' to them as well... with
opt-out selected for all products' 'satisfaction' reports.

>> I have checked many netstat resources to no avail...help?
>
> MSDN... Ah, might just be better to get a replacement which works like the
> real netstat command, f.e. TcpView from Sysinternals^W Microsoft.

Now I have to spracken ze Deutsch. That is exactly what I needed but the
language for the links is all German!!! Damn.

Briefly: How does one interpret the 'listening', 'waiting',
'established' and all the other port information netstat lists? The only
one I get is one with a 'foreign' IP and 'established'... those are
actual internet connections, right?
Eastlink is very coy and stingy with 'what services and ports I require'
info... so I am trying to learn through you and internet resources.

Thanks for that helpful link... wish I spoke enough German to decipher it!
Warf.
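Warf's closing question, how to read LISTENING, ESTABLISHED and the 0.0.0.0 / 127.0.0.1 local addresses, is the kind of thing a small parser answers more reliably than eyeballing. The following is an added example written for this thread; it is not code from the thread, from netstat, TcpView or any other tool named here. It parses constructed, Windows 2000 style `netstat -an` output (made-up addresses), explains each row, and lists which NetBIOS/SMB ports are bound on a network-reachable address. Whether those rows reflect real sockets or, as Sebastian says, TDI state is not something a parser can decide; it only reads what netstat prints, so a second tool is still needed to confirm.

```python
"""Parse Windows-style `netstat -an` output and explain each row.

Added example for this thread; not code from the thread or from any tool
it mentions. SAMPLE_NETSTAT is constructed to resemble Windows 2000
netstat output, with made-up addresses.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket",
                    "proto local_ip local_port foreign_ip foreign_port state")

# Ports the thread keeps seeing: NetBIOS over TCP/IP and SMB.
NETBIOS_SMB_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB directly over TCP",
}

# Constructed sample, shaped like `netstat -an` on Windows 2000.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1045       64.233.167.99:80       ESTABLISHED
  TCP    192.168.0.5:1046       72.246.52.17:80        TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    192.168.0.5:137        *:*
  UDP    192.168.0.5:138        *:*
"""

# One netstat row: proto, local ip:port, foreign ip:port, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return a list of Socket records, skipping headers and blank lines."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, lip, lport, fip, fport, state = m.groups()
        sockets.append(Socket(proto, lip, int(lport), fip,
                              None if fport == "*" else int(fport),
                              state or ""))
    return sockets


def bind_scope(ip):
    """What a local address means for reachability from the network."""
    if ip == "0.0.0.0":
        return "all interfaces (reachable from the network unless filtered)"
    if ip.startswith("127."):
        return "loopback only (not reachable from the network)"
    return "the interface with address " + ip


def describe(sock):
    """Plain-language reading of one netstat row."""
    if sock.proto == "UDP":
        text = ("UDP socket bound on %s; UDP has no connection state, "
                "so the foreign side shows as *:*" % bind_scope(sock.local_ip))
    elif sock.state == "LISTENING":
        text = ("TCP port %d waiting for inbound connections on %s"
                % (sock.local_port, bind_scope(sock.local_ip)))
    elif sock.state == "ESTABLISHED":
        text = ("live TCP connection between local port %d and %s:%d"
                % (sock.local_port, sock.foreign_ip, sock.foreign_port))
    elif sock.state == "TIME_WAIT":
        text = ("connection to %s:%d already closed; the local port is held "
                "briefly so late packets are not misdelivered"
                % (sock.foreign_ip, sock.foreign_port))
    else:
        text = ("TCP handshake/teardown state %s with %s:%d"
                % (sock.state, sock.foreign_ip, sock.foreign_port))
    service = NETBIOS_SMB_PORTS.get(sock.local_port)
    if service:
        text += " [%s]" % service
    return text


def exposed_netbios(sockets):
    """(proto, port) pairs for NetBIOS/SMB sockets not confined to loopback."""
    return sorted((s.proto, s.local_port) for s in sockets
                  if s.local_port in NETBIOS_SMB_PORTS
                  and not s.local_ip.startswith("127."))


def established_peers(sockets):
    """Foreign addresses of live TCP connections: the actual internet peers."""
    return {s.foreign_ip for s in sockets if s.state == "ESTABLISHED"}


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in socks:
        print("%-3s %s:%-5d  %s" % (s.proto, s.local_ip, s.local_port, describe(s)))
    print("NetBIOS/SMB bound on network-reachable addresses:", exposed_netbios(socks))
    print("Established peers:", established_peers(socks))
```

Run it and the only "actual internet connection" in the sample is the ESTABLISHED row to 64.233.167.99:80; the 127.0.0.1 listener is unreachable from the wire, while the 0.0.0.0 and 192.168.0.5 NetBIOS/SMB rows are the ones worth chasing down (via service bindings or a filter), exactly the set the thread keeps circling back to.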

#3 | 02-04-2007, 03:32 AM | warf
Re: Win2k Netstat sockets interpretation

Sebastian Gottschalk wrote:
> warf wrote:
>
>> Sebastian Gottschalk wrote:
>>> warf wrote:
>>>
>>>> I have been trying to learn as much as I can about internet 'security'

snip....
> Ehm... now why don't you grab TcpView?

I have it, Sebastian; while useful it appears to yield a subsection of
what Spybot S&D's 'process tool' coughs up. And S&D lists modules and
processes, etc...

I am reading the Win2K manual and it explains the difference between
application 'ports', sockets [Winsock] and the various protocols layered
within. I am getting a 'better' picture of the hierarchy.
I am still confused by 'NetBEUI' [not NetBIOS, which I understand is simply
a file/print sharing protocol, yes?]. Even when I have 'SERVER', FILE &
PRINT SHARING, REMOTE ACCESS services disabled I still see NetBEUI ports
136,137,138,139,445 'listening' in TCPView and S&D Processes???
Then Ethereal shows NetBEUI "name lookup" traffic... is this the DHCP IP
renewal server contacting my cable ISP to register my IP?

I ask because in an effort to disable all 'Remote access' I inevitably
lose DNS lookup or something that can't be restored short of an OS
REPAIR install... and that gets tiring... "wipe and rebuild".

>> Eastlink is very coy and stingy with 'what services and ports I require'
>
> As a client you don't require any services at all.

As a cable modem customer placed directly on the Inet backbone, if I
block ALL servers via ZA I lose DNS lookup, auto-updates, and I can't
restore it easily...

Most of the W2K essential services [services.msc] are hard to ascertain
for HTTP internet browsing, POP/SMTP and newsgroups... for eg: REMOTE
ACCESS CONNECTION MGR.... seems to imply "I am a server" if allowed to
start automatically.... but DHCP fails because NetBEUI is inactivated if I
disable it in services.msc.

I'll get it someday.
I sure wish that link you sent me was in English as well as German... c'est
la guerre.
Warf.

#4 | 02-04-2007, 09:39 PM | warf
Re: Clarification-Win2k Netstat sockets interpretation

Sebastian Gottschalk wrote:
> warf wrote:
>
>> Even when I have 'SERVER', FILE
>> PRINT SHARING, REMOTE ACCESS services disabled I still see NetBEUI ports
>> 136,137,138,139,445 'listening in TCPVIEW and S&D Processes???
>
> Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?

I did... twice, even emailed the admin [very nice guy] who said they only
have Deutsch pages linked for the near future. It is exactly what I
need though.

>
>> I ask because in an effort to disable all 'Remote access' I inevitably
>> lose DNS Lookup or something that can't be restored short of an OS
>> REPAIR install...
>
> Then why don't you read before acting?

Vide supra...

>
>> and that gets tiring..."wipe and rebuild"
>
> Nonsense. It's trivial to backup and restore the service configuration.

Correct me if I am wrong [like I have to offer... grin]: new versions of
mal-executables are very stealthy 'and sticky' vis-a-vis code-melt, MBR
partition hiding, kernel-level misdirection of detection... ad naus.

FOR EG... while updating my firewall a newly discovered file-infecting
virus [with no known repair method to date] slid in with the update TCP
traffic and settled in the Winnt\internetlogs\ZA as J.S-LAME and was
flagged during the subsequent bit-level scan.
So... to what extent, if any, my files were compromised or if it had
even yet been executed is unknown. SO.... I take your oft 'suggested'
advice and WIPE then REBUILD.

Are you suggesting you were remiss for that advice?

I accepted your erstwhile advice re rebuilding and:
I acted atavistically and installed Win2000 on a spare laptop with no
useful data just so I could do a better job of noting changes AND
rebuild in far less time than with my XP machine.
Then I still have to install SP4, ZA, Ethereal, TCPView, Spybot, Adaware,
Dlink router setup, all the Ibuddie drivers for the NIC card, THEN... disable a
dozen services, remove FILE & PRINT SHARING, T-BIRD, FIREFOX and configure
the Dlink WLAN [kill it!], enable the Dlink WAN, clone the MAC address,
set the lame software defaults to block mobile code, not save any
.DAT, .HST... nor cookies, web-bugs and like ilk.... then fight for an hour
to find which services I accidentally disabled with names like "REMOTE
ACCESS... REMOTE DESKTOP... DNS... DHCP... TCP/NetBEUI..." and so on and on.

All because I lost my innocence reading how the boys at Phrack get their
jollies!

SO>>>>>>> maybe it's easy for you but for plebs like me playing with the
big leaguers in kids' gear [actually, ironically the inverse is more likely!]
it is hard not to add to the problem by naively being a server for
malcode and redirection and providing safe haven for code that should be
nuked.

>> but DHCP fails because NetBEUI is inactivated if I disable it in services.msc
>
> Very strange.

I thought so as well... and that is because I am not even sure of what I
don't know yet. [as I grin weakly and apologetically for inflicting my
carcass on you... sycophantically groveling for pearls of info.] Most
webpages on the subject say disable DNS lookup [or is it DNS server?] and
DHCP if acting as a client only. My
inability to connect

My ISP provides no filtering for us... straight to the pipe [backbone]
with our cable modems. A report on Eastlink.ca indicates a problem with
an "open DNS server" and they require DHCP for IP acquisition... which is
'maybe' why the actions of my services.msc changes are not immediate???

With Ethereal in 'promiscuous mode' it is incredible [to me] how much
broadcasting and ICMP traffic there is at any one moment.
Fr, Israel, Cn, Ru, USA... and how much is lost/misdirected and how much is
actively seeking vulnerable IP addresses is unknown to me, but this is a fact:
Twice, while connecting my computer to the internet via an ethernet cable
and W2K [no firewall] I had a bogus popup before I could even pop in the
ZA CD.... as though there is near constant broadcasting seeking open
unprotected servers to compromise.

Help?
Warf.

#5 | 02-05-2007, 03:35 AM | warf
Re: Clarification-Win2k Netstat sockets interpretation

Sebastian Gottschalk wrote:
> warf wrote:
>
>> Sebastian Gottschalk wrote:
>>> warf wrote:
>>>
>>>> Even when I have 'SERVER', FILE
>>>> PRINT SHARING, REMOTE ACCESS services disabled I still see NetBEUI ports
>>>> 136,137,138,139,445 'listening in TCPVIEW and S&D Processes???
>>> Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?
>> I did...twice, even emailed the admin [very nice guy] who said they only
>> have Deutsch pages linked for the near future. It is exactly what I
>> need though.
>
> The one specified page I linked is written in English, so is the script.
> Only the website linking the content of the script to the specific services
> sadly is only in German.
>
> Thus, what about now finally understanding that this script does exactly
> what you want?

Ungh, I took for granted that running someone else's code to accomplish a
task I 'could' do manually was sloppy and invited malware?
I think I also just read that security rule #1 was "If you are running
unknown code you have already lost control". I know very little of ANY of
the code on my machine so... I ask you, "is it safe?"
[Marathon Man, Dustin Hoffman]

>>>> and that gets tiring..."wipe and rebuild"
>>> Nonsense. It's trivial to backup and restore the service configuration.
>> Correct me if I am wrong [like I have to offer...grin]: new versions of
>> mal-executables are very stealthy 'and sticky' vis-a-vis code-melt, MBR
>> partition hiding, kernel level misdirection of detection...ad naus.
>
> I thought you just referred to yourself ****ing up the service configuration
> by experimenting.

Yes... that is why I seek your help... to allow me to access the internet
somewhat safely whilst edifying myself as to the vagaries of
I-protocol[s]... and M$ weaknesses.

>> and settled in the Winnt\internetlogs\ZA as J.S-LAME
>
> JS-Lame sounds like a JavaScript which does some non-malicious, but
> annoying (thus lame) action. I guess its description will point this out
> exactly.

Well I can't wait for the VBS-blowjob virus to go wild!

snip..
> SP4 should have already been integrated in your Windows 2000 CD. And still
> I sense at least 3 superfluous programs in that list.

No, it is an older OEM disk... It lacks USB 2.0, so I take my saved SP4
upgrade I got before M$ made us pull our pants down and take a shot of
code to make sure we own the OS install.
BTW... I drop the defenses reluctantly and incrementally to enable manual
update [upgrade] from M$ but still don't pass the 'wide open vulnerable
enough to allow your upgrade' test.

>
>> Dlink router setup,
>
> ***? Doesn't it have a web configuration interface?

Yes it does. If you understand MAC address and cloning same, protocols,
SSID, WLAN/WAN/LAN, ad infinitum... AND don't allow their farmed-out tech
support to mislead you about when the WAN is actually activated, it is
probably a snap to make it secure... AND functional. I now know
192.168.0.1 like I know my birthdate!

>
>> all the Ibuddie drivers for NICard
>
> ***? What a bunch of bloat is your NIC driver?

SIS drivers have a lot of applets.

>> THEN...disable a dozen services, remove FILE&PRINT SHARING,
>
> Yes, reasonable.

OK, I'm feelin' on track now!

>
>> set the lame software defaults to block mobile code,
>
> What software and which settings?

ZA and the Dlink setup utility require JScript enabled or they won't update
settings..... they just make you think they do.

>
>> not save any .DAT,HST
>
> What?

I'm just making a point; I dislike all the tracking of everything I
type, save, see, use, start, stop, plug in etc. So I disable password saving,
history, remember last file etc.

>> ...nor cookies web-bugs and like ilk....
>
> You're talking nonsense. Cookies aren't malicious. Web-bugs don't exist.

Web-bugs do... scroll your mouse over bug-encoded webpages and watch the
script call in the lower left... OR use a DOM editor. A single pixel is
enough... and it can be the same color as the background => invisible.
Scripted cookies are certainly capable of doing malicious things, as I
read, AND every problem [not of my own doing by
disabling useful services] has occurred while temporarily enabling Java
/JavaScript or 'mobile code' to accomplish a download or a device
configuration. I get security levels reset, host file manipulated etc...
I have been reading that the old cookie has been supplanted with a
myriad of ways to get info you or I would likely not volunteer if given
a choice before it happened.

I doubt you are didactically 'out of date' on mal-techniques, datamining
and exploits, so what are you getting at? Seriously, I know only
what I read from security-dedicated websites... and less from opinion
columns and NGs unless public scrutiny exposes a fake professor.

>> then fight for an hour to find which services I accidentally disabled
>
> See? That's why you should take a look at the ntsvcfg script.

Well then I ask you; is that not the same as installing utilities from
websites? [like going sans condom, eventually something comes.... alive!]

>> All because I lost my innocence reading how the boys at Phrack get their
>> jollies!
>
> Then why aren't you running a Unix flavour?

I bought a MANDRAKE kit and realized that it was only safer because I
'could' get to know the code intimately [unlike M$ code]. In
other words, it is only safer if I REALLY understand what I'm doing. I
plan to install it on a separate laptop specifically for learning, and
learning about the free V-OS I have as well.
Until then, I am still working on making Windows work for me. [country
song in the works]

>>>> but DHCP fails because NetBEUI is inactivated if I disable it in services.msc
>>> Very strange.
>> I thought so as well... and that is because I am not even sure of what I
>> don't know yet.
>
> Maybe you might use Regmon to track down this bug?

Does Regmon track registry changes? ZA alerts me to ALLOW/DISALLOW every
instance of a program, module or process before it makes a registry
change. There are still many changes that slip by unannounced though;
must be at the kernel level? [ring 1?] Even Spybot TeaTimer stops
responding to registry changes after a few days.

I have a beef with all commercial security software [to date]; in order
to allow people with even less knowledge than I to get running they
allow some questionable defaults on install. FOR EG; both McAfee and
Symantec allow everything already on your computer 'trusted' status... from
spyware, datamining phone-home-ware to malware. Worse, you can't
unselect many of them either.
At least ZA allows manual reconfiguration, but who would want to allow
WEBBUGS and a dozen or so click-tracking URLs to have 'trusted' status by
default... unless they paid for that privilege!? At least they can be
removed though in ZA.

>
>> With Ethereal in 'promiscuous mode' it is incredible [to me] how much
>> broadcasting and icmp traffic there is at any one moment.
>> Fr,Israel,Cn,Ru,USA...and how much is lost/misdirected and how much is
>> actively seeking vulnerable IP addresses is unknown to me but this is a fact:
>> Twice, while connecting my computer to the internet via an ethernet cable
>> and W2k [no firewall] I had a bogus popup before I could even pop in the
>> ZA CD....as though there is near constant broadcasting seeking open
>> unprotected servers to compromise.
>>
>> Help?
>
> Get the patches installed before you go online. Or at least get the
> vulnerable services deactivated. Or activate the TCP/IP filtering or RAS
> firewall.

I saw that applet. Would I enable filtering of TCP, UDP, IP and allow only
port 80 I/O, 110 In, 25 Out, 53 I/O [DNS lookup]?
There's an applet to ENABLE NETBIOS LOOKUP, DISABLE/BLOCK NETBIOS OVER TCP/IP.

This is exactly where I eventually disable something and can't recover.
All I want is HTTP browsing, email and newsreader... maybe file download.
Is that so hard to enable without losing DNS lookup, DHCP IP assignment
and connect ability?

I know your time is valuable.
Maybe I'll try the script for now... of course I have to pull down my
pants to download and then run it though.
Warf.
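Warf's question about the filtering applet ("allow only port 80 I/O, 110 In, 25 Out, 53 I/O") and his repeated loss of DNS and DHCP after blocking "all servers" are two sides of one point: nearly every inbound packet a client receives is a reply to something it sent, and those replies arrive on ephemeral local ports, not on 80 or 110. The following added example (written for this thread; it is not code from the thread, from ZoneAlarm, or from the Windows 2000 TCP/IP Filtering applet, whose exact behaviour is not modelled and is assumed here to be a plain inbound port list) simulates two filters over constructed packets: a stateless local-port list of the kind the post proposes, and a filter that remembers outbound flows. Addresses, port numbers and packets are all constructed.

```python
"""Simulate a client-only packet filter on a home machine.

Added example for this thread, not code from the thread or from any
product named in it. It shows why "block every inbound packet except a
fixed local-port list" breaks DNS and browsing for a client, while a
filter that remembers what the client sent out does not. The Windows 2000
TCP/IP Filtering applet is NOT modelled here; treating it as a plain
inbound port list is an assumption of this example. All addresses and
packets are constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")

MY_IP = "192.168.0.5"       # constructed client address
GATEWAY = "192.168.0.1"     # constructed router acting as DNS and DHCP server

# What a browsing + mail + news client initiates: HTTP, HTTPS, POP3, SMTP, NNTP, DNS.
CLIENT_OUT_TCP = {80, 443, 110, 25, 119}
CLIENT_OUT_UDP = {53}


class ClientFilter:
    def __init__(self, stateful, permit_inbound_ports=frozenset()):
        self.stateful = stateful
        # Stateless mode: an inbound packet is judged by its local port only.
        self.permit_inbound_ports = set(permit_inbound_ports)
        # Stateful mode: remember (proto, local_port, remote_ip, remote_port)
        # for every allowed outbound packet so its reply can be matched.
        self.flows = set()

    def _outbound_ok(self, p):
        if p.proto == "TCP":
            return p.dst_port in CLIENT_OUT_TCP
        if p.proto == "UDP":
            # DNS query, or DHCP discover/request (client port 68 to server 67).
            return p.dst_port in CLIENT_OUT_UDP or (p.src_port == 68 and p.dst_port == 67)
        return False

    def decide(self, p):
        """Return 'allow' or 'drop' for one packet, updating flow state."""
        if p.direction == "out":
            if not self._outbound_ok(p):
                return "drop"
            if self.stateful:
                self.flows.add((p.proto, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        # Inbound. DHCP offers/acks come from server port 67 to client port 68
        # and may be broadcast, so they cannot be matched to a flow by address.
        if p.proto == "UDP" and p.src_port == 67 and p.dst_port == 68:
            return "allow"
        if self.stateful:
            reply_of = (p.proto, p.dst_port, p.src_ip, p.src_port)
            return "allow" if reply_of in self.flows else "drop"
        return "allow" if p.dst_port in self.permit_inbound_ports else "drop"


def scenario_packets():
    """Constructed traffic: a DHCP lease, a DNS lookup, an HTTP connection,
    then three unsolicited inbound packets of the kind a cable customer sees."""
    return [
        ("dhcp_discover", Packet("out", "UDP", "0.0.0.0", 68, "255.255.255.255", 67)),
        ("dhcp_offer",    Packet("in",  "UDP", GATEWAY, 67, "255.255.255.255", 68)),
        ("dns_query",     Packet("out", "UDP", MY_IP, 1050, GATEWAY, 53)),
        ("dns_reply",     Packet("in",  "UDP", GATEWAY, 53, MY_IP, 1050)),
        ("http_syn",      Packet("out", "TCP", MY_IP, 1051, "64.233.167.99", 80)),
        ("http_synack",   Packet("in",  "TCP", "64.233.167.99", 80, MY_IP, 1051)),
        ("smb_probe",     Packet("in",  "TCP", "203.0.113.7", 3345, MY_IP, 445)),
        ("nbns_probe",    Packet("in",  "UDP", "203.0.113.7", 137, MY_IP, 137)),
        ("inbound_http",  Packet("in",  "TCP", "203.0.113.7", 4000, MY_IP, 80)),
    ]


def run_scenario(stateful):
    """Verdict per packet. The stateless variant models the port-list idea
    from the post ("port 80 I/O, 110 In") plus DHCP's client port 68."""
    f = ClientFilter(stateful, permit_inbound_ports={68, 80, 110})
    return {name: f.decide(p) for name, p in scenario_packets()}


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless port list")
        for name, verdict in run_scenario(mode).items():
            print("  %-14s %s" % (name, verdict))
```

The stateless run reproduces the symptom in the thread: the DHCP offer gets in, but the DNS reply (to local port 1050) and the HTTP SYN/ACK (to local port 1051) are dropped, so "DNS lookup" and browsing die even though nothing was wrong with the services; meanwhile an unsolicited packet to local port 80 is let through. The stateful run passes exactly the replies the client asked for and drops the SMB and NetBIOS name-service probes, which is the behaviour a client-only machine actually wants.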

#6 | 02-05-2007, 08:03 PM | warf
Re: Clarification-Win2k Netstat sockets interpretation

Sebastian Gottschalk wrote:
> warf wrote:

Hi Sebastian... through all the chatter I have lost the intent of your
initial suggestion to use the De script to secure/disable my remote access. Are
you definitively saying "it is safe and contains no uninvited actions"?

snip..
> And I can't wait for an RFC for "remote-stabbing over TCP/IP"...

I just realized; if we all had to sit on wet seats holding a wire
connected to line voltage and an ethernet-enabled switch so that any
malicious code or commands sent
from your computer would shock the **** out of the sender...
Remote Stabbing is pretty funny though... unless your loopback adapter
misdirects the command->home.

snip
>> So I take my saved SP4
>> upgrade I got before M$ made us pull our pants down and take a shot of
>> code to make sure we own the OS install.
>
> Huh?

Metaphor for 'drop my protection'.

>
>> BTW...I drop the defenses reluctantly and incrementally to enable manual
>> update [upgrade] from M$ but still don't pass the 'wide open vulnerable
>> enough to allow your upgrade' test.
>
> Are you talking about Windows Automatic Updates or the Windows Update
> website?

You make a good point... I was unaware that they are now different.
Before [good ol' days] I could manually download every security update and
service pack from MS.com but now... they send you a bit of cop-code that
fails to run unless ALL defences are down [hence the allusion to pants down].

snip...
>> I'm just making a point; I dislike all the tracking of everything I
>> type,save,see,use,start,stop,plugin etc,
>
> Even if this is just supposed to assist you?

I would have considered the original intent of cookies to be patently
'assistive'... but those days are long gone. I don't for a second
consider datamining 'assistive'. They have evolved significantly.
Data is now so valuable companies are but a few steps behind the
blackhats in implementing 'choice-making software' that runs sans
consent. Cookies are not software but the ability to trigger 'features'
code is evolving rapidly.... cookies are no longer benign. Supercookies
.... well, I am waiting to hear that justification. I don't need a law
degree to know when I've been beaten up or robbed. I don't need a
CompSci degree to know the Int-box is just the vehicle. Follow the money,
Sebastian; motive and means almost certainly lead to the perps.

2 points about "assistance in choice": I like to make choices and not have
them made for me; it muddies the waters of 'what's good for me'.
Secondly, see 1st point.
As the third of two points, trust has been broken so all websites are
duly bound to establish trust... And since I decide when to trust, I need
to be highly convinced.

Speaking of convincing, are you sure the script from ntsvcfg is benign
in addition to being useful?

snip...
>> Scripted cookies are certainly capable of doing malicious things,
>
> So? What specifically?

Reset browser features and security levels for one. Grab whatever data
the browser is designed [or inadvertently designed] to hand over or allow.
I defer to your knowledge FTSoA. I am still suspicious of unstated
assistance though.

>> as I read, AND, every problem [not of my own doing by
>> disabling useful services] has occurred while temporarily enabling Java
>> /Java-Scripting or 'mobile code' to accomplish a download or a device
>> configuration.
>
> Interesting. Could it be that your Java VM and/or your webbrowser is
> totally outdated?

No. Latest Dec 19-06 download of Firefox and T-bird. Windoze updates
reluctantly on Auto [permission to install required].
Speaking of... Windows claims to be unable to deliver me security updates
from the website [~ms.com] and asks for full trusted status,
scripting, cookies, etc. activated, and sends me the 'validation' exe that
fails to run [or did it, was it "assisting me" in some other
unstated way"???]. BUT, auto updates bypass all security and permissions as
long as the required services are running. So... who owns my computer?

>
>> I get security levels reset, host file manipulated etc...
>
> ***? A non-admin user doesn't even have write access to the HOSTS file.

Vide supra.
I realize I am in gray water when trying to limit permissions and
still allow software mods, registry cleaning etc..
I no doubt have vulnerabilities..... I came here seeking help, not
claiming authority.
I do know something of human nature though and needn't be an expert in
all fields to spot funkiness in areas of limited authority.

For all the banter, I am still at your mercy and seeking assistance.
The rest is entertainment and long-distance connection... Or am I
responding to a BOT? Has AI finally made the leap?
You had me going, HAL.

>
>> I doubt you are didactically 'out of date' on mal-techniques datamining
>> and exploits, so what are you getting at?
>
> You should learn to differ between non-identifying information,
> computer-identifying information and personal information, as well as who
> can read it under which circumstances.

You are absolutely correct there HAL, er ah, Sebastian. Unfortunately,
the trust has been abused by so many marketers that until I learn enough
about how to distinguish I will be handicapped.

>
> About exploits: The official statistics tell that Mozilla Firefox, if
> always kept up-to-date, was at best vulnerable for 34 days for a
> non-critical problem. Which could already have been worked around by
> pro-active configuration.

True... but I am talking about my INsecurity at an even more basic level;
that of which options to disallow and which services to disable and...
I have come to accept that a determined and clever hacker will always
have his/her way with my box.... that didn't come out right!

....
> A script is a script is a series of commands that you can read in
> cleartext. You can easily read how the script determines the Windows
> version, configures the services and adds registry entries.

OK, I'll give it a go.

....
> I pity you. Mandrake is about the second-worst to start off.

You could probably pity me for more substantial reasons... like my need
to inject humor to gain acceptance, and my unfortunate physical
features, and...

>> ZA alerts me to ALLOW/DISALLOW every instance of a program,
>> module or process before it makes a registry change.
>
> If you're still running ZoneAlarm, you shouldn't wonder about anything
> going wrong in your system. The registry functions filter ****ing it up a
> bit should be your least worries.

Can you give me a "f'r instance"?
Why are you so averse to ZA? Of all the commercial FWs it at least
allowed me a modicum of insight into what passes twixt my 'puter and the
wire. Were it not for that I [most non-experts] would have no idea of
how much undisclosed persons want our data and how much mischief is on
the superhighway.
This much I will admit, now that I see figures like 605,000 instances
reported of but a single mal-port seek in a month [day?]... network
admins must be sick of the "ZA just notified me of a blocked attack..."
and I know from my ISP that even they don't get any response from other
ISPs to shut down mal~ and attack sites.
So, at least I have progressed to 'empathy' for you.

>
> What about using Windows' security features? Now this allows you to define
> security domains and, in contrast to the addon nonsense, can actually
> enforce this policy.

BINGO! That is what I really, really wanted to learn from you... how do I
shut down non-essential services in W2K [or XP] and change permissions
to harden and control what leaves and enters my computer?

The rest is entertaining and I hope you enjoy it as much as I and don't
feel the need to light up after a reply... [that damned injection again!]

Seriously, my attempts have led to 'failure to connect', 'failure to
launch', failure to fail... and even with all the reading I have been
doing I suspect many admins seek the same thing... else there would be
no NG dedicated to this.

>....
>> There an applet to ENABLE NETBIOS LOOKUP, DISABLE/BLOCK NETBIOS OVER TCP/IP

That still perplexes me...
Thanks for the assistance thus far, Sebastian.
Warf.

#7 | 02-05-2007, 10:45 PM | warf
Re: Clarification-Win2k Netstat sockets interpretation

Sebastian Gottschalk wrote:
> warf wrote:

....
>>> Are you talking about Windows Automatic Updates or the Windows Update
>>> website?
>> You make a good point...I was unaware that they are now different.
>> Before [goodol'days] I could manually download every security update and
>> servicepack from MS.com but now...they send you a bit of Cop-code that
>> fails to run unless ALL defences are down [hence,the allusion to pants down]
>
> Now you're getting even more confusing. Every update can be downloaded from
> https://downloads.microsoft.com as well, with any webbrowser. Windows
> Update is an IE-only "website" that checks your installed updates against a
> database and offers the missing ones, either for download-install-throwaway
> or permanent download. And Windows Automatic Updates does the same, just
> fully automatically and without IE involved.

OK, I certainly did not know that... all the advice I have ever read
indicates IE/OE should be ditched; so I make FF and TB my browser and
POP mail apps. I have only had warnings that my security settings
prevented the updates or SW downloads directly, never "IE is not your
default browser". Recall, the verification utility fails to work after
downloading and running it. Must read more.


> Which aren't identifying data. Anyway, you can limit this behaviour if you
> don't like it.


k'. I don't, and I do. Just making the point again.

>> (WGA validation tool)
>> [or did it,was it "assisting me" in some other unstatedway"???

>
> Was is the GenuineCheck.exe or WGAPluginInstall.exe?


Genuinecheck.exe 1.40 MB (1,475,376 bytes)

>
>> BUT, auto updates bypass all security and permissions as
>> long as the required services are running. So...who owns my computer?

>
> In case of doubt: Microsoft ;-D


I relent.

>
>> Why are you so averse to ZA?
>
> Because it's totally broken? It's just the users who have a problem with
> accepting that fact, and usually just after they finally uninstalled it
> they're going to believe that it's actually totally broken.
>
>> of all the commercial FWs it at least
>> allowed me a modicum of insight into what passes twixt my 'puter and the
>> wire.
>
> So does Ethereal. Without installing any crap.

.....

Again, k'.... I guess??? The specifics of the crap still escape me though.

>
>> and change permissions to harden
>
> Trivial: create a "Restricted User" account.

B' b' but... OK... this approach isn't working, I'll learn what I can
about 'that' approach.
Hey, what about Thinstall's jitit? The nifty little registry utility
that can be surreptitiously installed on your 'puter even on a locked
desktop? Read about how the CIA bought in so they could remotely access
everybody's 'locked-down' computers at work or home.
If it is now public knowledge you can be certain it is being utilized by
many other 'ilk'.
http://www.thinstall.com/

What hope is there?
Seriously though, I will run the script and watch traffic for a
while.... we live next to the highway. [can't stay serious]
Thanks for your insight Seb~
warf.

>> and control what leaves and enters my computer?
>
> You can't. For the simple reason that malicious programs can communicate
> with legitimate programs.
