Re: Some answers.
Thanks, Scott - once again.

(I've installed XP via Restore - a couple times; working next on XP-Pro, with variant partition-sizes. She has - a half-dozen times - but not generic.)

Continuation of previous, yes. I'm taking it-all as Comedy though; am willing to kinda kibitz and guide "a dedicated party's" doing most of the tedious on-line sleuthing, assimilating, note-taking.

Meanwhile - I'm experimenting on the notebook (now undergoing a second repartitioning - to see if.. once merely partitioned -still NTFS- but Not reformatted via fdisk: my assigned Extended Partition space (for dual-boot, natch) shall not be auto-wiped by the single-minded Restore set / on This try.

Having seen the log printouts, I see the script Kiddie's methodical creation of groups, permissions, then closing off possible avenues of rectification: by setting Their PWs and accessibility (like 'Guest', for ex.). Lots of typing to create all those HKEYS - there simply has to be a comparable script for fixing a Wide-Open new install - - as follows a similar drill: for Defense.

(The world of computer users and fixers is an even more stupid-stupid place, if this obvious ploy re XP Hasn't been accomplished) - I must assume I just haven't found one yet, in whatever cockamamie Doze script-language is used for Corp mass-installs -- and then The TEMPLATE for this purpose.

And yes, I grok that every bug is an ap, is somewhere an .exe (starts with MZ) and is a sequence therefore, of bytes. Alex's link confirms that at least one BIOS bug reached circulation: that answers one of my queries. I'd have thought that such a virus would manifest during boot, alter MBR content (or at least interpretation) - but would need some stub hidden in Registry.?. or something like that.

A DOD-wiped, repartitioned HD Cannot contain disk-editor-accessible code for pattern-recognition by say, a subsequent (Part-II for Second Attack?) piece of nastiness -- that is what I supposed and still do.

(She can do an RR in sleep now - and my only denying force is waiting for #$^*%# fdisk to insist on a Disk Test at every single step of repartitioning.)

Appreciate that a disk inventory via *nix would evade the interference with APIs that mask display of any file manager trying to operate in a diseased, well.. further-diseased than normal - Doze box. Not that agile yet w/ Linux.
I think if you're depending on being able to run update scripts before an unpatched, networked XP box gets infected or compromised, you're fighting a losing battle. The way to update a new XP install is to install the OS, install updates from a CD, and install an antivirus and antispyware package before it's hooked up to the Internet. At that point, you can turn off services, etc., before your friends start browsing the virus sites. :-)
Nope, we're following that sequence commencing with DL'd fixpacks, via Apple, yet! (surprised Beast would talk to an Apple..) - finding out next how to get cumulative patches (for all-at-once install.)

She was smart - paid real$ to get router setup properly and XP sanitized = 3 house calls; two after the invasion. They did none of the things right, even after two tries at unnecessary bug-fixing: it was already RRR'd! They wasted her time and $ (there was no data to be 'recovered'.) The evidence is there / documented. Court will be coming up unless reimbursement, also for a % of the pain/suffering. I wouldn't miss that show for anything - may post the terse opening allegation, excerpts from the appendix, rebuttal and evidence to be presented.

The 'script' I'm looking for is simply for lock-down;
this tedious task can use some automation (at least as efficiently as do the Kiddies - while undoing your barriers.) As for whether the gaggle of SpyBot clones find most-all .?. remember Post 198346 - Andrew's pretty detailed bug-hunt saga on a Vaio?

Then too, after this worm/trapdoor/whatever finished its methodical reconfig: SpyBot, AdAware would take all of a second to return "finished scan: OK". AVG flailed and died. I saw that on my infected notebook, before I wiped it. (I've also - earlier, elsewhere - seen ZA True Vector trashed.)

These are the reasons she is not relying on anything less than a careful litany of turn-offs AND all the usual nostrums AND double-firewall: ZA-Pro + Linksys buttoned down - with attacks, at each phase:

(ie. turn off router firewall! and hammer poor paraplegic XP, with only ZA to intervene. Pass that? Router back on. Test for "phoning-out" from within: is ZA doing its job of Alerts re inner activity? There are test-virii for this; are we having fun yet?)

Just maybe it will then run unscathed until the next New bug makes the rounds - gets in before the patches arrive: always days later. Wash, rinse. See? that's Why a script is needed:

When you expect this suppurating POS to go belly-up periodically - RRR is trivial compared with time for manually FIXING the out-of-box Experience. One More Time. That will be my attitude too, as I run Ex Pee on mine - (until I can find the 98 drivers.) But then, I'm on dialup: clearly less hazardous than her fire-hose hi-speed.

Anyway - it's fun so far, though it takes time away from the *nix Project and those other things in Real life.. Just a variant on NY Times Saturday Crossword :-)


Cheers,
moi
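The kind of lock-down batch file the post above is asking for, as an added illustration (not something posted in this thread or distributed by any vendor): it disables the Guest account, sets a password policy, turns off a handful of services a home box rarely needs, and enables the built-in firewall. The particular service list is an assumption for the example; anyone using it should review it against the machine's actual needs.

```batch
@echo off
rem Added example of an XP lock-down script; not from the original thread.
rem Run from an Administrator command prompt right after the restore/reinstall,
rem before the box is connected to the network.

rem 1. Disable the built-in Guest account so it cannot be used as a foothold.
net user Guest /active:no

rem 2. Local password policy: minimum length 8, expire every 90 days,
rem    remember the last 5 passwords so they cannot be reused.
net accounts /minpwlen:8 /maxpwage:90 /uniquepw:5

rem 3. Stop and disable services that a stand-alone home machine does not need.
rem    (Assumed list: Messenger popups, remote Registry, Telnet, UPnP discovery.)
for %%S in (Messenger RemoteRegistry TlntSvr SSDPSRV upnphost) do (
    sc stop %%S >nul 2>&1
    sc config %%S start= disabled
)

rem 4. Turn on the Windows Firewall (XP SP2 and later) for all interfaces.
netsh firewall set opmode mode=ENABLE

rem 5. Print the resulting state so the settings can be checked.
net user Guest | find /i "Account active"
net accounts
```

Each of these steps can be undone by anything already running with Administrator rights, which is why the post stresses doing this on a freshly wiped install before it sees the network.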

I understand now. What a nightmare.
I'm glad I haven't had to go through anything like that. Yet.

It sounds like there's a market for Aaxnet's Fort Knox - A collection of tools to disinfect, lock-down and guard your Winders so nasties can't break in and steal your gold.

I'll keep looking around - I agree that someone should have come up with some scripts on how to do these things in a reasonably automated way. I'll let you know if I find anything. Otherwise, pick Andrew's brain. :-)

Oh, before I go:
Meanwhile - I'm experimenting on the notebook (now undergoing a second repartitioning - to see if.. once merely partitioned -still NTFS- but Not reformatted via fdisk: my assigned Extended Partition space (for dual-boot, natch) shall not be auto-wiped by the single-minded Restore set / on This try.


I don't think you'll be successful.

I have a T41 that has XP restore disks. When it was shipped, it came with a FAT32 partition. When the laptop is started for the first time [link|http://www.linuxquestions.org/linux/answers/Hardware/Installing_SuSE_9_0_to_dual_boot_on_an_IBM_ThinkPad_T41_with_XP|it runs a script] that converts the partition to NTFS, installs XP, creates the system "pre-desktop" restore partition, etc. It's a pain for people who want to run Linux on it because you need to figure out a way to keep that script from running if you want to keep the Win partition FAT32 (so it can be resized by most Linux distros without incident) and keep the pre-desktop partition (if you don't have the restore CDs - though they can be requested from IBM). If you ever run the XP system restore stuff from the pre-desktop partition on the disk, it'll restore everything to the state after that first boot - meaning all of the partitions will be reset to the original configuration, wiping out Linux, etc., in the process. At least that's my understanding - I've never done it. If it works differently for you, please report back. :-)

Cheers,
Scott.
A good checklist for securing XP.
[link|http://www.techbargains.com/hottips/hottip13/index.cfm|TechBargains] has a good hyperlinked list of things to do to secure XP. Microsoft has some articles on doing a "lockdown" of user accounts, but it doesn't seem to have anything comparable for limiting internet access (other than XP's limited firewall, of course).

HTH.

Cheers,
Scott.
Interim report..
I had partitioned a 60 GB (Notebook! HD) with
Primary 20 GB "C:"
Extended Partition: 20 GB (Assigned one logical drive for now, D:)
..this left ~18 GB of free space at end.

I thought Restore disk - in worst case, anticipating presentation of a blank new HD - could complete the format choice, not needing Any format applied within partitions (as would, of course be converted to HPFS in due course.)

Nope.

Brain-dead Restore disk had No Idea what to do with such a disk (as would be the case had I indeed a merely low-level formatted new HD..)

Formatted C: and D: - FAT-32 as is fdisk's only repertoire (Jeez that's OLD)

Nope; can't find a disk (!! cretin)

Remove Swiss-army-knife XP-boot disk; add mine with sys.com
Sys the sucker - yup, transferred; *IT* could find a drive.
fdisk / mbr just because - exits with no error.

ie a Home User had best have a toolkit, know basic DOS - to replace that hP hard drive.

NOW ... Ex Pee 'Restore' notices a disk and the partitions.
Wants me to select Something to do with the free space; figure it can't hurt (?) to tell it to go ahead and assign it a partition/logical drive.
[Hah.. some of us never learn]

Reinstall completes with the tedious necessary evasions of "Unknown User" and "no thanks, don't start that Wizard"

Runs; replace the Garish with 'Classic' face and go to put a Shortcut to file manager on desktop.

W.T.F. - Not. Much. *There* on C:

The Artificial Dumbth Algorithm - decided to put most-all of the install on F:
(ALL those bloated files with an F:\ in their absolute address!)

[Space reserved for any foreign epithets naming syphilitic camels, their ancestors and coprophilic activities]


So then, a couple things emerge re THIS Restore disk (not quite as you described re IBM)

1) Yes you Can force it to recognize a Primary Active Partition.
(Am not sure that above would apply to prior -Home Restore disks on a second try with more details in other partitions.. Hope not to learn this piece of trivia the hard way, either.)

I am using [*] "Professional" on this RRR, from the later notebook: it's all for Science, natch.

2) And yes, I presumed from previous sagas - not only Must Doze be installed first, recognizing as it does: no other software exists. Implicit was that, with the in-bed Corporate Marketing relationships of mfg. - so would the Restore faux-OS versions insure that, if your Doze stuff dies beyond even zIWE-grade resurrection:

you buy a Retail package / or prepare to reinstall the entire HD.
Am I right sir, am I right?
Breakfast with crocodiles.. when you put this stuff on innocent magnetic materials.



[*] As likely all here know - while "Prof" contains yet more layers of Enterprise, AD-ready Group management gobbledygook, all mixed in with the Useful pieces: there are at least a few more things you Can turn off, that demand Registry hacks in the intentionally crippled -Home.

ie
[Give the people needing the Most protection: The Least
/ Pure Redmond (or, pure Cheney?)
And leave them fewer security tools, even after they find out what the out-of-box Experience: just cost them.]

I shall rely upon modularization of the AD-related infestation by XP-Lite(tm) to greatly assist in the vacuum cleaning of this Monstrous kluge.

So then next:

Wipe, leave the F: drive in that partition. See if I can get the sucker to leave F alone, as it did D (CDROM == E, as would have been changed)


Geronimo . . .
