Seeking serious opinions - advice

Having gone thru a period of months where increasingly my posts were being blocked to IWE I have been doing some investigation & have the following results. I am seeking any opinions as to how the blocking might be being carried out - am assuming it is a futile exercise to guess who is behind it.

1) I am based in H.K.
2) The blocking began only for posts to War on Terrorism but later extended to News & Security forums - I don't recall being blocked on any other
3) I am convinced the blocking is triggered by certain keywords related to Terrorism & sometimes China (I base this deduction on the fact that particular comments I made about either topic seemed to trigger the block)
4) This happens at both work and at home - in both places I use the same ISP
5) But if I log into a former account I still hold with AT&T, my posts *never* get blocked
6) My usual work around to being blocked is to immediately post thru the AT&T account
7) BUT, if I use someone else's computer thru my regular ISP, I can post without block
8) I have Zone Alarm Pro installed & when I get blocked I immediately get a Zone Alarm warning that it has blocked a link to my computer - the explanation says the site I was accessing has either gone down or my posts to it are being filtered
9) I have 8 computers on a LAN at home but it is only my 2 main machines running Win2000 that seem to suffer this block, however at work my Win2000 notebook gets the same blocks
10) Recently - even while Zone Alarm was active, I was on-line & suddenly lost control of keyboard & mouse & at the same time noticed activity on the DSL link & also got a pop-up saying that the file being requested is no longer available - this file was on a memory stick I had removed from my computer & was titled 'Security Policies'. Then the same happened again with another file that had also been mounted on the memstick, called 'Security Practices and Procedures' (these are two Word docs I have written). Because I had no control I hit the computer reset button & rebooted with no net access & re-installed Zone Alarm.

What I am seeking is your opinions on what might be happening - I have my own ideas but I am not an in-depth security expert although I work in aspects of Internet security.

As an example of being blocked - today I had about 8 posts to Terrorism forum blocked & resorted to dialing ATT to get around the blocks.

One other thing I notice is that once I get a block, my Wi-Fi access point/Router/UTP box seems to get regular periodic flashes of single activity thru the DSL modem. I can shut all computers down but this periodic flash keeps occurring (perhaps 20-35 secs apart). To kill it I usually switch off both the modem & Wi-Fi/Router box - wait 10 mins & restart them; usually the activity goes until I experience another IWE block or some time passes.

Any opinions welcomed

Doug Marker
(Getting really pissed off at the blocks)

HMMMMMMM - this post got blocked, so I reverted to using my Sony UM1 WinXP machine (on same LAN) & it got thru ???
Perhaps some separation of duties.
By which I mean, re-arrange your use so that you don't use Windows 2000 for web browsing. I'd then also upgrade your firewall configuration so that it only minimally trusts your PCs - and definitely not the Windows 2000 PCs.

Wade.

"Ah. One of the difficult questions."

is the win2k installed locally produced recently?
I know Cisco "enhances" for the chicom market. Loss of mouse control and the pop message means someone has a VNC-like product installed on your PC that can take control. The file they requested was labelled a goodie file so of interest. Your filters sound generic and clumsy, based on keywords and win2k. I think an alarm is triggered that increasingly blocks yer posts until someone can look at it. AT&T isn't yet at the point of having certain parties muck around with their stuff yet. Sounds annoying as hell; have you (or can you) disturb water with the local constabulary? If it's not them doing it they should get the locals interested and involved.
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]


Opera was the television of the nineteenth century: loud, vulgar and garish with plots that could only be called infantile. "Pendergast"
Re: Good point Bill - go head to head

I had thought of a direct approach to my ISP (also happens to be my employer <grin>) - Here I am Principal Technology Architect - but not in the group who play with the Internet (these are a secretive bunch at PCCW (HK Telecom)).

But, I will go direct (but based on past dealings with them - I think I know where it will lead (Chinese Walls)).

Cheers & thanks

Doug
Re: Is it possible to hide programs on someone's computer


My Zone Alarm Pro lists two programs that it says I have given the ok to access the Internet. I have my Win2K folder options set to show hidden files & all extensions.

The two programs are named as A and B (just that)

If I look at the file path shown for each of these programs, it appears not to exist?

A is listed as

D:\Program Files\Adobe\Acrobat 5.0\A but there is no such file in this location (Zone Alarm says it has a zero size?)


B is listed as being in a Folder that I can't see at all.

Just wondering

Doug Marker

Hidden directories?
Hi Doug,

W2K/NT5; dunno about hidden directory rules in that kluge. It hasn't been high on my list to delve any more into M$ internal obfuscation - I just assume there are trapdoors yet to be ID'd. My naive guess would be to find the errant Task; surely a necessary component - by elimination. There may be a perfect Rixtool for that - alas! he has given up on entire M$ platform, re any future devs and is seeking a new OS venue; this despite his many years of effort in creating small bulletproof utils to illuminate Doze errata. (Maybe XP and its direction of final obfuscation -- was the final straw)

Here be present 'Doze related tools at [link|http://www.radsoft.net/| Radsoft]

Here's what may? be his latest venture (if it's the Right Rick) [link|http://rixstep.com/| Rixstep].

Also [link|http://www.sysinternals.com/| Sysinternals] has some compact monitoring utils - which also seem relevant. Filemon.exe is impressive (to me).

re ZA: What happens if you check (programs menu) X X for these listed items, and allow NONE server access. One would likely do packet-sniff things, but you know all that stuff.

With the reproducible effects - obv. you are looking to decide the method being used: no longer 'if'. I'm sure many here would like to know what the wannabe-Big Boys are fielding - thus far. Clearly they plan to get better and better - at pabulum-feeding a billion people ??! The hubris - but Ah... the techno folks like Cisco who WILL pander. Capitalism thy surname is Prostitution.



Why do scenes from The Boys from Brazil keep running through the internal viewer? (If you missed that, you Gotta find a copy!)

Luck with the sleuthing; I be too iggerant to offer even a first approach, though I'd bet there are some freeware utils already - capable of illuminating the process.

Ashton
Re: Hidden directories?
[link|http://www.radsoft.net/news/20020905,00.html|Warning re Win2K and installing SP3]

Thanks for the pointers, the above item was of particular interest - esp the bit about the SP3 EULA allowing MS to hack your computer.

Cheers

Doug
OT: About your PIC...
I liked the Grand Daughter's picture better... She is a cutie!

Nice to know I *am* the ugliest one here though (on the outside only)... ;)

[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT
[link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!!!]


Your friendly Geheime Staatspolizei reminds:
[link|http://www.wired.com/news/wireless/0,1382,56742,00.html|Wi-Fi enabled device use] comes with an all inclusive
free trip to the (county)Photographer!

Overbooking, is a problem, please be prepared for "room-ies".

Why You ask? Here is the answer to your query:
SELECT * FROM politicians WHERE iq > 40 OR \\
  WHERE ego < 1048575;
0 rows found
Re: That Pic (grin) Miss HK 2000 - I used it

After mad 'Mike' in "War on Terrorism" accused me of spreading "Chinese whispers" - I wanted to feed his paranoia a little more <grin>.

Yup she sure is cute but too old to be my granddaughter :-( - But old enough for me to appreciate.

Cheers

Doug
you have been smacked
/winfilepath/a(space)<return> I had links to how to do this on sleazyboard I think but the search function isn't so good over there but try this as a start point
[link|http://www.xs4all.nl/~liew/startdivx/endofdeleters.txt|http://www.xs4all.nl...endofdeleters.txt]
luck,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]


I was so poor growing up ... if I wasn't a boy ...I'd have nothing to play with.
--Rodney Dangerfield
Re: Hmmm that does it - will reinstall from scratch

I believe it is most likely related to the blocks I *still* keep getting to certain IWE forums (this post is coming from a testing server).

So my first plan is to go ahead & re-install from scratch.

Interestingly - last week I was in Australia & using my little Sony notebook & I have Norton AntiVirus installed. I had dialled into attglobal.net then when reviewing my email (using netmail via HK) I got a message from Norton that some program had illegally altered its registry settings & advising me to remove the software & re-install from CD. I disabled the program (was in a Sony maint folder) then re-installed Norton then ran a full disk scan but it failed to show up that altered program or any other as being virii

Cheers

Doug

Forensics

legacy MS Windows has several ways of hiding files from you, some better known than others.

I'd very strongly suggest you boot the system with another OS, inventory the drive, and run MD5 checksums on all executables. Particularly, note the ones that change. Debian's going to bypass virtually all of NTFS's security. Being able to compare images at different times would also be useful.

A friend recommends [link|http://www.sysinternals.com/|sysinternals.com] as a useful site for forensics tools.

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]
Re: Is it possible to hide programs on someone's computer
Doug - no, I have Acrobat 5.0(.5) on Win2k and there is no file like that. I thought it might be a spool directory for Distiller but unless I missed something in the installation, I doubt it.

Another thing - there are sort of hidden files, and really hidden files. You have to uncheck the box that says "Hide system and settings folders" or some such (sorry on 98 right now). If these are visible, they show up as dimmed folders - really a nice feature.
-drl
Hidden files & really hidden files ...

Every win install I do I immediately uncheck the hidden files & suffixes.

The hidden files showing up in my ZA log were truly hidden - they were in the log as having accessed the Internet (with permission) but when I looked for them they were not in those locations.

I had deleted them but a day later they were back & I had *not* given any permission thru ZA to allow them net access.

My educated guess is that they were trojan modules planted as components of either Netscape, MSIE or Win services.

Anyway - I seem to have got rid of them with a clean install & by 'hardening & firewalling' every one of my computers. But I am being hit with 2 virus attachments in email, per day. I won't open email from people I don't know esp if they have attachments.

Cheers

Doug

could you forward a copy of the virus to me?
I would like to take a look under the hood.
woxley at tampabay dot rr dot com
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]

You think that you can trust the government to look after your rights? ask an Indian
"Opening" attachments
Doug wrote:

But I am being hit with 2 virus attachments in email, per day. I won't open email from people I don't know esp if they have attachments.

Back when I ran legacy Microsoft OSes, I found a 100% effective way to nullify the virus problem: Never run code you don't have reason to want to trust well enough to run. This, of course, implied ensuring that I knew about all occasions when I (or my machine on my behalf) ran code, and that it never happened without my approval.

Relevant to that, your quotation (above) indicates clearly where part of your problem lies: You talk about "opening" e-mail attachments. In Microsoft-speak, the verb to "open" sometimes means to execute, and sometimes means to view -- with the implication that the user has no idea which of the two he's doing. The implied mindset is part of what leads Microsoft's captive userbase to put up with misdesigned applications like MS-Outlook and MS-Outlook Express, whose three-pane view (at least in some versions) auto-executes code arriving as attachments without the user even selecting the attachment at all, let alone giving permission to run it.

The first steps to asserting control (aside from probably rebuilding your system from trusted media) are to remove all executables that you don't regard as trustworthy. I.e., if you suspect that MS-Outlook Express runs executables without checking with you first, get rid of it. And does your MS-Word, MS-Excel, MS-Access, or WordPro run AutoOpen or AutoClose macros automatically without checking with you? (Are you sure? Did you create test documents with those macros and see if they ran without checking with you? If not, why not?)

From that point forward, never just "click on" or "open" files without knowing of a certainty whether that's going to run as code or not. And don't just install software without meaningfully checking its identity. (You downloaded it? OK, but are you sure the site you got it from was the real site? Are you trusting some dubious party's DNS?)

Unfortunately, keeping a legacy Microsoft OS non-compromised is always a bit stressful, because you know that a user-level error of judgement can compromise the whole system's security, and not just his own security. (This is largely true even on NT, which at least in theory supports multiple user contexts, although it's not genuinely multiuser.) You have much more of a safety cushion, in that respect, on Unix.

If you use Linux, you get your pick of [link|http://linuxmafia.com/~rick/linux-info/muas|105 e-mail clients], none of which has a "virus attachment" problem. No offence intended, but it's a bit pitiful to have to ignore e-mail from strangers: No competently designed system can be threatened by a mere e-mail.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Edited by rickmoen Dec. 23, 2002, 12:14:22 AM EST
Obvious flaw
Doug wrote:

I won't open email from people I don't know esp if they have attachments.

Afterthought: How do you know which mail is genuinely from people you know? If you simply elect to believe the name in the From: header, then you're immediately at the mercy of malware-carrying SMTP worms like SirCam, which forge SMTP mail to make it appear to come from names and addresses familiar to you.

So, your protective measure not only suggests a serious problem with you using untrustworthy mail software, but also is ineffective.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Hey Doug,
Your post triggered a very faint light in the cobwebs of my mind.

I seem to recall some additional functionality of the NTFS that is not well documented (of course). Each NTFS file has something called an "alternate data stream" (ADS). Here is an excerpt [link|http://patriot.net/~carvdawg/docs/dark_side.html|from one] of the over 9000 articles Alta Vista returned when asked for "NTFS and stream"
NTFS is the preferred file system due to its stability, functionality, and the level of security it provides. NTFS alternate data streams (ADSs) are provided for compatibility with the Macintosh Hierarchical File System (HFS), which uses resource forks to maintain information associated with a file, such as icons, etc (RUSS00). While Microsoft provides a means for creating specific ADSs via Windows Explorer, the necessary tools and functionality for detecting the presence of arbitrary ADSs is conspicuously absent. Oddly enough, the operating systems have the necessary native functionality and tools to allow a user to create ADSs and to execute code hidden within those streams. Microsoft KnowledgeBase article Q101353 acknowledges the fact that the Win32 base API supports ADSs inconsistently. [emphasis added]

An NTFS file created with a stream other than stream 0 would appear as a file of 0 size to a program, but would (probably) not be visible to the Explorer. It appears to be possible to create a directory containing only ADSs too (but I'm no expert on this). It seems as if A and B may well be such entities.

HTH
jb4
"They lead. They don't manage. The carrot always wins over the stick. Ask your horse. You can lead your horse to water, but you can't manage him to drink."
Richard Kerr, United Technologies Corporation, 1990
Goal?

What do you want?

I assume being able to post without block.

Do you also want to be free of any local monitoring? Is using Win2K a requirement, or could you switch to something else? GNU/Linux is most likely going to be more readily secured and monitored, though it may take some doing to get there. If you want a high level of assurance, you may want to go for nonvolatile media -- Knoppix or a similar distro. Note that Knoppix itself offers pretty good desktop capabilities, and may be sufficient. Remotely mounting your home partition from a remote trusted location via an SSH tunnel may also be of interest.

Do you want to do forensics to find out what's being done, how it's being done, or where it's being reported to? In that case, a GNU/Linux or OpenBSD masquerading proxy (and/or firewall) with packet logging, and/or a packet sniffer, may tell you about stray bits going places. Actually, if you do that, I suspect there are others who'd be interested in the information. See also my prior comments on indexing and MD5 summing your legacy MS Windows install.

If you want to run W2K, I'd suggest a minimal, hardened installation on completely wiped media. Which is going to be a PITA. Image this, index it, and md5sum it, before you connect to the 'Net. Note that this is going to make the system very unfriendly to play with as you're going to have major issues updating, configuring, modifying, adding SW, etc. But it may be relatively secure, and/or give you an idea how the system's being compromised.

Don't overlook hardware. Keystroke sniffers are now dime-sized or smaller, capable of holding MBs worth of output, or months worth of typing. If you're going to be paranoid, don't stop at half-measures.

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]
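A baseline-and-compare scan in the spirit of Karsten's advice in the "Forensics" and "Goal?" posts above (an added example, not code from the thread or from any poster): it hashes every native executable under a mount point, stores the manifest, and on a later run reports what was added, removed or changed. It is meant to be run from a separate OS against the mounted Windows volume; the mount path, file names and "MZ" file contents in the demo are constructed, and files are classed as executable by suffix or by their MZ header so an extension-less name like the "A" in Doug's ZoneAlarm log is not missed.

```python
# Added example: baseline-and-compare inventory of executables on a drive
# mounted read-only from another OS (e.g. a Debian or Knoppix boot), so NTFS
# permissions and "hidden" attributes do not get in the way. Keep the
# baseline JSON somewhere the suspect machine cannot reach.
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Suffixes of Win2K-era native executables. Anything else is also treated as
# executable if it starts with the "MZ" DOS/PE header, so a hidden program
# named just "A" with no extension is still caught.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr", ".ocx", ".drv", ".cpl"}


def looks_executable(path: Path) -> bool:
    """True if the file has a native-executable suffix or an MZ header."""
    if path.suffix.lower() in EXEC_SUFFIXES:
        return True
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def file_digest(path: Path, algo: str = "md5") -> str:
    """Hex digest of the file, read in 1 MiB chunks so large DLLs fit in RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algo: str = "md5") -> dict:
    """Map each executable (path relative to root) to its size and digest.
    Symlinks are skipped; NTFS alternate data streams are not walked."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file() or not looks_executable(p):
                continue
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, algo: file_digest(p, algo)}
    return manifest


def compare_manifests(old: dict, new: dict, algo: str = "md5") -> dict:
    """Report executables that were added, removed, or whose digest changed."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(k for k in old_keys & new_keys
                          if old[k][algo] != new[k][algo]),
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    Path(dest).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Constructed sample drive: take a baseline, tamper, re-scan, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "win_mount"          # stands in for e.g. /mnt/win
        sys32 = drive / "WINNT" / "system32"
        acro = drive / "Program Files" / "Adobe" / "Acrobat 5.0"
        sys32.mkdir(parents=True)
        acro.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 64)
        (acro / "A").write_bytes(b"MZ" + b"\x90" * 16)  # no extension, MZ header
        (drive / "readme.txt").write_text("not code")   # ignored by the scan
        baseline_file = Path(tmp) / "baseline.json"     # keep this off the box
        save_manifest(build_manifest(drive), baseline_file)

        # Simulated tampering between scans: a DLL is patched, a new program
        # appears beside A, and A itself is deleted.
        (sys32 / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 63 + b"\x01")
        (acro / "B").write_bytes(b"MZ" + b"\x90" * 16)
        (acro / "A").unlink()

        return compare_manifests(load_manifest(baseline_file), build_manifest(drive))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real volume, call build_manifest on the mount point once from trusted media, save the result elsewhere, and diff against a fresh scan whenever the symptoms recur.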
Re: Goal? - At the moment is to figure out what thyz up 2

I can easily do a wipe & reinstall of Win2K - I can post from another portable computer (it seems the blocks are associated with a particular browser & OS install). As time has passed more of my computers are being blocked.

Interestingly there is a big article in this week's Newsweek on how Microsoft, Sun, Cisco & Oracle have been providing technology to the Chinese govt for filtering & blocking email & postings.

What has surprised me just a little is that this was supposed to only have happened on the mainland but it seems to me it is happening here.

Also as mentioned before, the ISP that must be allowing this to happen is the same coy I work for. Leads me to believe it is a skunk works that is in cooperation with mainland initiatives.

If I boot that same win2k computer using RH8, I don't get blocked. At this time out of 8 computers plus my work computer 5 appear to be subject to blocking & all run Win2K with SP2.

Am hoping that by posting what I find, the penny may drop somewhere & we may learn what these agencies are willing to get up to.

Cheers Doug
Why I bought a laptop
Karsten wrote:

Don't overlook hardware. Keystroke sniffers are now dime-sized or smaller, capable of holding MBs worth of output, or months worth of typing. If you're going to be paranoid, don't stop at half-measures.

Reminds me. There was a time when I was chief sysadmin at $FIRM, an outfit in San Francisco. The moment $CTO came aboard, all manner of odd things seemed to be happening on the LAN, leading to the strong justifiable suspicion that he was tapping all e-mail in or out of the company, right at the switch, primarily in order to monitor discussions among other members of the executive staff that might affect his... interests. (I wish we could talk about the $12M in contracts given largely to firms in which he had undisclosed ownership interests. Can we use bad words like "embezzlement"? Hmm, probably not.)

Anyhow, I had a pretty good notion about what the gentleman was doing, without exact confirmation, and found that it, um, didn't meet my needs. I saw no reason I shouldn't have reliable, private communications between my desk at work and my server at home. Given such a channel, I could then reach out from home to any further locations, without $CTO having any access to my affairs.

So, I sat down and considered threat models. My apartment at The CoffeeNet? Not impervious, but good enough. The various wires between my cubicle and my apartment? Assumed hostile and compromised -- but fortunately SSH (properly used) makes that irrelevant to privacy, leaving only DoSing, which didn't seem to be a problem in that case. My workstation on my desk? Oh-oh.

As you said, hardware can be compromised pretty easily. So can unattended software to which the bad guys have physical access -- and I knew that it only seemed like I was at my desk 24 hours a day. If $CTO wanted to bug my Debian workstation, he might be able to do that without my being able to easily tell. Or he could put in a hardware-level keyboard sniffer, with much less effort, and I wouldn't likely find that at all.

The guy probably wouldn't bother, but I realised that there was an easy way to eliminate all those possibilities: I bought a used Sony VAIO PCG-505TX, installed Debian on it, and used it (only) for any computing for which I wanted privacy and assurance of personal control.

These days, a Knoppix CD is about 7/8 of a loaf. The bad guys' options at the level of your workstation's software just about vanish. Others exist, but you've picked most of the low-hanging fruit.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Edited by rickmoen Dec. 13, 2002, 02:13:59 PM EST
Have you tried Spybot Search & Destroy?
It seems to be pretty powerful and has found lots of stuff on a few of my Windows (9x and 2k) machines. It also checks the registry for lots of nasty stuff that can go on behind your back.

I investigated tools like this because I was having trouble with my dial-on-demand internet connection staying off when I hung up...

[link|http://security.kolla.de/|Spybot Search and Destroy]. Freeware with a $5 donation requested.

It may not help your blocking problem, but might help your mysterious access problems.

Good luck!

[Edit - lost replaced by lots]

Cheers,
Scott.
Edited by Another Scott Dec. 12, 2002, 11:09:35 PM EST
Re: Downloaded & will try - looks good

What that site brought to mind is that these A & B programs may be merely spy bots rather than related to the blocking that is happening.

The Internet has become so complex that at times one can think one kind of intrusion is actually something that it isn't.

The computer in question has nothing confidential on it so I am not excessively worried about damage. My deep concern is to be able to figure out what is being done & how it got onboard (assuming there are intrusive programs operating).

I used to rely on netstat -a -n | more to look for suspicious connections but these aren't showing up (as best as I can tell).

Cheers

Doug
Re: Interesting results

Have just run on my work notebook Win2K based & it as expected identified stacks of hit box cookies but it also highlighted

C:\Program Files\Adobe\Acrobat 5.0\AVGeneral\cRecentFiles\c1
and 4 more like it - interestingly this is near to the same dir path that the mysterious A & B programs are listed in my home PC by ZoneAlarmPro.
(D:\Program Files\Adobe\Acrobat 5.0\A)

Is it possible that Adobe monitors what PDF files we download ?

The A program listed by ZA Pro is listed as having 0 length & as mentioned, is not there when I look. An earlier post here showed how dummy entries can be made & done in a way they can't be seen & can't be deleted. I assume they can be executed though.

Doug Marker
Most of the found items are just information.
When I had problems with things sending out information over the internet, SBS&D found them and put them at the top of the list with checkmarks in the boxes.

The Adobe stuff and similar found items are just lists of files that were recently loaded into Acrobat and the like. They're history lists generally. If you're worried about people looking to see what you've been doing on your PC, they're good to remove. But I'm not so I haven't. :-) None of the information is sent back to Adobe (AFAIK).

More information about the files found can be examined by highlighting them (click) then click the "Description of this product" button at the bottom (or alternatively right clicking on it and selecting the same).

HTH.

Cheers,
Scott.
Re: Doug's strange new fascination with Re:
*cough* we already know it's the Subject. Can't say I've ever seen someone Re: and then invent a new subject.

Many fears are born of stupidity and ignorance -
Which you should be feeding with rumour and generalisation.
BOfH, 2002 "Episode" 10
Not new by any stretch of imagination...
Re: Have you tried Spybot Search & Destroy?
Ran the pgm at home but it didn't seem to locate anything nefarious.

It did bring home though how Win + many new prods, all leave easy to access logs of all activity down to wiping your nose. Spybot points out that this is only a problem if someone else has access to it which can be over the net if they can establish a path.

I have decided & am in the midst of a complete rebuild

1) RH8 on SCSI disk using GRUB dual boot
2) Win2K Clean install
3) Virtual PC under Win2K with a base Win2K VPC which I will use to access email & do downloads in the expectation I will have an isolated system & can replace it with a base disk image anytime.

The main machine can then be used for all the other stuff I want to use it for

Cheers

Doug Marker

Just wanted to add that an earlier attempt to post this item was blocked. After my clean re-install this same post was not blocked.
Am hoping I have isolated the way they identify me.
Edited by dmarker Dec. 14, 2002, 12:07:34 AM EST
Re: Seeking serious opinions - advice
dmarker wrote:

What I am seeking is your opinions on what might be happening - I have my own ideas but I am not an in-depth security expert although I work in aspects of Internet security.

How can I put this delicately? One recurring thread in what you've described is use of your Microsoft-OS client computer on the calling end. You'll probably not be surprised that I'm not optimistic about ability to keep the bad guys out of Microsoft OSes, generally. I've run Microsoft OSes and kept the bad guys out, but it requires a great deal of care. Just installing pointy-clicky geegaws like Zone Alarm really doesn't help. (To be blunt, I can easily imagine your hard drives' installed software being subverted without your being aware of the how, why, when, or by whom.)

Removing that variable (Microsoft OSes) from the picture might not be a sufficient measure. E.g., the bad guys could be ensconced in routers and DNS servers your connections rely upon. However, you could try Karsten's suggestion of burning a Knoppix CD, and seeing if booting that instead of the Microsoft OS on the machine's hard drive makes some or all of those symptoms vanish. Give it a try, and see what happens. Take notes.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
FYI: XP & Zonealarm - holey shit

Proving to myself that IWE isn't worth reading, I stumbled across [link|http://www.infoworld.com/articles/op/xml/02/12/16/021216opwinman.xml|Putting XP in the zone], which I could only assume was more laudation about how XP was enterprise-ready and the best thing since sliced yoghurt....

[R]eaders are, well, alarmed that the firewall's default configuration allows components of Windows XP to silently connect with Microsoft's servers without displaying an alert. One reader installed ZoneAlarm to augment XP's weaker, built-in firewall, removed all named programs and components from ZoneAlarm's OK list, and then rebooted. But XP could still contact the mother ship.

This is a concern because Microsoft added numerous features to XP that report information about you or your activities to centralized databases. I wrote four months ago that XP contains a dozen or so components that automatically connect to the Internet (See "[link|http://www.infoworld.com/articles/op/xml/02/08/26/020826opwinman.xml|Sneaky service packs]"). Microsoft describes 11 of these programs in a white paper that's available at [link|http://www.microsoft.com/WindowsXP/pro/techinfo/administration/manageautoupdate|www.microsoft.com/WindowsXP/pro/techinfo/administration/manageautoupdate].

A couple of lessons there, among them that you can't trust Microsoft or ZoneAlarm. And if XP can phone the mothership, it can certainly kick packets to the Forbidden City. IWE may be worth the occasional perusal though

--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]
What part of "gestalt" don't you understand?
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.

   Keep software free.     Oppose the CBDTPA.     Kill S.2048 dead.
[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]