Guest guest Posted June 21, 2005

This may be presumptuous, but I take it you don't like IE.

Guest guest Posted June 22, 2005

Clay wrote:
> Oh yeah, I don't even know what a DNS server is, what is it?

First, I need to explain what an IP address is, I think. Each computer on the internet has an IP address. An IP address consists of four numbers 0-255, separated by periods (dots), such as: 12.83.265.1 (I just made that one up.)

My IP address changes from time to time; my internet provider lets my computer know what the new one will be. It has a "pool" of available IP addresses that it can choose from when it is time to assign one to me. This is called a dynamic IP address. Since my IP address changes, it would be a "moving target" if I decided to set up a web server or something like that-- it wouldn't be workable. That's ok, though, as running a web server is against the terms of service for my personal account.

If I wanted to set up a web server, I would need a static IP address. That means that my IP address would always be the same. If some other person across the net wanted to connect to my computer (so that my computer could serve up a web page), they would be able to do so, since my IP address would never change.

In order to do that, though, they would have to remember my IP address, and type that into the address bar (once it was bookmarked, it would be possible to just use that). That's cumbersome, to say the least. It would be a lot more convenient if people could type in something like www.frank.com instead (that's not mine; I just made that up). In order to get my web page, though, the specific IP address has to be known.

That is what a DNS (domain name service) server does. Whenever your web browser, email client, etc., requests a connection to, say, yahoo.com, your browser submits a query to your ISP's domain name server. The domain name server sends back a datagram indicating the IP address for yahoo.com, so that your browser will know what IP from which to request data.

Unless a program is specifically trying to go to one IP (like if you typed in http://12.83.265.1 into your browser address bar), it is going to need to query the DNS server (for all intents and purposes; I will ignore DNS caching here) first.

Internet security can be a complex thing, and I started to go into the relative safety of DNS requests, but I don't want to overwhelm you.

Norton is actually not a bad firewall (although the whole Norton Internet Security suite is heavy on resource use). I tested its capabilities, and it is pretty good. My complaint is that it tries really hard to make internet security easy, but there's only so far that goes. Norton's recommendations are not always right, and you really do need to know about the programs that are trying to access the net. Some of my trusted programs have been falsely reported as "high risk," where Norton suggested blocking access.

I think you have understood this, because you asked about this program rather than just following Norton's advice. Don't get in the habit of ignoring the popups and just selecting "allow" for all of them, because one of these days, one of the alerts could be a piece of malware (malicious software-- a virus, trojan, or other no-good program) trying to send your personal data out to someone.

If you are careful (don't run attachments you get in email, etc), the chances of getting such a trojan are reduced. Your antivirus program will detect most of them, but I have had several (3 or 4) that were sent to me in email or that I downloaded to test which were not detected. (I reported them all to McAfee's AVERT labs, after which they were added to the database, and is shared with other antivirus companies.)

Do you use Service Pack 2 on Windows XP? I tested the built-in XP firewall with SP2 and with previous versions, and SP2 had some holes (incoming ports where unsolicited packets from the outside would not be dropped) to allow various XP things to work more efficiently.

Also-- does anyone else have physical access to your computer, where this rogue user account could have been something simple like that?

Finally-- be sure to keep your computer updated with Windows Update. As security holes are discovered, Microsoft releases fixes.

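The query and reply described in the post above, as an added example that is not part of the original thread: it builds the DNS question for yahoo.com in the standard wire format and parses a constructed reply datagram. The transaction ID, the 192.0.2.7 address and all function names are assumptions made for illustration.

```python
import struct

def encode_name(name):
    """Encode 'yahoo.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid):
    """One question: 'what is the A (IPv4) record for name?'"""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # a 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def parse_a_records(msg, expected_txid):
    """Return the IPv4 addresses in a reply, rejecting replies we did not ask for."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("message is not a response")
    if flags & 0x000F:
        raise ValueError("server returned an error code")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def constructed_response(query, ip):
    """Constructed sample reply: echoes the question, answers with one A record."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(part) for part in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query("yahoo.com", 0x1234)          # constructed transaction ID
    r = constructed_response(q, "192.0.2.7")      # constructed address
    print(parse_a_records(r, 0x1234))
```
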
Guest guest Posted June 22, 2005

At 02:05 AM 6/22/2005, Clay intoned:
> Oh yeah, I don't even know what a DNS server is, what is it?

's information is of course first rate, but I think it's a bit too technical, no offense to .

DNS server stands for domain name server. First of all, let me clear up something that might be a bit confusing. A server is simply a computer that "serves" information. Any computer can be set up as a server, but obviously, if all the machine does is serve web pages, it only makes sense to use the operating system and programs best-suited to the job, and that's exactly what companies do.

When you visit a site, you put in the name of the domain. If you visited my site, you would type in "www.zolaweb.com" (or you could visit jane at mjane.zolaweb.com). The name, however, is not sufficient. It doesn't tell you where the site is. Zolaweb, for example, is on a machine in California. So they worked out a system that would tell your machine where to go to connect to the machine that has the site. Those numbers are the IP, or internet protocol, numbers you hear about.

Without going into too much technical detail, what happens is that there are seven machines in the world that keep track of this (at least I think it's seven, techheads out there feel free to update me). These machines keep a master list that matches the domain names to the DNS servers, and they send out the new list to all the companies that provide internet service. This happens several times a day, but every company has its own policy for updates. Some companies update every time the master list gets sent, others do it once a day or even once every three days. The master list is created by all the companies that have servers. They update at least once a day saying "Our DNS server has these domains".

The IP's don't say EXACTLY where your site is, though. What they do is identify the DNS, or domain name server where your site is located.

It might make it clearer if you think of it as a set of directions. You want to visit my site. The "backbone" servers have the list that says "Zola's site is located on a server located in San Francisco, California." So you get routed (yes, that's why they are called "routers", because they send you to specific places) to that DNS server. So a DNS server could be pictured as a town on the map. You're on your way to a specific place, so first you go to the town.

Once you have arrived at the server in San Francisco, my web company's routers take over. They also have a network and DNS servers with IP's that further direct the traffic first to a specific machine, then to a specific folder on that machine, namely, mine! This would be the same thing as going from the town to the neighborhood, then to the specific place.

If you want to see this in action, you can. It's really interesting. Go to the start menu and choose run. Type in cmd.exe and a DOS window will pop up. At the DOS prompt, type in

tracert www.google.com

You will see every router your browser goes to between you and Google, starting from your home. If you are curious as to where each place is located, you can try looking up the IP's at www.arin.net. Put the IP into the whois lookup box, and if Arin has the record, it will tell you who the IP belongs to and where it is.

This can be very entertaining when there is real trouble on the internet. One time, a major cable was severed by a bulldozer in the midwest, and my computer's signal actually went to servers in Japan before finally arriving in California.

That is, in fact, why they call it the Web or the Internet. Networks are connected to networks are connected to networks, so if you could see a visual representation of it, it would indeed look just like points on a spiderweb.

I hope this explanation helps.

Z
http://www.livejournal.com/users/mszola/
"What are we going to do tonight, Brain?" "The same thing we do every night, Pinky. We're going to try to take over the world!!" ---Pinky and the Brain

Guest guest Posted June 22, 2005

Good comments.

A hardware firewall is a necessity, but not sufficient. It does not prevent anything you have downloaded from going out again. That is why I use a software firewall as well.

You can test your software firewall with GRC's leaktest at grc.com. Zonealarm passes, but XP and Blackice fail.

wrote:
>>> Do you use Service Pack 2 on Windows XP? I tested the built-in XP firewall with SP2 and with previous versions, and SP2 had some holes (incoming ports where unsolicited packets from the outside would not be dropped) to allow various XP things to work more efficiently.
>>
>> Hi, thanks for the information. Ummm, I think I recall something about Service Pack 2 on here, and it is XP.
>>
>>> Also-- does anyone else have physical access to your computer, where this rogue user account could have been something simple like that?
>>
>> No, no one except maintenance personnel, or guards. They rarely come in, and never without notice, (that I know of), and there wasn't anyone else here Saturday morning when I first noticed there was a "whizbang" logged onto my computer. "Whizbang" sounds threatening, doesn't it? But then, so does "backweb" to my mind. Like something sinister.
>
> Just some of my thoughts on the whole thing.
>
> I thought your original post indicated your computer was booted up remotely. You found your pc running but the monitor was off. You couldn't shut it down without it restarting until you pulled the plug. I wouldn't assume your maintenance crew is innocent either. You just never know these days.
>
> "Whizbang" is another name for a firecracker. There was also a company that went by that name, who was acquired by Inxight Software, Inc. None of this pertains to your problem but it's not necessarily a threatening sort of name, although it would be to me too had I found that name logged in to my computer.
>
> The strange behavior you report the night after your original incident strikes me as being memory or CPU usage related, such as the type of behavior you would see if your computer's system resources were maxed... a very likely possibility when being hacked.
>
> I would've wiped that computer out and reinstalled immediately, but I am like that. I am known to format and reinstall over less issues than you report, and religiously keep backups organized by date so I can have everything up and running again in less than two hours.
>
> My network is behind a hardware firewall. I prefer it to a software firewall but to each his own.
>
> Have you disabled Remote Desktop and Remote Assistance in your computer's System Properties? I would also look in your computer's BIOS for any options enabled to allow remote start and remote wakeup on a LAN.
>
> I also would've disabled that backweb update a long time ago, but I am particular about updates. I let nothing update automatically in my computer. I prefer to update manually so I am aware of what's being done and can pinpoint any problems that may arise as the result of one.
>
> I agree and do the same, as far as the post that came in by the person (I forget who) who ran two virus scans and two spyware programs, as well as the hardware firewall. I also prefer Mozilla. Internet explorer has security issues they have yet to patch.
>
> Just my two cents.

Guest guest Posted June 22, 2005

Colin Wessels wrote:
> Good comments.
>
> A hardware firewall is a necessity, but not sufficient. It does not prevent anything you have downloaded from going out again. That is why I use a software firewall as well.
>
> You can test your software firewall with GRC's leaktest at grc.com. Zonealarm passes, but XP and Blackice fail.

Try Atelier Web Firewall Tester-- it is a really tough one to pass. That, CopyCat, and Thermite, are the hardest ones I have seen so far. I use Agnitum Outpost 2.7 Pro, which passes them all-- and it has the granularity I want, to be able to finitely control everything.

I don't like how ZoneAlarm does not have the global settings take precedence over the application settings. I tried to set it up with the control I like, but it just did not work with the global and the application rules being parsed in series.

Guest guest Posted June 22, 2005

wrote:
> > A hardware firewall is a necessity, but not sufficient. It does not prevent anything you have downloaded from going out again. That is why I use a software firewall as well.
>
> As I have just now discovered after spending some time playing with my hardware firewall. It's a Netgear firewall/print server. It can block outbound but by default it allows all. Ack. I was stealth in every other test but outbound connections. Obviously I have some work to do here. <sigh>

The outbound filtering that a hardware firewall can do is rather limited. You can block certain IPs or ports, or combinations thereof, but you can't achieve the selectivity that you can with a software firewall. A software firewall can allow Mozilla to connect to any IP on remote port 80, but deny that to Internet Explorer (which I do on my computer, except for specific IPs associated with Windows Update). A hardware firewall can only enforce global policy; it cannot tell which program sent a given packet. And when it comes to protecting your computer against trojans and other malware, that is precisely what you need.

A software firewall will block any process (whether it be a program you intended to install or a trojan) from accessing the network, unless you have given that process explicit permission to do so. The better ones can also detect attempts by malware to use an allowed process (like mozilla.exe) to transmit data for them. A hardware firewall can't do this. As such, they are not useful in protecting against data leaks.

I use Agnitum Outpost Pro 2.7, which IMO is the best software firewall (that's why I use it). My computer is behind a NAT router/hardware firewall as well. Neither one is a panacea; a multilayered approach is the most secure.

> > You can test your software firewall with GRC's leaktest at grc.com. Zonealarm passes, but XP and Blackice fail.
>
> This may sound petty but I didn't care for Zonealarm as it was so visually disturbing. It's been quite a few years since I've used that firewall. Does it come with less bells and whistles now? I would prefer a firewall that does its job, allows the user to modify its settings but without all of the fanfare.

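The difference described in the post above, sketched as an added example (not part of the original thread, and not Outpost's or any other product's rule format): the same outbound attempts are judged by a process-aware rule set and by a port-only perimeter rule. The addresses, the 198.51.100.0/24 stand-in for Windows Update and the process name unknown.exe are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Conn:
    process: str      # visible only to a firewall running on the host itself
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    network: str                    # destination CIDR
    port: Optional[int] = None      # None matches any port
    process: Optional[str] = None   # None matches any process

    def matches(self, conn, sees_process):
        if self.process is not None:
            # A perimeter device never learns the process, so a
            # per-process rule can never match there.
            if not sees_process or self.process != conn.process.lower():
                return False
        if self.port is not None and self.port != conn.dst_port:
            return False
        return ip_address(conn.dst_ip) in ip_network(self.network)

def decide(rules, conn, sees_process):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(conn, sees_process):
            return rule.action
    return "deny"

ANY = "0.0.0.0/0"
UPDATE_NET = "198.51.100.0/24"   # constructed placeholder for Windows Update IPs

# Host (software) firewall: the policy the post describes.
HOST_RULES = [
    Rule("allow", UPDATE_NET, 80, "iexplore.exe"),
    Rule("deny", ANY, None, "iexplore.exe"),
    Rule("allow", ANY, 80, "mozilla.exe"),
]
# Perimeter (hardware) firewall: the closest global policy it can express.
PERIMETER_RULES = [Rule("allow", ANY, 80)]

ATTEMPTS = [  # constructed sample traffic
    Conn("mozilla.exe", "203.0.113.10", 80),
    Conn("iexplore.exe", "203.0.113.10", 80),
    Conn("iexplore.exe", "198.51.100.20", 80),
    Conn("unknown.exe", "203.0.113.10", 80),
]

def compare():
    """(process, destination, host verdict, perimeter verdict) per attempt."""
    return [(c.process, c.dst_ip,
             decide(HOST_RULES, c, True), decide(PERIMETER_RULES, c, False))
            for c in ATTEMPTS]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The perimeter verdict is the same for every row because destination and port are all it can match on; only the host rule set separates the browser, the restricted browser and the unlisted process.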
Guest guest Posted June 22, 2005

> a software firewall. A software firewall can allow Mozilla to connect to any IP on remote port 80, but deny that to Internet Explorer (which I do on my computer, except for specific IPs associated with Windows Update).

Presuming the computer hasn't been cracked, wouldn't the windows/IE <Internet Options> --> <Security> tab accomplish pretty much the same thing?

i.e., on IE, selected domains (microsoft.com and the few other sites tied to IE) are in the "trusted zone"; in the ordinary zone, most of the crap (Active X, Java, Javascript) is turned off or at most "prompt". The "restricted zone" is for email (which I used when I was at an office which ran Outhouse).

The disadvantage is that theoretically someone could get into IE and change things; the advantage is that www domains are easier to define. The only "trick" is to uncheck the "Require server verification (https)" box for the list of trusted sites; otherwise ordinary http sites won't go on the list.

(To explain, the ones I have in the "trusted sites" are http://*.windowsupdate.com http://*.windowsupdate.microsoft.com and in the past, on-line banking and the US Patent Office.)

In this way, IE is limited to particular functions, but the default browser is Firefox. (Firefox and Mozilla describe the same thing.)

Incidentally, if you're in the "internet options", uncheck the "IE should check to see if it's the default browser" box. It shouldn't check.

- s

Guest guest Posted June 22, 2005

Stan's Computer wrote:
> > a software firewall. A software firewall can allow Mozilla to connect to any IP on remote port 80, but deny that to Internet Explorer (which I do on my computer, except for specific IPs associated with Windows Update).
>
> Presuming the computer hasn't been cracked, wouldn't the windows/IE <Internet Options> --> <Security> tab accomplish pretty much the same thing?

That would presume I trusted IE to adhere to its own security settings... and for a product that has so many security holes, I don't trust that it can't easily be hijacked (or have a piece of malware change the settings). I don't want it to be able to connect to *any* site besides windows update anyway, even if all of the active content options are OFF.

For what it's worth, I have it set up that way-- I have only Windows Update in the trusted zone, and all else in the custom zone-- and I have everything turned off in that custom zone. And then I block IE except for windowsupdate domains on top of that, using my firewall (with password protection for its settings... and if the firewall process is terminated, I lose all network connectivity anyway).

It also sets IE up as a sort of tarpit (as good a use for it as I can imagine)-- if a trojan is going to be hardcoded to hijack an app that would be most likely to have outbound access, and which it is reasonably certain is on the system, it would pick IE. This can be shown even in the number of leaktests that launch/hijack IE as a proof of concept.

Hmm-- that gave me an idea... I wonder if I should set IE as the default browser, but set Mozilla to handle all browser work anyway, as part of that concept. The problem with that that occurs to me would be that various applications that wish to launch web pages would launch the wrong browser.

I really despise IE, and I despise how Microsoft has buried it so deeply into the OS. I would like to get it off of my computer altogether-- I can patch my system by means other than Windows Update if it will give me the ability to eject IE from my computer (like an emetic expulsion of a rotten food item that one has inadvertently and foolishly eaten). When I used Win 98 SE, I ran Revenge of Mozilla to dig out and destroy IE. IE is a repulsive abomination of a program that should only exist in the fiery depths of hell, amid the tortured screams of all of those who thought it was a good idea to integrate it into the OS.

I somehow doubt I will be willing to migrate to Longhorn when it comes out. At the point that XP becomes obsolete, I think it will be time to go to whatever else is out there at that point.

Guest guest Posted June 22, 2005

Clay wrote:
> Again with the format and reinstall stuff. I have no idea how to do that, don't know what it entails. With my peculiar brand of aspieness, I was given an unusual command of the English language, knowing the spellings and definitions of words by just hearing or seeing them (you don't have to believe, ),

I don't believe. I conclude. And I don't just mean about this-- I mean in general. Belief is illogical.