RE: a few basic simple questions

From: David@cawdgw.net
Date: 01/30/02


From: <David@cawdgw.net>
To: <Enquiries@globalart4u.com>
Date: Wed, 30 Jan 2002 20:30:54 +0100

You did not mention an operating system. That makes a difference when you
get into details.

Rules:

A. Never load a box while it is connected to the network, if you can help
it. It could be exploited before you can get the patches in. I've seen boxes
exploited in less than two minutes. That was just plain bad luck, but don't
you always go back to that fishing hole where you caught them before?
They'll automate scanning of that subnet and root you with a script.
B. Once the OS is loaded, the first software you should load is a good
antivirus. It may slow down the rest of the install, but at least you can be
reasonably sure you aren't infecting yourself while you do it.
C. Never load the patches from the network, if you can help it. Download
them on a hardened machine and burn them to CD. Load from that.
D. Before you ever connect to the internet, but after you have loaded all
your favorite software, image or back up the disk. Don't you hate loading
software, AVs, and OSes? I sure do.

Suggestions:
- If the disk is suspected of having been virii'd or trojaned, low-level
format it at the least before you reinstall. Run a KO or DiskWipe on it.
Kill that thing. On a Win9x load, I once had Monkey.B drive me crazy. I'd
fdisk the drive, blow away the partitions, fdisk /mbr it, rebuild the
partitions, and it'd still have Monkey.B. Monkey.B was sitting memory
resident, and when I'd go to shut down, it'd reinfect the boot sector. Fix?
Make the disk non-bootable, reboot, and then make it bootable.
- Don't use easy passwords. Get downright ugly with the root or
administrator password. Make it long and ugly. In MS systems, don't spend too
much time changing the admin account name. They'll know which accounts are
which anyway.

How to find out you've been breached?
1. Some sort of personal firewall reporting strange outbound connection
attempts.
2. Sniffing your outbound.
3. Logs from your corporate firewall which blocked your outbound.
4. Your newly updated AV starts making rude noises at you and depicts
captured vermin.
5. Your friends and relatives start sending you death threats for infecting
them with your damned party pictures.
6. Your Tripwire-like software sees file size changes.
7. You run a port scanner and find you are listening on ports you should not
be.

D. Weiss
MCSE/CCNA/SSP2
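Item 6 of the list above describes a Tripwire-like check. As an added example (not part of this thread, and not Tripwire's own code), here is a small Python baseline-and-compare script that fingerprints each file by size and SHA-256, so it also catches a same-length overwrite that a size-only check would miss; the scratch directory tree and file names in `demo()` are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size plus SHA-256 of one file; size alone misses same-length edits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}


def build_baseline(root: str) -> dict:
    """Walk a directory tree and fingerprint every regular file under it."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root_path).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    modified = [k for k in sorted(baseline.keys() & current.keys())
                if baseline[k] != current[k]]
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original binary\n")
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        before = build_baseline(tmp)
        # Same-length overwrite: a size-only check would not notice this one.
        (root / "bin" / "login").write_bytes(b"trojaned binary\n")
        (root / "hosts").unlink()
        (root / "bin" / "backdoor").write_bytes(b"new\n")
        return compare(before, build_baseline(tmp))
```

Keep the saved baseline on read-only media (the CD from rule C works), since an intruder with write access to the box can rewrite a baseline stored alongside the files it covers.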

-----Original Message-----
From: Enquiries [mailto:Enquiries@globalart4u.com]
Sent: Tuesday, January 29, 2002 10:04 PM
To: security-basics@securityfocus.com
Subject: a few basic simple questions

Dear Group

How do you know when you are infected by a trojan or someone has control of
your pc from a backdoor?

Is it when Windows Update always continuously refuses to update from
the Microsoft site, including the ever popular critical updates to patch
security holes?
When trying to update IE from Microsoft, it does not work?
When you discover every so often that the hard drive, when wiped clean,
suddenly becomes a 1 GB hard drive instead of a 20 GB hard drive (has
happened several times to me)?
When the firewall (ZoneAlarm) is every so often disabled while surfing?
Other strange happenings...

How does one detect what the problem is and cure it, especially when you are
a beginner? If using a trojan to fight a trojan to cure the problem, how
do you know which ones to trust, as I have found there seem to be a lot
of programmes out there saying they can find this, that and the other, but
what if it is something really specialised?

Thaque
