Re: Clarification-Win2k Netstat sockets interpretation
- From: warf <warf@xxxxxxxxxxx>
- Date: Mon, 05 Feb 2007 03:35:06 GMT
Sebastian Gottschalk wrote:
warf wrote:
Sebastian Gottschalk wrote:
warf wrote:
Even when I have 'SERVER', FILE PRINT SHARING, REMOTE ACCESS services disabled I still see NETBUI ports 136,137,138,139,445 'listening' in TCPVIEW and S&D Processes???
Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?
I did...twice, even emailed the admin [very nice guy] who said they only have Deutsch pages linked for the near future. It is exactly what I need though.
The one specified page I linked is written in English, so is the script.
Only the website linking the content of the script to the specific services
sadly is only in German.
Thus, what about now finally understanding that this script does exactly
what you want?
Ungh, I took for granted that running someone else's code to accomplish a task I 'could' do manually was sloppy and invited malware?
I think I also just read that security rule #1 was "If you are running unknown code you have already lost control". I know very little of ANY of the code on my machine so...I ask you, "is it safe?"
[Marathon Man, Dustin Hoffman]
Correct me if I am wrong [like I have to offer...grin]: new versions of mal-executables are very stealthy 'and sticky' vis-a-vis code-melt, MBR partition hiding, kernel level misdirection of detection...ad naus. And that gets tiring..."wipe and rebuild"
Nonsense. It's trivial to backup and restore the service configuration.
I thought you just referred to yourself fucking up the service configuration
by experimenting.
yes...that is why I seek your help... to allow me to access the internet
somewhat safely whilst edifying myself as to the vagaries of I-protocol[s]...and M$ weaknesses.
and settled in the Winnt\internetlogs\ZA as J.S-LAME
JS-Lame sounds like a JavaScript which does some non-malicious, but
annoying (thus lame) action. I guess its description will point this out
exactly.
Well I can't wait for the VBS-blowjob virus to go wild!
snip..
SP4 should have already been integrated in your Windows 2000 CD. And still
no, it is an older OEM disk...It lacks USB2.0, so I take my saved SP4 upgrade I got before M$ made us pull our pants down and take a shot of code to make sure we own the OS install.
I sense at least 3 superfluous programs in that list.
BTW...I drop the defenses reluctantly and incrementally to enable manual
update [upgrade] from M$ but still don't pass the 'wide open vulnerable enough to allow your upgrade' test.
Dlink router setup,
WTF? Doesn't it have a web configuration interface?
Yes it does. If you understand: MAC address and cloning same, protocols, SSID, WLAN/WAN/LAN, ad infinitum...AND don't allow their farmed out tech support to mislead you about when the WAN is actually activated, it is probably a snap to make it secure...AND functional. I now know 192.168.0.1 like I know my birthdate!
all the Ibuddie drivers for NICard
WTF? What a bunch of bloat is your NIC driver?
SIS drivers have a lot of applets.
THEN...disable a dozen services, remove FILE&PRINT SHARING,
Yes, reasonable.
Ok,I'm feelin on track now!
set the lame software defaults to block mobile code,
ZA, Dlink setup utility requires J-script enabled or it won't update settings.....it just makes you think it does.
What software and which settings?
not save any .DAT,HST
What?
I'm just making a point; I dislike all the tracking of everything I type,save,see,use,start,stop,plugin etc, So Disable password saving, history,remember lastfile etc.
...nor cookies web-bugs and like ilk....
You're talking nonsense. Cookies aren't malicious. Web-bugs don't exist.
Web-bugs do...scroll your mouse over bug-encoded webpages and watch the script call in the lower left...OR use DOM editor. A single pixel is enough..and it can be the same color as the background => invisible.
Scripted cookies are certainly capable of doing malicious things, as I read, AND, every problem [not of my own doing by
disabling useful services] has occurred while temporarily enabling Java / Java-Scripting or 'mobile code' to accomplish a download or a device configuration. I get security levels reset, host file manipulated etc...
I have been reading that the old cookie has been supplanted with a myriad of ways to get info you or I would likely not volunteer if given a choice before it happened.
I doubt you are didactically 'out of date' on mal-techniques datamining and exploits, so what are you getting at? Seriously, I know only what I read from security dedicated websites...and less from opinion columns and NGs unless public scrutiny exposes a fake professor.
then fight for an hour to find which services I accidentally disabled
See? That's why you should take a look at the ntsvcfg script.
Well then I ask you; is that not the same as installing utilities from websites? [like going sans condom, eventually something comes.... alive!
All because I lost my innocence reading how the boys at PHRAK get their jollies!
Then why aren't you running a Unix flavour?
I bought a MANDRAKE kit and realized that it was only safer because I 'could' get to know the code intimately [unlike M$ code]. In other words, it is only safer if I REALLY understand what I'm doing. I plan to install it on a separate laptop specifically for learning, and learning about the free V-OS I have as well.
Until then, I am still working on making windows work for me. [country song in the works]
I thought so as well... and that is because I am not even sure of what I don't know yet.
but DHCP fails because NETBUI is inactivated if I disable it in SERVices.msc
Very strange.
Maybe you might use Regmon to track down this bug?
Does regmon track registry changes? ZA alerts me to ALLOW/DISALLOW every
instance of a program, module or process before it makes a registry change. There are still many changes that slip by unannounced though; must be at the kernel level? [ring1?] Even Spybot Teatimer stops responding to registry changes after a few days.
I have a beef with all commercial security software [to date]; in order to allow people with even less knowledge than I to get running they allow some questionable defaults on install. FOR EG; both McAfee and Symantec allow every already on your computer 'trusted' status...from spyware, datamining phone-home-ware to mal-ware. Worse, you can't unselect many of them either.
At least ZA allows manual reconfiguration but who would want to allow WEBBUGS and a dozen or so clicktracking URLs to have 'trusted' status by
default...unless they paid for that privilege!? At least they can be removed though in ZA.
With Ethereal in 'promiscuous mode' it is incredible [to me] how much broadcasting and icmp traffic there is at any one moment. Fr, Israel, Cn, Ru, USA...and how much is lost/misdirected and how much is actively seeking vulnerable IP addresses is unknown to me but this is a fact:
Twice, while connecting my computer to the internet via an ethernet cable
and W2k [no firewall] I had a bogus popup before I could even pop in the
ZA CD....as though there is near constant broadcasting seeking open unprotected servers to compromise.
Help?
Get the patches installed before you go online. Or at least get the
vulnerable services deactivated. Or activate the TCP/IP filtering or RAS
firewall.
I saw that applet. Would I enable filtering of TCP,UDP,IP and allow only
port80 I/O, 110 In, 25 Out, 53 I/O[dns lookup]?
There's an applet to ENABLE NETBIOS LOOKUP, DISABLE/BLOCK NETBIOS OVER TCP/IP
This is exactly where I eventually disable something and can't recover.
All I want is HTTP browsing, email and newsreader...maybe file download.
Is that so hard to enable without losing DNS lookup, DHCP IP assignment and connect ability?
I know your time is valuable.
maybe I'll try the script for now...of course i have to pull down my pants to download and then run it though.
Warf.
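As an added example (not from the thread, and not a tool either poster used): a small Python script that parses `netstat -an` output in the layout Windows 2000 prints, keeps only bound sockets, and labels each one as a NetBIOS/SMB port of the kind warf sees listening, a port in the filter list he proposes (80, 110, 25, 53), the DHCP client port that a filter must not block, or unexpected. The sample output, the port descriptions and the verdict strings are my assumptions.

```python
from collections import namedtuple

# NetBIOS over TCP/IP and SMB ports the thread says remain 'listening'
NETBIOS_SMB = {137: "NetBIOS name service", 138: "NetBIOS datagram",
               139: "NetBIOS session", 445: "SMB over TCP (microsoft-ds)"}
# Ports the poster proposes to permit through TCP/IP filtering
PROPOSED_FILTER = {80, 110, 25, 53}
# UDP 68 is the DHCP client port; filtering it breaks address assignment
CLIENT_SIDE = {68: "needed for DHCP client"}
# state: the TCP State column; "" for UDP rows, which print none
Socket = namedtuple("Socket", "proto local_ip port state")

def parse_netstat(text):
    # One Socket per TCP/UDP row; header and blank lines are skipped
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        ip, _, port = parts[1].rpartition(":")
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else ""
        socks.append(Socket(parts[0], ip, int(port), state))
    return socks

def classify(socks, allowed):
    # Map (proto, port) of every bound socket to a verdict string
    verdicts = {}
    for s in socks:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # established/closing rows are not exposed services
        if s.port in NETBIOS_SMB:
            verdicts[(s.proto, s.port)] = "netbios/smb: " + NETBIOS_SMB[s.port]
        elif s.port in CLIENT_SIDE:
            verdicts[(s.proto, s.port)] = CLIENT_SIDE[s.port]
        elif s.port in allowed:
            verdicts[(s.proto, s.port)] = "allowed by proposed filter"
        else:
            verdicts[(s.proto, s.port)] = "unexpected"
    return verdicts

# Constructed sample in the Windows 2000 `netstat -an` layout
SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1031       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:68             *:*
  UDP    192.168.0.2:137        *:*
  UDP    192.168.0.2:138        *:*
"""
```

Run `classify(parse_netstat(SAMPLE), PROPOSED_FILTER)` against real `netstat -an` output pasted into `SAMPLE` to see which bound ports are the NetBIOS/SMB ones before touching the TCP/IP filtering applet.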