Re: How did they get behind my NAT?



In article <1192012721.669983.16490@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
maniaque27@xxxxxxxxx says...
- I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.
- I have a standard NAT lan, with a variety of devices connecting to
the internet through the router.
- I have certain very specific ports forwarded to my desktop for
remote access, peer-to-peer connectivity, etc.
- I am NOT forwarding either of the VNC ports (standard ports 5900
and 5800), so to my limited knowledge the VNC service should not be
accessible from the internet. I have of course tested this, and found
that to be correct. The VNC service is not publicly accessible.
- I do not have the firewall enabled on the router, because I assumed
the NAT basically made it safe. I tried enabling the router firewall
today but it also seems to block the services that I need to be able
to access from the internet (eg HTTP, I run a small webserver), so
that does not work for me.
- I WAS running uTorrent at the time of the attack (and had been for
a few hours)
- I did get the IP address of the attacker from my VNC log, it was
"85.239.126.86", an address in Germany. I have not looked for or found
any further information. I guess I could try a port scan but I assume
it's a zombie computer so what's the point.

You mention the ADSL Router and NAT LAN, but you don't tell us how the
NAT is implemented - is the ADSL device doing the NAT or do you have a
NAT Router Appliance? You sort of indicate you do, but you don't tell us
what device/vendor it is.

You mention that you have ports forwarded for sharing - bad move.

I suspect that you also have UPnP enabled and a weak password on the
router.

I suspect that you have so many holes in your NAT that you've let the
person in on VNC and just don't know it.

Try this:

1) Disable UPnP

2) Change the NAT Router (assuming that you have one and it's not the
DSL router) to 192.168.6.1/24 and remove ALL port forwards and ALL
Triggers if used. Change the password to something proper.

3) Run a quality Anti-Malware tool on your computer, run it in Safe Mode
also.

4) Do not share your computer with anything/anyone outside the LAN, stop
doing file sharing completely - buy what you need instead.

5) Put your website on a proper web server, one protected by a real
firewall and on a locked down OS following the OS Vendors FULL
SUGGESTIONS ON HOW TO SECURE IT.

Don't port forward and make sure that UPnP is disabled.

Stop providing services over a residential grade DSL service.

--
Leythos - spam999free@xxxxxxxxxx (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
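As an added, defender-side example that is not part of the thread: a small script that audits what UPnP has actually opened on a router, which is the check implied by the reply's suspicion that UPnP plus a BitTorrent client let VNC through. It assumes a standard IGD WANIPConnection:1 control URL (hypothetical, not taken from the poster's Xavi device) and uses constructed sample responses; for live use you would POST build_request(i) for i = 0, 1, ... to the control URL until the router returns a SOAP error, which marks the end of the table.

```python
# Added example (not from the thread): audit a router's UPnP IGD port-mapping
# table and flag entries that expose remote-access services from the Internet.
# Assumes a standard WANIPConnection:1 service; the sample responses are constructed.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Services that should never be reachable from the Internet on a home LAN
# (5900/5800 are the VNC ports discussed in the thread).
RISKY_PORTS = {5900: "VNC", 5800: "VNC-HTTP", 3389: "RDP", 445: "SMB", 23: "telnet"}

def build_request(index):
    """SOAP body for GetGenericPortMappingEntry; the table is walked by index,
    POSTed to the (hypothetical) control URL with a SOAPAction header."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SVC}"><NewPortMappingIndex>'
            f'{index}</NewPortMappingIndex></u:GetGenericPortMappingEntry>'
            '</s:Body></s:Envelope>').encode()

def parse_mapping(xml_text):
    """Pull one mapping out of a GetGenericPortMappingEntryResponse."""
    resp = ET.fromstring(xml_text).find(f".//{{{SVC}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    txt = lambda tag: (resp.findtext(tag) or "").strip()   # children are un-namespaced
    return {"ext_port": int(txt("NewExternalPort")), "int_port": int(txt("NewInternalPort")),
            "proto": txt("NewProtocol"), "client": txt("NewInternalClient"),
            "desc": txt("NewPortMappingDescription")}

def audit(mappings):
    """Return (mapping, reason) for each mapping that exposes a risky service."""
    out = []
    for m in mappings:
        svc = RISKY_PORTS.get(m["int_port"]) or RISKY_PORTS.get(m["ext_port"])
        if svc:
            out.append((m, f"{svc} on {m['client']} exposed via {m['proto']}/{m['ext_port']}"))
    return out

# Constructed sample responses: a BitTorrent mapping beside one that exposes VNC.
SAMPLE = [f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse '
          f'xmlns:u="{SVC}"><NewExternalPort>{e}</NewExternalPort><NewProtocol>TCP'
          f'</NewProtocol><NewInternalPort>{p}</NewInternalPort><NewInternalClient>'
          f'192.168.1.10</NewInternalClient><NewPortMappingDescription>{d}'
          '</NewPortMappingDescription></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
          for e, p, d in [(6881, 6881, "uTorrent"), (5900, 5900, "vnc")]]

if __name__ == "__main__":
    for m, why in audit([parse_mapping(x) for x in SAMPLE]):
        print("WARNING:", why, "-", m["desc"])
```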