Re: How did they get behind my NAT?



In article <1192090609.610379.315530@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
maniaque27@xxxxxxxxx says...
Thanks for the feedback!

- I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.

You mention the ADSL Router and NAT LAN, but you don't tell us how the
NAT is implemented - is the ADSL device doing the NAT or do you have a
NAT Router Appliance? You sort of indicate you do, but you don't tell us
what device/vendor it is.

Sorry I wasn't clear - the ADSL router is the NAT device. The ADSL
connection uses PPPoA, which means (as I understand it) that I cannot
operate the ADSL device in "bridged" mode with a different device
handling the routing/NAT functions. I guess I could simply leave the
ADSL device be, and set up a second NAT LAN behind another device - is
there any disadvantage to double-NATing?

Not having experience with that router, I can't be sure what limits it
has or what quality of NAT and forwarding it has. The key thing is that
the device does not provide a PUBLIC IP inside the LAN area and that you
have control over what is forwarded inbound.

I've seen a number of DSL routers that are PPPoE (no experience with oA)
that use NAT to 1 IP, but they forward ALL ports inbound to that IP - so
the users might as well be on a public IP.

Double NAT'ing only has an advantage if you have one of those devices
that forwards ALL PORTS to the single internal IP provided by the
device.

You mention that you have ports forwarded for sharing - bad move.


Fair enough - why? Based on my limited understanding, this would only
be a bad move if the file sharing program (uTorrent) had some
vulnerability, right? Otherwise how could this be a problem?

Because if you don't know enough that you have to ask here, it means you
don't know enough to be securely exposed to the internet.

To be fair, I agree that the file-sharing is probably a major
contributing factor - first of all there is the fact that the attack
happened while I had the file-sharing program running, which is only
once a month or less, and secondly I have noticed that when I have it
running it drastically increases the amount of non-legitimate-looking
activity to my IP address, so I guess attackers monitor this activity
closely as "clueless but ambitious home user here, let's see what we
can do with him!" targets. There could well be an unknown
vulnerability in uTorrent of course, but I expect if that were the
case the attacker would have done more than access my vulnerable VNC
server.

You can get Linux without uTorrent, at least any quality Distro.

uTorrent doesn't expose your VNC, but there are any number of unknowns
as to what you've done in addition. The issue is that I've not seen
anyone that needs to run a file-sharing program on their computer unless
they were pirating files of some type. Yeah, not always true, but it's a
good assumption since there are legal means and methods without using
file sharing methods.

I suspect that you also have UPnP enabled and a weak password on the
router.

No and No. And the router does not have outside admin access enabled.
And the first thing I did within seconds of the attack was check the
router configuration to make sure that they hadn't got in that way.


I suspect that you have so many holes in your NAT that you've let the
person in on VNC and just don't know it.


Fair enough, but I'd love to know how!

Try this:

1) Disable UPnP


done, always was

2) Change the NAT Router (assuming that you have one and it's not the
DSL router) to 192.168.6.1/24 and remove ALL port forwards and ALL
Triggers if used. Change the password to something proper.


I could do this, but that would really defeat the purpose of my asking
the question here, as it would also prevent me from providing public
access to specific services on the desktop. If that is totally
impossible (to expose only specific ports to the internet and have all
other ports be normally hidden) then I guess that's that. But it seems
counter-intuitive.

No, it's the start of trying to determine what happened while you are
also secure to do it. NAT only blocks inbound, so you could learn if
what's on your machine also phones home or creates a connection to a
remote location to allow control. First thing is block inbound
connections, second is monitor outbound connections or block them
entirely while you look.

3) Run a quality Anti-Malware tool on your computer, run it in Safe Mode
also.


Any suggestions on quality anti-malware tools? I use AVG antivirus and
Spybot S&D, so far they haven't missed anything that I know of (but
then I wouldn't, would I? :))

AVG is crap - I've seen hundreds of computers with AVG compromised. I
use Symantec Corporate software, it's not a resource hog like Norton is
and it's stopped all that I've been exposed to.

If you want to know what AV products to trust, I've always found this
site to have unbiased reviews and test results:

http://www.av-comparatives.org/


Here are a few tools that I use and trust:

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

AdAwareSE can be found here:
http://www.lavasoft.com/products/ad_aware_free.php

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

err - how does safe mode help? you mean so I don't have any additional
programs running?

Because a lot of malware can't run in safe mode - it's not just "you
having any additional programs running". In the case of Multi-AV,
download it and run it in normal mode to get the updates, but don't run
the scans; then reboot in safe mode and run it again. Since safe mode
disables the network, you've already downloaded the updates; now run the
scans, full drive, run each of the 4 scanners, and run them until
nothing is found.

4) Do not share your computer with anything/anyone outside the LAN, stop
doing file sharing completely - buy what you need instead.

If what I "need" were easy to buy, I would happily do so :) - I use
uTorrent only to get stuff that I cannot find anywhere else, or for
linux distributions (I would recommend it in fact, it is an incredibly
fast way of getting any full multi-GB distribution you may want to try
out, AND it makes the overall distribution much much easier/cost-
effective for the maintainers)

I'm well aware of torrent software, but I don't use it either and never
have a problem getting distros downloaded. I don't subject my networks
to unknowns.

I also don't download apps I've not paid for or music or anything that
is questionable - not saying you do, as you've sidestepped that issue -
but the quickest way to get compromised is to start downloading pirate
wares.

5) Put your website on a proper web server, one protected by a real
firewall and on a locked down OS following the OS vendor's FULL
SUGGESTIONS ON HOW TO SECURE IT.

ok, so what you're saying is that there is no way to safely run a
simple website without paying out either professional hosting fees or
buying all the equipment that hosting vendors require. A safe, but
uninspiring, answer.

No, what I'm saying is that there is little chance that a non-OS guru,
that a non-technical type, is going to run a website without being
compromised or exploited - notice why you are here.

Don't port forward and make sure that UPnP is disabled.

UPnP is disabled, but I would love to understand what the problem /
risk with port forwarding is - can you provide any information, links,
resources to help me understand?

IF you allow anyone in, you risk being connected to, simple enough to
understand.

Stop providing services over a residential grade DSL service.


"Services"? I run my own personal 10-pageview/month website! It's
kind of sad if there is no way to do that using home tools... Maybe
that's where we're at now, I'm not sure.

If you run a website then you really need to step back and start
learning about security and how to setup a DMZ and how to lock down your
services, BEFORE YOU PUT THEM ONLINE.

Thanks again for the feedback, I'd appreciate any info you could
provide on the port forwarding question though!

Port Forwarding - means you are allowing the WORLD ACCESS TO THE PC YOU
ARE PORT FORWARDING TO, FOR THAT PORT/SERIES OF PORTS. If you don't have
the service answering that port (or ports) secured then you've exposed
your network.

--
Leythos - spam999free@xxxxxxxxxx (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
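As an added example (not part of this post or either poster's setup), here is a small Python audit of the point Leythos makes about port forwards: cross-reference the router's forwarding table against what the desktop is actually listening on, flag forwards that land on services like VNC, and list the outbound connections that NAT does nothing about. The forwarding table, the netstat output, the host address 192.168.1.10 and the RISKY port list are all constructed or assumed for the example.

```python
# Constructed port-forward table in the shape of a home ADSL router's NAT rules:
# (external port, internal host, internal port). Sample data, not from the post.
PORT_FORWARDS = [
    (80, "192.168.1.10", 80),        # personal website
    (5900, "192.168.1.10", 5900),    # VNC server
    (32459, "192.168.1.10", 32459),  # uTorrent listen port
]

# Constructed 'netstat -an' style output captured on the desktop (192.168.1.10).
NETSTAT = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5800         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:32459          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49210     203.0.113.7:8080       ESTABLISHED
"""

# Assumed list of services that commonly run with weak or no authentication.
RISKY = {5900: "VNC", 3389: "RDP", 23: "telnet", 445: "SMB", 139: "NetBIOS"}


def parse_netstat(text):
    """Return ({listening_port: bind_address}, [(local, remote), ...])."""
    listening, established = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local, remote, state = parts[1], parts[2], parts[3]
        addr, port = local.rsplit(":", 1)
        if state == "LISTENING":
            listening[int(port)] = addr
        elif state == "ESTABLISHED":
            established.append((local, remote))
    return listening, established

def exposed_services(forwards, listening, host):
    """Forwards that reach a live listener on `host`: (ext port, int port, label)."""
    exposed = []
    for ext_port, fwd_host, int_port in forwards:
        if fwd_host != host or int_port not in listening:
            continue  # forward points at nothing that answers
        if listening[int_port].startswith("127."):
            continue  # loopback-only listener is not reachable through the forward
        exposed.append((ext_port, int_port, RISKY.get(int_port, "service")))
    return exposed

def outbound_connections(established, lan_prefix="192.168."):
    """Connections the host itself opened to non-LAN peers; NAT never blocks these."""
    return [(loc, rem) for loc, rem in established if not rem.startswith(lan_prefix)]
```

Run against a real `netstat -an` capture and the router's actual forward list, anything tagged with a RISKY label is the first forward to remove while investigating.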