Re: How did they get behind my NAT?
- From: Leythos <void@xxxxxxxxxxx>
- Date: Thu, 11 Oct 2007 14:38:41 -0400
In article <1192117842.572115.301750@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
maniaque27@xxxxxxxxx says...
On Oct 11, 6:25 am, Leythos <v...@xxxxxxxxxxx> wrote:
- I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.
Not having experience with that router, I can't be sure what limits it
has or what quality of NAT and forwarding it has. The key thing is that
the device does not provide a PUBLIC IP inside the LAN area and that you
have control over what is forwarded inbound.
It does not.
I've seen a number of DSL routers that are PPPOE (no experience with oA)
that use NAT to 1 IP, but they forward ALL ports inbound to that IP - so
the users might as well be on a public IP.
regardless of the inbound transport type (PPPoE, PPPoA, RFC1483, etc),
most NAT router devices (that I have seen) do not by default use a
"default forwarding IP", although it is an option on many. Not this
one, as it turns out.
And, having worked all over the country here in the US, I can say that
I've seen in about 30% of cases - that's why I mentioned it.
Double NAT'ing only has an advantage if you have one of those devices
that forwards ALL PORTS to the single internal IP provided by the
device.
ok... and what is the advantage then? The only reason I'm considering
it is because then I can use a regular/standard device like the
linksys wrt54G that is well-known and supported on the internet, turn
on the firewall on that device (which I had to disable on the router I
use now), and keep the services that I need up.
In a double NAT you could use it like a DMZ and LAN - the first NAT
would be your DMZ, the second NAT would be your LAN - so, you would port
forward to the DMZ computer and not to the LAN computers. This means
that your LAN computers could access the internet and DMZ computers, but
the DMZ/WAN networks would not be able to access the LAN computers:
WAN >>> NAT1 >>> DMZ >>> NAT2 >>> LAN
Because if you don't know enough that you have to ask here, it means you
don't know enough to be securely exposed to the internet.
Oh come on - this sounds a lot like "I don't know exactly, but I know
it's a bad idea, so I'm going to make fun of you instead of answering
the question".
No, it means that you really don't know enough and have not spent the
time to just read how to secure your web/network from the thousands of
websites that have been around since before you started doing this. It
means that you're looking for a short-cut to get it done quickly and
don't want to spend the time to properly secure it and learn about it.
No picking on you intended, just calling it like I've seen it thousands
of times.
I understand that exposing a port exposes any service
that listens on that port. I also understand that that then means any
vulnerability in that service then becomes a vulnerability for the
entire server, and potentially (in my case, without DMZ etc) the
entire network. I understand that, and it's a risk I'm OK with. My
question is whether anyone can tell me whether there are any
circumstances under which port forwarding is "bad" in and of itself,
rather than because of any vulnerabilities in the services that it
purposefully exposes.
Port Forwarding is not different than exposing the listening service by
any other means - all traffic that hits that port is sent to the device
listening. Once that listening service is compromised, any number of
things can be done to the host computer/device - and there is no way to
know what the hacker would/is doing unless we see the computer.
uTorrent doesn't expose your VNC, but, there are any number of unknowns
as to what you've done in addition. The issue is that I've not seen
anyone that needs to run a file-sharing program on their computer unless
they were pirating files of some type. Yea, not always true, but it's a
good assumption since there are legal means and methods without using
file sharing methods.
OK, now there's a sensible suggestion - you're saying (unless I got it
wrong) that the infection probably had nothing to do with the port
forwarding at all, but rather was because of some something I picked
up while downloading all those pirated "w4r3z" that I keep hidden
under the kitchen sink, and that said malware has escaped detection
either through compromising my detection tools or because they're
just too specific, not known widespread infections. To be fair, that
is a possibility. I do take more risks than I probably should, I could
well at some point have run something I shouldn't have... but I don't
think so.
No, since the problem could have been things you downloaded OR from
compromised services you allow public exposure to.
You say you don't think you've done anything, but the fact is that
someone was using your VNC connection other than you - so you've done
something and don't know what, yet you want to knock the basics of
security because "you don't think so".
No, it's the start of trying to determine what happened while you are
also secure to do it. NAT only blocks inbound, so you could learn if
what's on your machine also phones home or creates a connection to a
remote location to allow control. First thing is block inbound
connections, second is monitor outbound connections or block them
entirely while you look.
Ah, now there's a sensible suggestion, again - running a software
firewall or carefully monitoring all outgoing traffic on the router (a
monster task, if it's accumulated 20 megs of data in 1 day) would certainly help
identify any unpleasant low-key trojan I may have running.
No, software firewalls are useless on most personal computers. What you
want to do is run a logging application that accepts the logs from the
NAT appliance - this will show, in real time, inbound and outbound
traffic clearly.
If the log doesn't allow easy determination of ports/IP, then it's
useless.
AVG is crap - I've seen hundreds of computers with AVG compromised. I
use Symantec Corporate software, it's not a resource hog like Norton is
and it's stopped all that I've been exposed to.
If you want to know what AV products to trust, I've always found this
site to have unbiased reviews and test results:
http://www.av-comparatives.org/
Nice to know, thanks!
Here are a few tools that I use and trust:
Always remember - only download files from Trusted Sites.
The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.
First, make sure that your Java is updated to the latest version: http://www.java.com/en/download/index.jsp
These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:
Dave Lipman's tools:
Download MULTI_AV.EXE from the URL -- http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
AdAwareSE can be found here: http://www.lavasoft.com/products/ad_aware_free.php
SpyBot Search and Destroy can be found here: http://www.safer-networking.org/en/download/index.html
Thanks, never heard of multi-AV
err - how does safe mode help? you mean so I don't have any additional
programs running?
Because many malware can't run in safe mode - it's not just "you having
any additional programs running". In the case of Multi-av, download it,
run it in normal mode to get the updates, but don't run the scans, then
reboot in safe mode, run it again, since safe mode disables the network,
you've already downloaded them, now run the scans, full drive, run each
of the 4 scanners and run them until nothing is found.
Fair enough, I didn't realize the idea was to more thoroughly scan for
malware, but with the suggestions above I think I'm well equipped to
do that :)
Always scan offline - in fact, if you can place the drive in a clean
machine and scan, it's even better.
I'm well aware of torrent software, but I don't use it either and never
have a problem getting distro's downloaded. I don't subject my networks
to unknowns.
ok, but calling the entire family of bittorrent programs a general
"unknown" is exaggerating a little, no? The protocol is well-specified
and well-understood, there are the same security measures built in as
for a direct download from a distributor via HTTP or FTP (i.e. MD5
hash). If you're referring specifically to uTorrent, fair enough. Not
open-source, already had one known vulnerability - I'd say it's more
risky than I planned.
well, fact is that most people doing torrents are also downloading
things that are unethical/pirated and against licensing. Being Open
Source does not mean it's any better, but that you download a lot means
your exposure is much higher.
I also don't download apps I've not paid for or music or anything that
is questionable - not saying you do, as you've side stepped that issue -
but the quickest way to get compromised is to start downloading pirate
wares.
Yep, that's fair.
5) Put your website on a proper web server, one protected by a real
firewall and on a locked down OS following the OS Vendors FULL
SUGGESTIONS ON HOW TO SECURE IT.
ok, so what you're saying is that there is no way to safely run a
simple website without paying out either professional hosting fees or
buying all the equipment that hosting vendors require. A safe, but
uninspiring, answer.
No, what I'm saying is that there is little chance that a non-OS guru,
that a non-technical type, is going to run a website without being
compromised or exploited - notice why you are here.
Yep, but that's how you learn. I'm a little bit irked by your
condescending tone, but I really do appreciate the time and help -
while I have worked with professional windows-based webserver
development and hosting for several years and have a pretty good idea
of "best practices" are at a corporate level, I'm trying to work on a
shoe-string budget here, get a taste for doing things for free or
cheap. As I get burned, I'm trying to understand exactly why and how.
It's not condescending, it's accurate and because of years of working
with people in your boat - yea, people don't like to be exposed for not
doing the leg work before jumping into things, but, it's not personal,
it's technical.
Fact is that you can secure a Windows PC just fine with a Simple NAT
router and run a nice website on it without much fear, but you really
needed to follow ALL of the security instructions and methods as
suggested for YEARS by MS and others - before you put it online.
UPnP is disabled, but I would love to understand what the problem /
risk with port forwarding is - can you provide any information, links,
resources to help me understand?
IF you allow anyone in you risk being connected too, simple enough to
understand.
But more than a little simplistic, no? The ONLY argument against port-
forwarding that I have seen from you so far, and that I was well
aware of before, is that it limits the security of your server, and in
my case network, to the security of the service running on the
forwarded port. On the other thread (sorry about the messed up cross-
post, like I said I am new here), someone suggested that there are
ways and means to gain access to a port OTHER than the one being
forwarded - but if I understand correctly that argument applies
equally if you don't forward ports at all!
Yea, some routers can be cracked by several means, most of them have
been patched - that's part of not using the default network address
range, not using a weak password, not using standard ports, checking the
logs, etc.... If you are hosting a web server you really need a real
firewall and not a NAT device.
If you run a website then you really need to step back and start
learning about security and how to setup a DMZ and how to lock down your
services, BEFORE YOU PUT THEM ONLINE.
Well, I was pretty sure I had :)
Which is why I'm trying to understand where I went wrong. As you've
noted, I have probably not searched extensively enough for malware - I
will keep at it. Other than that, I run an updated version of Apache,
there are no known vulnerabilities for other services I expose,
uTorrent seems the most risky, and the jury's still out on what
actually caused the problem:
- malware that I somehow acquired?
- unknown uTorrent vulnerability?
- misunderstanding of how NAT works, leading to attacker's ability to
access a port that was NOT forwarded?
Port Forwarding - means you are allowing the WORLD ACCESS TO THE PC YOU
ARE PORT FORWARDING TO, FOR THAT PORT/SERIES OF PORTS. If you don't have
the service answering that port(s) secured then you've exposed your
network.
Yes, that's pretty obvious. But that's not a problem with port
forwarding, it's a problem with the services you are exposing.
Obviously if they are not secure, and they are public, nothing is
secure.
Well, since you can't be sure that you secured the services then you
have to look at if you really need the ports forwarded.
There are methods that you can use to detect attacks with you needing to
be there (auto methods in firewalls) - hosting means you need to
consider the protection of your devices so that the rest of us don't
suffer because of your compromise.
--
Leythos - spam999free@xxxxxxxxxx (remove 999 to email me)
Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
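As an added illustration of the log review Leythos describes above (collect the NAT appliance's logs, then look at inbound hits on ports you did not mean to forward and at outbound connections that could be something phoning home), here is a small script that is not code from this thread or from any router vendor. It assumes netfilter-style LOG lines shipped to a syslog host, a WAN interface named ppp0, and the constructed sample lines embedded below.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter LOG style (not real traffic from the thread).
# The LAN host 192.168.1.10 is meant to expose only port 80 to the world.
SAMPLE_LOG = """\
Oct 11 14:01:02 router kernel: IN=ppp0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=80 SYN
Oct 11 14:01:05 router kernel: IN=ppp0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51240 DPT=5900 SYN
Oct 11 14:02:10 router kernel: IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443 SYN
Oct 11 14:02:11 router kernel: IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP SPT=40002 DPT=6667 SYN
Oct 11 14:03:00 router kernel: IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP SPT=40003 DPT=6667 SYN
"""

# Fields we need to tell direction, endpoints and ports apart (assumed log format).
LINE_RE = re.compile(
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

WAN_IF = "ppp0"                    # assumed name of the PPPoE/PPPoA interface
FORWARDED_PORTS = {80}             # ports the owner deliberately forwards inbound
EXPECTED_OUTBOUND = {53, 80, 443}  # ports the LAN host normally talks to

def parse(log):
    """Return one dict per parsable line, tagged inbound (from WAN) or outbound."""
    flows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without the firewall fields are not useful here
        f = m.groupdict()
        f["spt"], f["dpt"] = int(f["spt"]), int(f["dpt"])
        f["direction"] = "inbound" if f["in"] == WAN_IF else "outbound"
        flows.append(f)
    return flows

def review(log):
    """Count inbound hits on non-forwarded ports and outbound flows to unusual ports."""
    inbound_unexpected, outbound_unexpected = Counter(), Counter()
    for f in parse(log):
        if f["direction"] == "inbound" and f["dpt"] not in FORWARDED_PORTS:
            inbound_unexpected[(f["src"], f["dpt"])] += 1
        elif f["direction"] == "outbound" and f["dpt"] not in EXPECTED_OUTBOUND:
            outbound_unexpected[(f["src"], f["dst"], f["dpt"])] += 1
    return inbound_unexpected, outbound_unexpected

if __name__ == "__main__":
    inbound, outbound = review(SAMPLE_LOG)
    print("inbound to non-forwarded ports:", dict(inbound))
    print("outbound to unexpected ports:", dict(outbound))
```

Repeated outbound connections from the LAN host to one remote address on a port you never use are exactly the kind of entry that warrants a closer look at that machine, and the same counters work on a live syslog feed fed line by line.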