From the trenches: Hacked from the Inside Out
Welcome to the big fight of the day.
In the BLUE corner:
Small company network with 25 PCs, a 256Kbps frame relay Internet connection via a single NATed IP, Vexira anti-virus on all PCs, a welter-weight network administrator. Dozens of PCs with the C drive shared with no password (but "protected" by the NAT firewall).
And in the RED corner:
W32.Opaserv and its countless tag-teaming variants
Network admin calls me a few days ago after getting constant myNetWatchman alert emails since early December.
He has had major surfing lag since October; the previous anti-virus product was alerting constantly but not always able to disinfect, so he spent $1000 to upgrade to Vexira.
Because he was using NAT, he had no easy way to know which hosts were infected. I had him set up Ethereal just inside his router, as discussed here:
www.mynetwatchman.com/pckidiot
He used the usual capture filter of 'port 137' to identify the internal IP that was generating all the outbound port scanning.
Normally, I expect to see about 7 probes/second when you have an Opaserv-infected host. He was seeing 200-300 udp/137 probes PER SECOND!
At 92 bytes each, do the math: 92 bytes * 8 bits/byte * 300/second = ~220Kbps. Kiss your Internet link goodbye.
At first I was excited, I thought we had something other than Opaserv as I know it doesn't scan that fast. I had him stop the packet trace and read off the internal IP address generating this traffic.
The first one he saw was 10.0.0.247... I started asking about it, but he kept reading off IPs: 10.0.0.213, 10.0.0.204, 10.0.0.201, 10.0.0.175, 10.0.0.248... we stopped at that point.
Bottom line, the scan rate was so high because he had over 6 different hosts infected... several of them with 2-3 Opaserv variants. (I'm perplexed that his $1000 Vexira didn't pick this up.)
Here's how he was infected. He has an open C share on his desktop system which he moves back and forth between his office and home. Guess how he connects to the Internet at home: dialup... with NO firewall! (my guess, infected within 10 minutes). Then he drags the PC back to his office to infect all the hosts behind his NAT firewall (note: he set up C-shares on all the PCs for management purposes).
Another interesting note is that he was only intending to give a handful of PCs Internet access. Many of the infected PCs that were throwing port probes out on the Internet didn't even have DNS set up or even a default gateway defined (he thought this was enough to prevent Internet access). Well, here's the thing: his Cisco router had Proxy ARP enabled, causing it to respond to all ARP requests for public IPs with its own Ethernet address... thus allowing Internet access even *without* a default gateway defined. Of course Opaserv is probing by *IP*, not by *DNS name*, so the lack of DNS server definitions didn't stop it.
My first suggestion to him was to put share passwords on all the C-drives. Here's where you guys can help... he initially tried setting 10-character passwords... it accepted the assignment, but then he couldn't authenticate... he said he had to drop the password length down to 8 characters to get it to work. Is there a Windows 98 limit on share password length of 8 characters!?
Bottom line: Opaserv wins by knockout in round 2.
Anyway, thought I'd relay this story as it is extremely typical of what I hear every day. I want to keep emphasizing this prevalent theme of being infected from the *inside* of the network, due to allowing transient hosts to move freely between your *secured* network and God knows where. If you allow this, you might as well take down your firewall. -- Lawrence Baldwin, myNetWatchman, The Internet Neighborhood Watch
psloss (Premium, join: 2002-02-24, Alpharetta, GA) | said by NetWatchMan: My first suggestion to him was to put share passwords on all the C-drives. Here's where you guys can help... he initially tried setting 10-character passwords... it accepted the assignment, but then he couldn't authenticate... he said he had to drop the password length down to 8 characters to get it to work. Is there a Windows 98 limit on share password length of 8 characters!?
Not sure about password length, but do you know if he's patched his systems for the old vulnerability that Opaserv attacks? www.microsoft.com/technet/securi···-072.asp
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
psloss (Premium, join: 2002-02-24, Alpharetta, GA) | reply to NetWatchMan | said by NetWatchMan: Is there a Windows 98 limit on share password length of 8 characters!?
Yes. If you have your Windows development include files handy, it's "documented" in the LMCons.h file... the #define is "SHPWLEN".
I took a peek at SHPWLEN on Google and you'll find it mentioned in samples and in the Samba source, too...
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
reply to NetWatchMan | Disconnect all the computers from the Internet and from each other, and re-install Windows. -- less talk. more music. thecrystalmethod.com
phriday613 ("Your Avatar Is Nice... For Me To Poop On", Premium, join: 2002-02-06, Eastchester, NY) | reply to NetWatchMan | I use a Linux distro firewall, and I have been fine.. I guess this goes to show that even the most expensive firewall can be the crappiest..
the good thing with Linux ipchains and iptables is that it covers both ends of the interface.. rules specify packets going in and coming out.. -- Help find a cure for Cancer - Join Team Discovery!
reply to psloss | said by psloss: Not sure about password length, but do you know if he's patched his systems for the old vulnerability that Opaserv attacks? www.microsoft.com/technet/securi···-072.asp
Yeah, he HAD actually already done that... the patch is not very useful when you leave the pwd blank anyway. -- Lawrence Baldwin, myNetWatchman, The Internet Neighborhood Watch
reply to phriday613 | said by phriday613:
the good thing with linux ipchains and iptables, is that it covers both ends of the interface.. rules specifies packets going in and coming out..
OK, here's a question for you. Do you actually monitor your *outbound* filter hits in some automated way?
In other words, if you did by chance get Opaserv behind your firewall, would your firewall alert you to that?
The reason I ask is that myNetWatchman currently only monitors *inbound* deny activity... next month I plan to start development of Private mNW... a version you could run locally to feed *outbound* deny activity, then use the same logic to detect and alert you to *internal* compromises.
Curious if that sounds of interest or if you've found some existing toolset to accomplish this level of detection. -- Lawrence Baldwin, myNetWatchman, The Internet Neighborhood Watch
phriday613 ("Your Avatar Is Nice... For Me To Poop On", Premium, join: 2002-02-06, Eastchester, NY) | reply to NetWatchMan | that is a very interesting point..
after further investigation, ipchains only logs incoming port connection attempts, and as for Snort, no. I have hacked my friend's computer to assess his poor network security skills, and nothing was flagged.. good point!
I only have 1 Windows computer (family computer) and I have that sucker on a tight leash (NAV, email filters and scanned once a week). My mom is a virus magnet, with all her computer-illiterate friends.
I don't even think there are rules for this in Snort.. something to check into!!
PS. still no probes/hits for iraq_oil.. -- Help find a cure for Cancer - Join Team Discovery!
Bob142 (join: 2001-03-28, Benicia, CA) | reply to NetWatchMan | said by NetWatchMan: Guess how he connects to the Internet at home: dialup... with NO firewall! (my guess, infected within 10 minutes). Then he drags the PC back to his office to infect all the hosts behind his NAT firewall (note: he set up C-shares on all the PCs for management purposes).
That's the fundamental mistake.
How about cleaning all the machines, installing a working low-cost firewall on each machine (like ZoneAlarm), and a proven AntiVirus program like NAV, and running SpyBot once in a while on every machine.
reply to NetWatchMan | said by NetWatchMan: Do you actually monitor your *outbound* filter hits in some automated way?
Though I take your question a bit out of context, I'd like to pipe in my .02.
At home I use outbound packet filtering in my D-Link routers, blocking ports 135, 137-139, 445, and a few others originating from anywhere in the network. The router logs packet violations and it's often my first clue of when something's not right in the network. My teenage kids have laptops ...
But the D-Link doesn't support syslog or any easy way to get the info other than viewing it via a browser; also its log memory is only able to store about 70 lines. Sadly, D-Link's latest firmware for these routers eliminates the network-level filters in favor of having to assign filters to each individual DHCP client individually. Idiots, apparently they must use only fixed IPs in their network.
Also I monitor a local agency's Internet activity via syslog. I put tons of incoming & outgoing packet filters into their Netopia. Occasionally I spot odd events coming from one of their PCs (like outgoing port 137) worth calling them about. Last year a company of idiots "upgraded" them with a Linux "firewall". The firewall was totally exposed to the WAN, even had its own unique public IP. It was openly running everything it shouldn't have been (FTP, Telnet, SMTP, SSH, RLogin, Squid, etc.) with no security and got seriously infested. The network was used as a relay for a lot of nasty activity. Monitoring goes on long after the cleanup because the problems were so bad. I ignore most of the inbound stuff because they protect but don't indicate a problem -- but the outbound filters can signal the potential existence of a problem. 500 blocked inbound to port 25 - so what, they were blocked. But a single unauthorized outbound to ports like 25 or 137 is worth investigating.
Yes, I definitely think it helps to monitor certain outgoing activity. Especially at the last router before the WAN.
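The kind of automated outbound check NetWatchMan asks about above and that the D-Link/Netopia poster describes (a single outbound udp/137 deny from an internal host is the first clue), written out as an added example that is not from any poster in this thread: a small Python detector that reads outbound-deny log lines and flags internal hosts spraying NetBIOS name-service probes at many distinct targets. The log line format, the thresholds and the sample addresses are all assumptions constructed for the example.

```python
"""Flag internal hosts whose outbound udp/137 denies look like Opaserv scanning.

Added example, not from the thread. Constructed log format (one line per deny):
  <epoch_secs> DENY OUT <proto> <src_ip>:<sport> -> <dst_ip>:<dport>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+DENY OUT\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):\d+\s+->\s+(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$")

def parse(line):
    """Parse one constructed deny line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": int(m["ts"]), "proto": m["proto"].lower(),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def scanners(lines, probe_port=137, min_rate=5.0, min_targets=10):
    """Return {src: (probes_per_sec, distinct_targets)} for hosts over both thresholds.
    One Opaserv host does ~7 probes/sec to many targets, so rate AND spread are required."""
    stats = defaultdict(lambda: {"n": 0, "dsts": set(), "ts": []})
    for line in lines:
        rec = parse(line)
        if not rec or rec["proto"] != "udp" or rec["dport"] != probe_port:
            continue  # only outbound NetBIOS name-service probes count
        s = stats[rec["src"]]
        s["n"] += 1
        s["dsts"].add(rec["dst"])
        s["ts"].append(rec["ts"])
    hits = {}
    for src, s in stats.items():
        window = max(s["ts"]) - min(s["ts"]) + 1  # inclusive seconds observed
        rate = s["n"] / window
        if rate >= min_rate and len(s["dsts"]) >= min_targets:
            hits[src] = (round(rate, 1), len(s["dsts"]))
    return hits

def sample_log():
    """Constructed sample, not a real capture: one scanner, one benign host, one SMTP deny."""
    lines = [f"{1041900000 + i // 10} DENY OUT udp 10.0.0.247:137 -> 198.51.100.{i + 1}:137"
             for i in range(20)]  # 20 distinct targets in 2 seconds: scanner-like
    lines += ["1041900000 DENY OUT udp 10.0.0.5:137 -> 203.0.113.9:137",
              "1041900003 DENY OUT udp 10.0.0.5:137 -> 203.0.113.9:137",  # same peer twice
              "1041900001 DENY OUT tcp 10.0.0.12:3456 -> 203.0.113.25:25"]  # ignored: not udp/137
    return lines
```

Running scanners(sample_log()) reports only 10.0.0.247 (10 probes/sec to 20 hosts); the host that repeats a query to one peer stays below both thresholds, which is the distinction that keeps a plain "any outbound 137 hit" rule from paging on every stray name lookup.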
Name Game (Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 6) | reply to NetWatchMan | My guess is they did not clean those machines properly in the first place before they installed the new anti-virus product.. that some machines are still infected no matter what he is running today and they need someone to go in there who knows what he/she is doing and help them out and then lock it all down properly and then show him what security precautions he must take himself. It is easy to think that he had it all set up properly.. that they have all the current OS upgrades.. and that each user of those stations is not violating some security policy.. but until you physically go in there yourself and check every machine and make sure.. you will have no idea how to stop any bad boy, not just Opie.
I still see companies giving employees too much access to the Internet..beyond that which is required for the business..you can not expect those employees to be as knowledgeable as your IT..but they know enough how to make things work for them..just as they do it at home..and that is bad..for most of them are also infected with something or the other and do not know it or even care unless their PC crashes.
You can have the best AV or AT product in the world set up on your internal network and think that will solve all your problems.. but when it happens to walk in the door every morning for work with keys to the executive restroom and you do not even know it.. someone has to clean it all up.
mboy (Premium, join: 2001-04-13, Little Falls, NJ) | Good idea to have NetBIOS blocked from LAN to WAN (goes without saying WAN to LAN as well). I have it blocked on my SonicWall Pro 200 at work and my SOHO at home just for this reason.
They need a new admin if he is dropping the ball on basic stuff like this, including his home network.
phriday613 ("Your Avatar Is Nice... For Me To Poop On", Premium, join: 2002-02-06, Eastchester, NY) | I apologise.. I forgot that there are backdoor rules, however Opaserv isn't included.. many SubSeven and rootkit rules, but nothing for Opaserv.. -- Help find a cure for Cancer - Join Team Discovery!