Devon & Cornwall Linux Users' Group


Re: [LUG] Windows XP, a review ?



Neil Williams wrote:
On Monday 17 Nov 2003 11:27 am, Bailey Mark wrote:



Erm I don't understand why Windows is being blamed for port-scans on your router? Port scans will happen regardless of OS...

I advertised my presence by trying to do something a bit shady.. Windows was successfully attacked and the whole thing escalated.


The only factor, possibly, is that the sites that were generating all the popups could only do so via IE/Windows and if Frank was on a static IP, these sites could have forked some port scans, possibly even passing on details to other friendly sites (via the linked popups) - making his IP more of a target than before? Don't know how likely that really is, but it's possible I suppose.


It's quite easy to code a popup that always opens another one if you try and close it. The only way to stop them is to close the new one before it gets a chance to download the next set of Javascript. With a fast broadband connection, that becomes quite a challenge.

Or the rogue software that was downloaded without Frank's knowledge - that could easily call home to a nefarious site that would respond with a port scan to try to drop a trojan etc. Maybe that's what the virus-checker stopped.

From Frank's email:

Two viruses were found but fortunately the virus monitor had denied
access to run them. Six or seven rogue applications had been installed
and it was not until I had gone through the registry with a fine tooth
comb that I was reasonably happy I had got rid of "most" of it.


Maybe a third virus slipped past the virus checker? Certainly, something untoward was being executed because of all the Registry setting changes. It doesn't take much for one of those 6-7 applications to 'call home'.

It is possible, I had a close look at task manager and killed off anything suspect.


What internet connection does your router use, Frank?

ADSL


Were you using a Windows firewall?

No but the router contains a hardware firewall.



What level of alerts were you getting prior to your experiment?



Just getting the odd one before and after the event, usual "background noise" that one expects.
I was definitely TARGETED during the "experience"


Have the alerts died down yet? (Now that you're back behind a Linux box.)

Yes, just the odd one.


Do you have a static IP? (Have you changed it!?)

Have a permanent static IP address.


Incidentally, I tried visiting the same site using Linux. At one time I had 15 browser windows open and three attempts to send me .exe files before I gave up and did something useful.
No ill-effects of course.


It's worrying that Windows users are told, by these sites, to accept any certificate that pops up. And of course accept the executable, whatever it is.


Frank.




--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.

