Rich Grise
I've been getting so sick and tired of this virus crap. I'd
abandon windows completely if I didn't need to use Autocad
at my job. I'm running http://housecall.antivirus.com as
I type this (Luckily, I have two computers in the office,
Win 2000 Pro is on the other) - I'm on Thunderbird, the
one with the viri is Daphne. So, anyway, I was having
problems that were acting very much like a memory problem -
I was getting access violations and fatal errors, and
every time I shut down, it'd put up a window about
"program is not responding... end now?" with explorer.exe
in the title bar.
So, anyway, since I had 256MB in Thunderbird, and an old
48 MB stick on the bookshelf, I stuck it in the other memory
stick, and things did improve, for a while. Well, if I
rearranged the drives a bit, and installed Windows on
Daphne, I discovered during my diagnosis, I could have
768 MB in Daphne. Got all the drives swapped around -
well, actually, I just swapped Thunderbird and Daphne
under the desk, and moved hdd from Thunderbird to
Daphne - but then had to find a partition on Daphne
to install W2K - so this is a fresh install on an
essentially Windows-pristine computer - all I had
ever had on Daphne has been Linux. Slackware 10.0.
OK, more background - ops is our "Server." It has
a Samba server, one instance of Apache, and masquerades
the DSL to the LAN, on 10.0.0.* . It's running rc.firewall
that I got from some website that seems to be down...
Yeah: This firewall:
---
#!/bin/bash
#
# rc.firewall Linux Firewall version 2.0rc9 -- 05/02/03
# http://projectfiles.com/firewall/
#
# Copyright (C) 2001-2003 Scott Bartlett <[email protected]>
#...
---
And the website is still timing out.
Anyways, this firewall has a "BLACKLIST" clause, but clearly
I haven't got the right malware sites blacklisted yet.
The problem is, I'm getting viruses. When Autocad wouldn't
work on Daphne, with a fresh install, even not even plugged
into the network - and this is a fresh Windows2000, WITH
format, and a fresh Autocad, and NOT EVEN PLUGGED IN!!!!
Answerworks Runtime installed itself.
Again.
Not even plugged into the ****ing NETWORK! That's
black ****ing magic.
So, anyway, I decided to bite the bullet, and do something
about these viruses. I haven't been able to find anything
at all on getting rid of answerworks runtime and making
it not install itself - everybody seems to like it. Problem
is, there's a correlation - every time Autocad breaks,
it turns out Answerworks has installed itself again.
So I'd like to find out how to make that go away and
not come back.
I did some serious googling on viruses and trojans and
stuff, and did come up with this:
http://www.claymania.com/removal-trojan-adware.html
I've followed their instructions to the letter, on another
fresh clean install of W2K, and while in safe mode -
incidentally, they did turn up some really vicious-sounding
stuff!
Right at this very moment, I have the W2K box (Thunderbird)
booted in "safe mode with networking", and am in the
middle of http://housecall.antivirus.com 's check, and
it reports "PE_Parite A", 9 times, Aw, ****! One of them
is in mamepp.exe, which is supposed to only be MAME -
Multiple Arcade Machine Emulator, so I can play Mr. Do!
and Bubble Bobble and Centipede and PacMan and Donkey
Kong! Geez, guess I'll have to look at Xmame again...
1 Worm/Trojan horse detected:
PE PARITE A File Infector
They call ordinary cookies "spyware" - heh.
Microsoft Vulnerability Check:
Oh. There's 6, but the fix for them is to go to MS's
patch page.
OK, so there's the PE PARITE.
Answerworks hasn't installed itself yet...
But on top of that, I went to run s-t-i-n-g-e-r, from
http://www.claymania.com/removal-trojan-adware.html ,
and it gave an error message: "Caution! May Be Infected!"
So I downloaded stinger again, and the one that said that
it might be infected was about 200K bigger.
So, I looked up housecalls, lessee - I should run the
other ones - but I can do that any time; I hope I've
made my point about the virus problems and that I am
trying to do something about them on my own, and not
having any damn success.
But I have a "firewall"! - oh, yeah, did I say that
their website is down?
Well, here's the whole script - it gets run during
etc/rc.d/rc.inet2, FWIW.
http://neodruid.org/rc.firewall.txt
But I had only just downloaded it and installed it
about a year ago, and forgot about it - none of the
other doze units on the LAN seem to have a virus problem,
albeit I did see on the PHBs computer, while I
was looking over his shoulder and he was showing
me something, that three times within less than
a minute, there were popup warnings that an attack
was in progress.
That's not supposed to happen!
(he evidently has some commercial live virus
blocker, but I have no money.)
And, I've got two ethernet interfaces on my box,
and only activate one in Linux, and the other in
Windows, so that I was able to put the
DENY_OUTBOUND clause in the settings part of the
firewall. It doesn't seem to help.
I'm not going to ask somebody to teach me how to
write a firewall, and I don't think I'll ever
understand IPTABLES; and I should be asking the
Windows folks if there's something I can do to
Windows to keep that stuff out?
Also, yesterday, while doing all of those scans,
I also did Windows Update while in "safe" mode.
I also now have a broken windows explorer - blank
folders pane, AND, when I went to move the minesweeper
shortcut from start/program files/accessories/games
to start, it dragged all right, but at the start
menu, it didn't drop or prompt me or anything -
the little black bar just disappeared.
But, is there a URL or block of URLs that have been
determined to be where all those viri are coming
from, so I could blacklist them?
I think I know that sniffing for content requires
an entire proxy server, but if I can't even get
IPTABLES right, how am I supposed to configure
a proxy server?
This all has to be freeware, of course. I have
no money.
Of course, the ideal proxy server would be the
one where the defaults are everything's closed,
and I could go into a GUI and click which luser
is allowed to do what.
Essentially, I want to completely block the
internet from me, while still being able to
access the Samba server. "DENY_OUTBOUND"
doesn't seem to do that yet, and I can't
operate the free on-line scanners that
way. Then, I'd want the boss and the CFO
to have their internet access, but if possible,
block malware before it gets to them. Of course,
if a proxy server did that, then it'd be safe
for me to go to the internet in Doze - Doze
does still have the purtyer eye candy!
A list of malware IPs that should be blacklisted
would be cool.
And, presumably, it's easy to do.
Or a dead-easy, copy the script and run it and
you're safe, kind of proxy server.
There is no email server here - just HTTP port
80, is the ONLY thing I want getting through.
Oh - I could go to, is it, say, etc/services?
And just close all of the ports there?
no, that's not it - ... inetd.conf.
The only things I have uncommented in inetd.conf
on ops (the "Server") are:
time stream tcp nowait root internal
time dgram udp wait root internal
ftp stream tcp nowait root /usr/sbin/tcpd proftpd
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
auth stream tcp wait root /usr/sbin/in.identd in.identd
Any comments? (on any of this rambling dissertation?)
Thanks,
Rich
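One way to write the policy the post asks for (nothing out from the poster's own box, the Samba share still reachable, only the boss and CFO forwarded to the internet and only on port 80) as a default-deny iptables script. This is an added example, not the poster's rc.firewall and not Scott Bartlett's script; the interface names, the 10.0.0.0/24 addresses for the boss and CFO, and the Samba and Apache port list are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall or Scott Bartlett's script.
# Assumed (constructed) layout: eth0 = LAN 10.0.0.0/24, eth1 = DSL,
# the poster's Windows box is 10.0.0.10, boss and CFO are .20 and .30.
IPT="${IPT:-iptables}"       # set IPT="echo iptables" to preview rules
LAN_IF=eth0
WAN_IF=eth1
LAN=10.0.0.0/24
WEB_USERS="10.0.0.20 10.0.0.30"   # the only hosts allowed out, on port 80

build_rules() {
    # Default deny; every permitted flow is listed explicitly below.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP

    # Loopback, plus replies to connections that were allowed out.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Samba on the server, reachable from the LAN only (137-139, 445).
    # This keeps a LAN box with no internet access able to use the share.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN" -p udp --dport 137:139 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN" -p tcp -m multiport --dports 139,445 -j ACCEPT
    # The server's own Apache, LAN only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN" -p tcp --dport 80 -j ACCEPT

    # Forward only the listed hosts, only to HTTP (80) and, because a
    # browser cannot reach port 80 without name lookups, DNS (53).
    for host in $WEB_USERS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" -p tcp --dport 80 -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" -p udp --dport 53 -j ACCEPT
    done
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN" -j MASQUERADE

    # Everything else from the LAN is logged (rate-limited) and dropped, so
    # an infected box trying to phone home shows up in the kernel log.
    $IPT -A FORWARD -i "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    $IPT -A FORWARD -i "$LAN_IF" -j DROP
}

# Usage: sh fw.sh show   (print the rules)   |   sh fw.sh apply   (as root)
case "${1:-}" in
    show)  IPT="echo iptables"; build_rules ;;
    apply) build_rules ;;
esac
```

Run it with `show` first and read the printed rules; the logged `fw-drop:` lines in the kernel log are where an infected LAN machine's blocked outbound attempts will appear.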