firewall beats virus


Superkitt

Here is my situation.

I have a linksys router with firewall, when I open up a range of ports,
the computer that gets the routing (forward) of the ports gets a virus,
the brazil virus or the opaserv virus, when I close the ports, the virus
protection stops detecting the virus.

I've reopened the ports again and turned on my firewall log to see if I
can find out where this is coming from.

I have run every software I can find to clean up the system of these
viruses and as long as the ports remain open, it keeps coming back.

Question:

What is the person outside doing to activate the virus on my computer? I
suppose once I find the ip I can lock out that IP, but it would be nice
to get rid of what ever is on my system that seem to wake up when the
ports are open.

Oh, these files also come up with the ports open.

Alevir
marco!.scr
instit.bat

This computer with the problem (win98se) doesn't run any new software, I
don't install anything new, it runs the same programs 7/24, so unless the
virus is traveling through my network, which is 2 other winXp computers,
I don't know how they got on the win98 computer.

Joel
 
Superkitt said:
Here is my situation.

I have a linksys router with firewall, when I open up a range of ports,
the computer that gets the routing (forward) of the ports gets a virus,
the brazil virus or the opaserv virus, when I close the ports, the virus
protection stops detecting the virus.

I've reopened the ports again and turned on my firewall log to see if I
can find out where this is coming from.

I have run every software I can find to clean up the system of these
viruses and as long as the ports remain open, it keeps coming back.

Question:

What is the person outside doing to activate the virus on my computer? I
suppose once I find the ip I can lock out that IP, but it would be nice
to get rid of what ever is on my system that seem to wake up when the
ports are open.

Oh, these files also come up with the ports open.

Alevir
marco!.scr
instit.bat

This computer with the problem (win98se) doesn't run any new software, I
don't install anything new, it runs the same programs 7/24, so unless the
virus is traveling through my network, which is 2 other winXp computers,
I don't know how they got on the win98 computer.

Limit your shares, and use strong passwords.
 
FromTheRafters said:
Limit your shares, and use strong passwords.


Using the old alt+255 trick as the first letter of your password works
wonders; see below how to protect a network using it. I have not tested it
against a virus yet, but I think it will stop it in its tracks, because it
is limited just like Windows and does not see a leading space.

To begin, launch My Computer and select the drive and folder you want to
share. Right-click on the folder, and select Sharing from the shortcut menu.

You'll see the folder's property sheet. At this point, select the Shared As
option and hold down the alt key and while holding down the alt key press
255 on the numeric key pad then release the alt key enter a name that ends
with $ in the Share Name text box. Then specify the access type and a
password, if desired. Click OK. Figure


To secretly share a folder, hold down the alt key and while holding down
the alt key press 255 on the numeric key pad then release the alt key append
$ to the share name in the folder's Properties dialog box.
_________
Once you've secretly shared a folder, you need to know how to connect to it
from another system. To begin, launch Network Neighborhood. Normally, to
connect to a shared folder, you simply select the host system from the
Network Neighborhood list and then locate and connect to the shared folder.
However, as I've explained, since the Secret$ folder is hidden, you won't
see it in the shared folder list.

To connect to the secretly shared Secret$ folder, click the Map Network
Drive button on the toolbar. (If you don't see the Map Network Drive button
on the toolbar, select View/Folder Options from the menu bar. When the
Folder Options dialog box appears, click on the View tab, select the Show
Map Network Drive Button In Toolbar check box, and click OK.) In the Map
Network Drive dialog box's Path text box, enter the network path and share
name in UNC format. As an example, if my computer's name is Pavilion then the
path would be \\Pavilion\(hold down the alt key and while holding down the
alt key press 255 on the numeric key pad then release the alt key)Secret$.
If you do a nbtstat -a \\ip.number.goes.here and the only shares you have
are ALL in the format as above, (hold down the alt key and while holding
down the alt key press 255 on the numeric key pad then release the alt
key)folderorDrive$, then nbtstat -a \\ip.number.goes.here will return Host
Not Found even though you do have a folder or drive share: nbtstat WON'T SEE
IT. And if you do a net use x: \\192.168.0.1\(hold down the alt key and
while holding down the alt key press 255 on the numeric key pad then release
the alt key)Secret$ it still won't work, so you are safer using the hidden
share with the alt 255 trick. The secret$ trick, appending a $ to the end of
a shared folder or drive name, has been known for some time; I don't know if
anyone knows about using the alt trick with it or not, and I have NOT been
able to access my system using nbtstat or net use while using the above
technique. If you just use the folderORDrive$ secret share and they guess
the secret share name like this:

net use * \\24.64.103.23\<guessed hidden fileshare name>

well then they can access your computer, but even if they try:

net use * \\24.64.103.23\(hold down the alt key and while holding down the
alt key press 255 on the numeric key pad then release the alt key) and then
<guessed hidden fileshare name>

it still won't work. I have as yet NOT been able to access my computer using
any of the above (and have been using it ever since I set up my home
network); but you can still access it by using Windows and Map Network Drive
with the path \\computername\(hold down the alt key and while holding down
the alt key press 255 on the numeric key pad then release the alt
key)folderORdriveletter$. As to whether or not you could access it using an
NT system I don't know, because I have no NT system to try it with; it might
work using NT because the file structure on NT WILL see a leading space
(which is what the alt 255 trick actually is). This is one of the best tricks
I have come up with for security and up to this time I haven't told anyone
about it; but I am releasing it here FIRST and then to a few select ezines. I
would greatly appreciate any feedback on how this works out for you, because
like I said I have tried everything I can think of to access my own computer
from within the LAN and also from a friend's house and up to this time have
not been able to access it.

ENJOY
 
I have a linksys router with firewall, when I open up a range of
ports, the computer that gets the routing (forward) of the ports gets
a virus, the brazil virus or the opaserv virus, when I close the
ports, the virus protection stops detecting the virus.

First off, that Linksys router doesn't have a FW, it has NAT and at
best it has SPI. None of the cheap routers for home use have a FW. I
have a Linksys router myself. If you want a router that has a FW, they
cost $500 and up.

http://security.ziffdavis.com/print_article/0,4281,a=38771,00.asp
http://www.homenethelp.com/web/explain/about-NAT.asp

You port forward those ports to a machine, the protection of the router
is out of the picture. And all unsolicited inbound traffic will reach
the machine and the network on those ports.

Therefore, when port forwarding or triggering ports with the router to
machine(s), the machine needs a host based FW solution on the machine,
especially with the Windows O/S and the File and Print Sharing you must
be doing between machines on the network.

I don't know why you have the ports open on the router, but there are
things you can do to protect the network and the machines, even with the
ports open.

It's a strong possibility that you have more going on with the machine
and the network being compromised with ports open than a virus
situation.
This computer with the problem (win98se) doesn't run any new software,
I don't install anything new, it runs the same programs 7/24, so unless
the virus is traveling through my network, which is 2 other winXp
computers, I don't know how they got on the win98 computer.


That's because the Win 9'x and ME O/S(s) can easily be attacked.

http://www.uksecurityonline.com/husdg/windows9598.php

Duane :)
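A toy model of the point made above, that NAT has no translation for unsolicited inbound packets, that a port-forward rule hands them straight to the LAN host, and that the forwarded host therefore needs its own host-based filter. This is an added illustration, not code from the thread; all addresses are constructed, and the NetBIOS ports 137-139 are the ones Windows File and Print Sharing listens on.

```python
"""Model of NAT, port forwarding and a host-based filter (added illustration)."""
from dataclasses import dataclass

WAN_IP = "203.0.113.10"        # constructed router WAN address
WIN98 = "192.168.1.20"         # constructed address of the forwarded Win98 box
LAN_PREFIX = "192.168.1."
FILE_SHARING_PORTS = {137, 138, 139}   # NetBIOS ports used by File and Print Sharing


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """NAT with a port-forward table and a table of LAN-initiated flows.
    Ports are modelled as preserved 1:1 across the translation for brevity."""

    def __init__(self, forwards=None):
        self.forwards = dict(forwards or {})  # (proto, wan_port) -> lan_ip
        self.flows = set()                    # (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, pkt):
        # A LAN host opened a connection; remember it so the reply can come back in.
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt):
        """LAN host that receives an inbound packet, or None if NAT drops it."""
        for lan_ip, lan_port, remote_ip, remote_port in self.flows:
            if (pkt.src_ip, pkt.src_port, pkt.dst_port) == (remote_ip, remote_port, lan_port):
                return lan_ip                 # reply to a flow the LAN started
        # Anything else is unsolicited: dropped unless a forward rule exists, in
        # which case it reaches the host with the router "out of the picture".
        return self.forwards.get((pkt.proto, pkt.dst_port))


class HostFilter:
    """Host-based filter on the forwarded machine: file-sharing ports are
    reachable from the LAN only, and a source found in the router log can be
    blocked outright (the "lock out that IP" idea from the first post)."""

    def __init__(self, blocked_sources=()):
        self.blocked = set(blocked_sources)

    def accept(self, pkt):
        if pkt.src_ip in self.blocked:
            return False
        if pkt.dst_port in FILE_SHARING_PORTS:
            return pkt.src_ip.startswith(LAN_PREFIX)
        return True


def deliver(router, host_filter, pkt):
    """Where an inbound packet ends up: None (dropped by NAT) or (host, accepted)."""
    host = router.inbound(pkt)
    if host is None:
        return None
    return host, host_filter.accept(pkt)


if __name__ == "__main__":
    probe = Packet("198.51.100.7", 40123, WAN_IP, 139)   # constructed outside probe
    print("NAT only:", deliver(NatRouter(), HostFilter(), probe))
    forwarded = NatRouter({("tcp", 139): WIN98})
    print("port 139 forwarded:", deliver(forwarded, HostFilter(), probe))
```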
 
First off, that Linksys router doesn't have a FW, it has NAT and at
best it has SPI. None of the cheap routers for home use have a FW. I
have a Linksys router myself. If you want a router that has a FW, they
cost $500 and up.
My netgear FR114P dsl (true) firewall/router cost just over the price of a
dsl router. About £80.
 
It's a "Simplistic" FireWall, not a full blown manageable FireWall, but it's a
FireWall nonetheless...

Dave

| The FR114P has firewall like features such as SPI, but it is not a
| firewall,
|
| Duane :)
|
| --
| The protection of the machine is a process and not a given!
 
Superkitt said:
Here is my situation.

I have a linksys router with firewall, when I open up a range of ports,
the computer that gets the routing (forward) of the ports gets a virus,
the brazil virus or the opaserv virus,

They all are the same worm, just different names of the driver. The fact that
you got infected under different driver names is an indication that the
incidents are separate instances of the Opaserv worm.
when I close the ports, the virus
protection stops detecting the virus.

I've reopened the ports again and turned on my firewall log to see if I
can find out where this is coming from.

I have run every software I can find to clean up the system of these
viruses and as long as the ports remain open, it keeps coming back.

That's because your system directory, probably the entire system drive, is
shared with read-write permissions. There is no way Opaserv can infect without
sharing the system files!
Question:

What is the person outside doing to activate the virus on my computer?

Absolutely nothing. I suppose that the owners of the PC(s) that are infecting
you don't even know that they are infected. Otherwise they would do something
to stop it.
I suppose once I find the ip I can lock out that IP, but it would be nice
to get rid of what ever is on my system that seem to wake up when the
ports are open.

The simplest way to stop getting reinfected by Opaserv is to stop sharing your
system drive/directory. If you must share, then do it on a directory basis, and
never include the system in the share path. No need for a firewall to do that,
just your head, in the right place.
Oh, these files also come up with the ports open.

Alevir
marco!.scr
instit.bat

All are Opaserv instances indeed, and they will keep coming back as long as you
don't stop sharing your system.
This computer with the problem (win98se) doesn't run any new software, I
don't install anything new, it runs the same programs 7/24, so unless the
virus is traveling through my network, which is 2 other winXp computers,
I don't know how they got on the win98 computer.

Through sharing, of course, as there is no other way that Opaserv can get into a
computer.

Regards, Zvi
 
Duane said:
First off, that Linksys router doesn't have a FW, it has NAT and at
best it has SPI. None of the cheap routers for home use have a FW.

guess again... the one i have has firewall functionality for both
inbound and outbound traffic... it's certainly no cisco, but i can
define deny-all or accept-all rules with a finite number of exceptions...
I have a Linksys router myself. If you want a router that has a FW, they
cost $500 and up.

i paid less than $200 for mine (and that's in canadian dollars, it's less
than 100 USD)... it ain't no linksys, though, it's a dlink 704p
http://security.ziffdavis.com/print_article/0,4281,a=38771,00.asp
http://www.homenethelp.com/web/explain/about-NAT.asp

You port forward those ports to a machine, the protection of the router
is out of the picture. And all unsolicited inbound traffic will reach
the machine and the network on those ports.

Therefore, when port forwarding or triggering ports with the router to
machine(s), the machine needs a host based FW solution on the machine,
especially with the Windows O/S and the File and Print Sharing you must
be doing between machines on the network.

this is true *if* your router actually has no firewall itself...
 
Duane said:
glfd.server.ntli.net:

When the router can accept or reject packets by specified IP on specified
UDP and TCP ports based on rules created by the Admin of the router, then
it has a firewall.

the DI-704P has the above mentioned functionality... and it doesn't cost
$500...
 
the DI-704P has the above mentioned functionality... and it doesn't
cost $500...

--
"when surveys of all the world's countries are done,
canada frequently rates number one.
are we the best country? well we'll never know...
there's nowhere else we can afford to go."

http://www.watchguard.com/infocenter/brochures.asp

If I am going to try to protect a business or even my home after this
Linksys I have plays out, I am coming back with one of these. I know it
has a real *firewall*. The cheapest one I can get.

Duane :)
 
Duane Arnold said:
When the router can accept or reject packets by specified IP on specified
UDP and TCP ports based on rules created by the Admin of the router, then
it has a firewall.

Erm yes it does that, I can select from a bunch of predefined port/protocol
services. If I need to create more I can do that easily.
I can block specific sites, add keyword blocking or sites that contain
wildcard words in their domain names. Set trusted sites.
I can also schedule these services to start and stop at specific times. It
can block incoming, outgoing, use DMZ or set up discrete port forwarding.
It will use syslog or email me logs with several different options,
including local activity and all incoming and outgoing connection attempts.
The FR114P has firewall like features such as SPI, but it is not a
firewall,
If it wasn't a firewall, there would have been one hell of a noise made by
the press by now I think, and Netgear would have called it the R114P instead.
My car may not be a rolls royce but it's still a car and does exactly what I
bought it for.
 
Thanks for those links Duane. In my mind I was a little
confused about exactly what SPI meant. I was under
the impression that it meant that packets were inspected
for their state (initial or subsequent) only, and not for
content. It appears that SPI has grown to include more
than just Stateful Packet Inspection, and it now includes
a type of content filtering.

http://www.netgear.com.sg/powershift/downloads%5Cstateful_packet_inspection_vs_nat.pdf

If the NAT router or port forwarder, that's my new definition for these
devices, doesn't have SPI, then it is best to install a host based
stateful multilayer inspection firewall that follows the OSI model for
network firewalls that is going to protect the O/S on the machine and
perform the SPI function that is missing on the router. After all what is
the Internet? It's a network connected by TCP/IP. :):)

http://www.firewall-software.com/firewall_faqs/types_of_firewall.html


Duane :)
 
Yer easy: Basically make a profile on the win98 box and put a password on
it and its network shares (that's why the NT PCs are NOT getting
re-infected!), but not before you disconnect the win98 box from the internet
and clean it of opaserv. Anyways, straight from symantec:

NOTE: Due to a decreased rate of submissions, Symantec Security Response has
downgraded this threat from Category 3 to Category 2 as of June 13, 2003.

W32.Opaserv.Worm is a network-aware worm that attempts to replicate across
open network shares. It copies itself to the remote computer as a file named
Scrsvr.exe. This worm also attempts to download updates from
www.opasoft.com, although the site may have already been shut down.
Indicators of infection include:

a. The existence of the files Scrsin.dat and Scrsout.dat in the root of
drive C. This indicates a local infection (that is, the worm was executed on
the local computer).
b. The existence of the Tmp.ini file in the root of drive C. This
indicates a remote infection (that is, the computer was infected by a remote
host).
c. The registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains
the string value ScrSvr or ScrSvrOld, which is set to c:\tmp.ini.

NOTE: If you are on a network, or have a full time connection to the
Internet such as DSL or Cable modem, you must disconnect the computer from
the network and the Internet before attempting to remove this worm. If you
have shared files or folders, these must be disabled. When you have finished
the removal procedure, if you decide to reenable file sharing, Symantec
suggests that you do not share the root of drive C. Share specific folders
instead. These shares must be password-protected with a secure password. Do
not use a blank password.

Also, before doing so, if you are using Windows 95/98/Me, you must download
and install the Microsoft patch from

http://www.microsoft.com/technet/security/bulletin/MS00-072.asp



Also Known As: W32/Opaserv.worm [McAfee], W32/Opaserv-A [Sophos],
Win32.Opaserv [CA], WORM_OPASOFT.A [Trend], Worm.Win32.Opasoft [AVP]
Type: Worm
Infection Length: 28,672 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows
XP, Windows Me
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, UNIX, Linux
CVE References: CVE-2000-0979



Cheers,

J
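A triage check built from the three indicators in the Symantec text quoted above (the two .dat files, Tmp.ini, and the ScrSvr/ScrSvrOld Run value pointing at c:\tmp.ini). This is an added illustration, not Symantec's or the thread's code; it takes the Run values as a mapping so the file checks also run against a mounted drive image on a non-Windows machine, and the demo directory and registry entries are constructed.

```python
"""Check a drive root and Run-key values for the Opaserv indicators (added illustration)."""
import os
import tempfile

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = ("scrsvr", "scrsvrold")   # value names are case-insensitive
RUN_VALUE_DATA = r"c:\tmp.ini"


def read_run_values():
    """Read HKLM\\...\\Run on Windows; elsewhere return an empty mapping so the
    file checks still run (for example against a mounted drive image)."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break                          # no more values
            values[name] = data
            index += 1
    return values


def opaserv_indicators(drive_root, run_values):
    """Return the Symantec indicators found in drive_root (root of drive C) and
    run_values (value name -> data). File names are matched case-insensitively
    because the FAT file system on Win9x is."""
    present = {name.lower() for name in os.listdir(drive_root)}
    run = {name.lower(): data for name, data in run_values.items()}
    findings = []
    if {"scrsin.dat", "scrsout.dat"} <= present:
        findings.append("local infection: Scrsin.dat and Scrsout.dat in drive root")
    if "tmp.ini" in present:
        findings.append("remote infection: Tmp.ini in drive root")
    for name in RUN_VALUE_NAMES:
        data = run.get(name)
        if isinstance(data, str) and data.strip().lower() == RUN_VALUE_DATA:
            findings.append(f"persistence: Run value {name} = {data}")
    return findings


def demo():
    """Constructed sample: a drive root showing a remote infection plus the
    persistence value; returns the findings for that sample."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "Tmp.ini"), "w").close()        # constructed indicator
        open(os.path.join(root, "autoexec.bat"), "w").close()   # benign Win98 file
        sample_run = {"ScrSvr": r"C:\tmp.ini", "TaskMonitor": r"C:\WINDOWS\taskmon.exe"}
        return opaserv_indicators(root, sample_run)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On the affected machine itself the call would be opaserv_indicators("C:\\", read_run_values()).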
 
Oh yeah,

I just read a previous response to yer situation and anyone that says there
is absolutely nothing you can do about it is too stupid to be posting here;
they should go get a job serving burgers 'er sumptin'...

Cheers,

Jon
 
http://www.watchguard.com/infocenter/brochures.asp

If I am going to try to protect a business or even my home after this
Linksys I have plays out, I am coming back with one of these. I know it
has a real *firewall*. The cheapest one I can get.

lets not get too far ahead of ourselves with what you're going to do in
the future, just yet, shall we?...

your assertion that a firewall is a router that can accept or reject
packets based on ip/port/protocol rules implies my DI-704P is a firewall
(because it can do those things)... it further implies that a number of
other inexpensive router appliances are firewalls also...

if i'm not mistaken, i believe you said elsewhere that your linksys was
a BEFSR41... i can see how you might be disappointed in it from a
security point of view, but i think if you'd done some more homework
before purchasing you'd have held out for the BEFSX41 (one of the
alternatives i was looking at when i was in the market for a cheap
router + firewall) or perhaps the FR114P mentioned by ned, or the DI704P
that i settled on...

now these watchguard devices do indeed look very interesting *but* they
are a lot more than *just* firewalls... they are feature rich and that
is the root of their greater expense... that's not to say there's
anything wrong with them, there isn't, but if someone doesn't want to
pay for a 'Firewall+' there are certainly basic firewall alternatives
out there...

(and frankly, if i wanted feature rich, i'd probably have put smoothwall
on an old 386 with 2 NICs in it)
 
kurt wismer said:
lets not get too far ahead of ourselves with what you're going to do in
the future, just yet, shall we?...

your assertion that a firewall is a router that can accept or reject
packets based on ip/port/protocol rules implies my DI-704P is a firewall
(because it can do those things)... it further implies that a number of
other inexpensive router appliances are firewalls also...

if i'm not mistaken, i believe you said elsewhere that your linksys was
a BEFSR41... i can see how you might be disappointed in it from a
security point of view, but i think if you'd done some more homework
before purchasing you'd have held out for the BEFSX41 (one of the
alternatives i was looking at when i was in the market for a cheap
router + firewall) or perhaps the FR114P mentioned by ned, or the DI704P
that i settled on...

now these watchguard devices do indeed look very interesting *but* they
are a lot more than *just* firewalls... they are feature rich and that
is the root of their greater expense... that's not to say there's
anything wrong with them, there isn't, but if someone doesn't want to
pay for a 'Firewall+' there are certainly basic firewall alternatives
out there...

(and frankly, if i wanted feature rich, i'd probably have put smoothwall
on an old 386 with 2 NICs in it)

--
"when surveys of all the world's countries are done,
canada frequently rates number one.
are we the best country? well we'll never know...
there's nowhere else we can afford to go."

I have found a good relatively cheap ($39) router/firewall (although I
think the firewall is more of a software firewall contained within the
router as opposed to a true hardware firewall) to be the Belkin 4-port
cable/DSL gateway Router which I have installed on my home LAN. It has
quite a few bells and whistles for a low end product including a firewall
and NAT. When anyone hits my IP they get the router and although there are
ways to hack/bypass routers it will stop most all except the most
experienced and those types have no interest in my humble home LAN, lol.
I have another pig/test machine with a dial up account which I use to
test entry into my router/LAN. I have as yet NOT been able to get past the
router; but then I am not near as good as the least best learned system
hacker/cracker; but I have had my moments<s> back in the day, lol
 
I run with a BEFW11S4 NAT router. IMHO, the NAT router for home use
doesn't have a true firewall. And I would not go to anyone in IT
security and tell them that a Linksys, D-link, Netgear or any other
device in this class has a real firewall.

Duane :)
 
When anyone hits my IP they get the router and although there are
ways to hack/bypass routers it will stop most all except the most
experienced and those types have no interest in my humble home LAN, lol.

Well in order for someone to be the best, practice makes perfect.:)

Duane :)
 
Duane said:
I run with a BEFW11S4 NAT router. IMHO, the NAT router for home use
doesn't have a true firewall.

that one doesn't, no... in fact i can't find the word "firewall"
anywhere on this page
http://www.linksys.com/Products/product.asp?grid=23&prid=173

which is the BEFW11S4 product page...
And I would not go to anyone in IT
security and tell them that a Linksys, D-link, Netgear or any other
device in this class has a real firewall.

i can see why you wouldn't do so... you went wireless... ick... i don't
blame you your lack of confidence among IT security guys...

however, i reiterate, there *are* cheap firewall router appliances and
the above mentioned companies do happen to make a few...
 