Am I getting owned?
Templar
You first.
Alrighty, so I wake up this morning and turn on my monitor to find the RPC service has barfed and Windows has to restart. Never done this before. I remembered what this is when I tried to close svchost in XP processes. I thought it strange it killed itself on its own.
Windows starts up.. no problems. I start a virus scan and get to about 60000 files when I get the same error message again. Once I would call a fluke.. but twice it happened, and that's no fluke. Especially within 4 minutes.
So yet again I restart and Windows gives me the "Select program to open file" message box of a file called TFTP36xx. Don't remember the last two numbers. X.x Turns out it's in startup, and TFTP is trivial file transfer protocol, so I can only imagine someone was trying to start a TFTP server on my box for some odd reason. I went ahead and deleted the file and unnamed myself the DMZ (I named myself the DMZ because SWG doesn't like Linksys routers, and setting yourself as the DMZ seems to fix this, though I still drop occasionally.. lol).
I decided to do a little testing and set myself as DMZ again (and changed my router password just in case) and started Ethereal. Sure enough, after a while, I had these two packets come in:
I was interested. Ran a trace and he lives in Germany. Figures.
Comments
Get trojan removers such as spybot search and destroy or adaware, unplug your box from the network, and clean house.
Just a newbie question: This a port scanner?
Update Windows, Update IE to latest-- windows itself is the most vulnerable, some of the patches made in late July kill parts of the problem (the ones that talk about remote control of a computer, Microsoft does not figure that most folks would understand RPC implications). There are security patches for RPC. Remote Programmatic Control also allows for control of a program or computer remotely, in this case an attacker who knows the exploits can launch a remote DDOS attack from computers with the vulnerability.
In This Particular Case, I would also change my admin password and make sure the remote aid or remote computer control feature in XP is off if you have XP. It defaults on, and it has holes in it. Do not use that for accessing your computer at home from work until you have the patches, and if you must use it, change the password on your home computer.
Ideally, do not use it until after you have the computer secured-- big time secured, and the patching might take a while to become available for all of these features that relate to RPC.
There was a hacker's (not true black hat in the sense of breakers mostly, as Microsoft even threw a dinner to thank the folks that participated to thank them for helping to make Windows more secure at the end of that dinner (not all of them, but I do not have lists needless to say)) conference and LAN out in the desert and Microsoft will be using some of the stuff that was fully isolated from that to tighten down Windows. eWeek had an article online about "Microsoft makes nice to security experts" late last week telling about the curious nature of that dinner.
I have been hearing from eWeek about this for a month, including CERT advisory synopses. This particular vulnerability set (more than one that relate to RPC) has been openly discussed for quite a while.
Computer Security folks are concerned in many places that there will be hackers taking advantages of this more than they have. It is possible to use a remote computer to route through the web using RPC. They are most concerned about a worm, but so far no one piece of malware has itself been discovered that does this particular routing.
This thread should be in security also, or cross-linked to there, if this site has a Computer Security area. As I get specifics that have been acted on I will pass them on - fixes and patches that are needed, etc, worms if any that have definition patches as things develop. Just be aware that the remote computer control uses RPC in part, and packets for RPC are program level port packets that do not use TCP/IP first, they seek network wide on any net the RPC functionality is not closed off on. Unfortunately, some web devs have also used program specific ports to feed things, so the SpyBot S&D idea is a good one to try also.
Prime was right, in saying to do what he did say to do, but these things will also help some to make the risk overall smaller. If the program being called does not respond, no message will go back.
Trivial FTP is HTTPable FTP, by the way. This that the thread starter posted about could have been a scan, but anomalies like this are what wake us up to holes and the need to clean house. Normally Trivial FTP uses port or IP address plus port. A good firewall like Sygate can help close off a search for FTP servers at the box's network cards and not allow things to continue into the O/S deeply. A good firewall inspects packets from the NIC, and requests for use of NIC ports. Putting a good firewall in an aggressive mode is a good way to truncate junk in or out and with a good AV product on Windows one can also check outbound and incoming email which is a good preattack malware spreading vector right now because so many networks and machines are vulnerable (due to old defs or expired antivirus subscriptions or lack of making that scanning active and checking every once in a while to make sure the software is not compromised).
If you are using a router/firewall with a DMZ port and you have your computer connected to that port then you are TOTALLY exposed to the internet and this will continue to happen. I'm assuming that SWG is Star Wars Galaxies and that you connected your PC to the DMZ port because this is the only way you could get it to work. If the firewall is causing problems for SWG, then you need to figure out what SPECIFIC ports need to be opened up to allow it to operate - not exposing yourself to the network.
Ideally Templar, when a host is behind a firewall and not configured as a DMZ, no inbound connection(s) can be made unless you explicitly configure port forwarding in your router. Through port forwarding you can redirect inbound connections to specific hosts and ports that you allow. Unless you allow them, inbound requests are typically dropped at the firewall. You should not see activity on port 135, 137, 139, 445 (or any port you do not allow) from addresses outside your network in Ethereal once you get set up correctly.
At least until you get things figured out, do not continue to use the DMZ feature of the router! Sorry for the brevity, but you need to take action now as you are getting raped on the network.
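The check the comment above describes (no inbound activity on 135, 137, 139 or 445 from addresses outside your own network once the router stops treating the box as the DMZ) is easy to script against a capture exported as text. The following is an added example, not code from the thread or from Ethereal; the log layout, the LAN range 192.168.1.0/24 and every address in the sample lines are constructed for illustration. It reports only unsolicited inbound connection attempts (SYN without ACK) from outside the LAN to the watched ports, so the host's own outbound traffic and LAN-internal file sharing are not flagged.

```python
"""Flag inbound connection attempts to Windows RPC/NetBIOS/SMB ports that
arrive from outside the home LAN. Added example with constructed data."""
import ipaddress
from collections import Counter

# Ports the thread says should show no inbound activity from outside
# once the router only forwards what you explicitly allow.
WATCHED_PORTS = {135, 137, 139, 445}

# Assumed home LAN range (not taken from the original thread).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in a simple "src:port -> dst:port flags" layout,
# standing in for a packet capture exported as text.
SAMPLE_LOG = """\
198.51.100.23:4021 -> 192.168.1.100:135 SYN
192.168.1.5:1034 -> 192.168.1.100:139 SYN
198.51.100.23:4022 -> 192.168.1.100:445 SYN
203.0.113.7:61000 -> 192.168.1.100:80 SYN
198.51.100.23:4023 -> 192.168.1.100:135 SYN
192.168.1.100:1050 -> 198.51.100.23:4021 SYN,ACK
"""


def parse_line(line):
    """Split one log line into source/destination addresses, ports and flags."""
    src, arrow, dst, flags = line.split()
    if arrow != "->":
        raise ValueError("unexpected line layout: %r" % line)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "src_ip": ipaddress.ip_address(src_ip),
        "src_port": int(src_port),
        "dst_ip": ipaddress.ip_address(dst_ip),
        "dst_port": int(dst_port),
        "flags": set(flags.split(",")),
    }


def is_outside(addr, local_net=LOCAL_NET):
    """True for any address that is neither on the home LAN nor loopback."""
    return not (addr in local_net or addr.is_loopback)


def find_exposed_hits(log_text, local_net=LOCAL_NET):
    """Return records that are unsolicited inbound attempts (SYN without ACK)
    from outside the LAN to a watched port on a LAN host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        inbound_syn = "SYN" in rec["flags"] and "ACK" not in rec["flags"]
        if (inbound_syn
                and rec["dst_ip"] in local_net
                and rec["dst_port"] in WATCHED_PORTS
                and is_outside(rec["src_ip"], local_net)):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count attempts per (source address, destination port) pair."""
    return Counter((str(h["src_ip"]), h["dst_port"]) for h in hits)


if __name__ == "__main__":
    exposed = find_exposed_hits(SAMPLE_LOG)
    for (src, port), n in sorted(summarize(exposed).items()):
        print("%s -> port %d: %d inbound attempt(s) from outside the LAN"
              % (src, port, n))
```

On the constructed sample this reports three attempts from one outside address (two to port 135, one to port 445); the LAN-internal connection to 139, the attempt to port 80 and the host's own reply packet are all ignored. A non-empty report after the DMZ setting has been removed means the router is still forwarding those ports and the forwarding rules need another look.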
Windows/Norton is updated. Spybot had some entries but they just looked like normal spyware, cleaned those out. Norton hasn't found anything yet and I've already scanned Documents and Settings and Windows and nothing showed. I'm scanning my entire drive just in case, but I doubt a virus is roaming around. Alg.exe still starts up when I restarted Windows after I updated. That's bugging me. Killed it again and nothing happened so I'll just continue doing so. My password got changed and the remote assistant and access was already turned off (Control Panel/System/Remote and uncheck the box, right?).
It has been a while, and I'm too lazy to check in regedit for the tree, but I think it's HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete any entries that are not necessary.
from the swg site
Your registry location was correct, but it wasn't in there. And yeah, I checked startup from the start menu
So far it hasn't done anything. If it does, I could always use a good format. :shrug:
Thanks for the digging shwaip
N: is Internet Connection Sharing/Internet Connection Firewall showing started?
L:yes
L: should i just disable it
N: ok... double click it...
N: no
L: k
N: set it to Manual
N: and stop it
N: alg will still be running, we'll get to that in a sec
N: let's check a couple of others...
L: k
N: Remote Registry should be running... set it to manual and stop it
L: i disabled that while ago
N: ok, good
N: Upload Manager - Manual and Stop
N: WebClient - Manual and Stop
N: Wireless Zero Configuration - Manual and Stop
L: webclient is disabled already, just leave it?
N: that's fine
N: SSDP Discovery Service - Disabled and stop
L: wireless already at manual and not started
L: k
N: (good on wireless)
N: TCP/IP NetBIOS Helper - Manual and Stop
L: ssdp is already disabled
N: good
N: sounds like you have done some tweaking already ;-)
L: tcp/netbios already disabled is that good?
N: yup
L: yah i have =)
N: I prefer manual to disabled...
N: that way, if you screw up
L: do i need it
N: and Windows needs the service, it can start it
L: ic
N: none of these are needed by anything
L: k
N: but when you tweak, be careful...
L: yeah ive learned the hard way =)
L: damn rpc...
N: I would set to manual, run the comp for a couple of days, if it doesn't start itself, disable it if you must
L: k
N: ok... the service Application Layer Gateway
N: should already be manual...
N: just stop it and alg.exe will go away