View Full Version : Firewalls Bypassed
August 11th, 2002, 09:53 AM
August 11th, 2002, 11:36 AM
I think I've seen some of these -- especially if those XML-RPC calls are outbound Port 135.
Running NIS/NPF and ICS, I've got unsolicited inbound RPC (Port 135) blocked about half a dozen different ways from Sunday. However, I do use it within the LAN here.
However, that leaves the little matter of outbound -- and that's where it occasionally gets a bit interesting.
I have highly customized firewall rules in effect for MSIE -- very specific ports for very specific functionality. Immediately after those rules, I have a "Block everything else from MSIE" rule -- yes, an explicit rule. (And there's a reason for the explicit rule that I'll get to in a moment.)
This rule looks like:

Rule Name: Block all other Internet Explorer
Rule Creation: Customized Internet access for this application
Logging: Yes (Event Log) after 1 match(es)
Protocol: TCP or UDP
Application: Internet Explorer
Local Service: Any Service
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address
Rule Status: Active (Application Executable has not changed since Rule creation)
SHA1 Hash: (omitted)
(Again, this rule follows all other rules for MSIE.)
And, every now and then, this rule does catch something; for example:

Action: Blocked Outbound TCP connection
Local IP, Port: 127.0.0.1, 4776
Remote IP, Port: 220.127.116.11 (66-44-60-111.s111.tnt4.lnhva.md.dialup.rcn.com), 135
Well, there's our old buddy -- Port 135! The other interesting fact about this event is that it's directed to another dial-up subscriber on the ISP's subnet that I was using at the time.
I had not created a similar "Block Everything Else" rule for MS Outlook; and, not surprisingly, less than two weeks later, I got the following event:

07/31/2002 12:34:40:774 - This one time the user has decided to Block communications.
Action: Blocked Outbound TCP connection
Remote IP, Port: 18.104.22.168 (66-44-60-198.s198.tnt4.lnhva.md.dialup.rcn.com), 135
Note that, once again, this outbound communication was directed to another dial-up user on the same ISP subnet. (I have no idea what precipitated this event because I hadn't opened any OL e-mails when it occurred, but OL was running at the time.)
However, this is the important part: I got a pop-up alert from the firewall informing me that MS Outlook was attempting to access the Internet. Would I care to PERMIT, DENY, or CREATE a rule for this communication? Well, hold on, boys 'n girls! I've got rules for Outlook -- again, highly detailed rules. What was this all about? Now, typically, a message like this would indicate that the Outlook executable had been changed. Well, I hadn't changed or updated Outlook (indeed, it's a bit difficult to do these days with OL 98). What the hell? Quick check . . . nope, same executable. Look at details. What's this? OL 98 is trying to communicate outbound to remote Port 135. Well, that's interesting!
So, yes, there does appear to be some sort of exploit out there relying on this vulnerability. I haven't seen it pop up in Outlook Express (which I frequently use as a NewsReader), but I'm fairly certain that OE would also be vulnerable.
Watch for this -- and be verrry careful what you allow your firewall to PERMIT if you see a similar pop-up query.
August 11th, 2002, 11:49 AM
Oops, left out the important part. At least in my experience, this does not bypass my firewall . . . . but that's because I've got highly customized rules set up for my browsers, e-mail clients, and newsreaders.
However, it might bypass something like ZA (free) which, if I understand correctly, simply permits or denies Internet access for a specific application without regard to the remote ports being called. And, again if I understand correctly, denying MSIE, OE, or OL server privileges is not involved in this instance, so that setting will have no impact, either.
Addendum: In this instance, the exploit is not so much bypassing the firewall as simply using the inherent PERMIT privileges granted by the firewall.
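The distinction drawn in the two posts above (a per-application PERMIT with no port restriction versus an ordered per-application rule list that ends in an explicit "Block all other" rule, and a pop-up when no rule matches) can be made concrete in a small model. The following is an added example, not code from the thread or from any of the firewalls it names. The permitted port lists for MSIE and Outlook, the executable hashes and the IP addresses are constructed for illustration; the posts do not give them.

```python
"""Added example: not code from the thread or from any firewall it names.

Models the two outbound-policy styles the post contrasts and runs both
against the two logged events (MSIE and Outlook connecting out to TCP 135).
Permitted port lists, executable hashes and IP addresses are constructed.
"""
from dataclasses import dataclass
from hashlib import sha1
from ipaddress import ip_address, ip_network
from typing import Optional

RPC_EPMAP = 135  # remote port in both logged events


@dataclass(frozen=True)
class Event:
    app: str
    proto: str          # "TCP" or "UDP"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    app: str
    action: str                               # "PERMIT" or "BLOCK"
    protos: frozenset = frozenset({"TCP", "UDP"})
    remote_ports: Optional[frozenset] = None  # None == "Remote Service: Any Service"
    app_sha1: Optional[str] = None            # hash recorded at rule creation

    def matches(self, ev: Event) -> bool:
        return (ev.app == self.app and ev.proto in self.protos
                and (self.remote_ports is None or ev.remote_port in self.remote_ports))


def evaluate(rules, ev, current_sha1):
    """First match wins; no match means the firewall prompts (ASK).

    Modeled behaviour (an assumption, not a specific product): if the
    application's executable hash no longer equals the hash recorded on its
    rules, those rules are inactive and the user is prompted.
    """
    app_rules = [r for r in rules if r.app == ev.app]
    if any(r.app_sha1 is not None and r.app_sha1 != current_sha1 for r in app_rules):
        return "ASK", "executable changed since rule creation"
    for r in app_rules:
        if r.matches(ev):
            return r.action, r.name
    return "ASK", "no rule matched"


def same_isp_subnet(local_ip, remote_ip, prefix=24):
    """Flag peers in the same dial-up pool, the post's second observation."""
    return ip_address(remote_ip) in ip_network(f"{local_ip}/{prefix}", strict=False)


def triage(rules, ev, current_sha1, local_ip):
    action, why = evaluate(rules, ev, current_sha1)
    flags = []
    if ev.remote_port == RPC_EPMAP:
        flags.append("outbound to RPC endpoint mapper (135)")
    if same_isp_subnet(local_ip, ev.remote_ip):
        flags.append("peer in same /24 as local address")
    return {"action": action, "rule": why, "flags": flags}


# Constructed stand-ins for the binaries whose hashes the rules recorded.
IE_SHA1 = sha1(b"iexplore.exe (constructed)").hexdigest()
OL_SHA1 = sha1(b"outlook.exe (constructed)").hexdigest()
HASHES = {"iexplore.exe": IE_SHA1, "outlook.exe": OL_SHA1}

# Style 1: one blanket PERMIT per application, any remote port.
BLANKET_PERMIT = [
    Rule("Allow Internet Explorer", "iexplore.exe", "PERMIT"),
    Rule("Allow Outlook", "outlook.exe", "PERMIT"),
]

# Style 2: specific ports, then an explicit catch-all BLOCK for MSIE; Outlook
# gets specific rules but no terminal block, as in the post. Ports assumed.
CUSTOM_RULES = [
    Rule("IE web", "iexplore.exe", "PERMIT", frozenset({"TCP"}), frozenset({80, 443}), IE_SHA1),
    Rule("Block all other Internet Explorer", "iexplore.exe", "BLOCK", app_sha1=IE_SHA1),
    Rule("Outlook mail", "outlook.exe", "PERMIT", frozenset({"TCP"}), frozenset({25, 110}), OL_SHA1),
]

LOCAL_IP = "192.0.2.50"  # constructed stand-in for the dial-up address in use
EVENTS = [               # constructed from the two logged events above
    Event("iexplore.exe", "TCP", "192.0.2.111", 135),
    Event("outlook.exe", "TCP", "192.0.2.198", 135),
]


def run(rules):
    return [triage(rules, ev, HASHES[ev.app], LOCAL_IP) for ev in EVENTS]


if __name__ == "__main__":
    for label, rules in (("blanket permit", BLANKET_PERMIT), ("custom rules", CUSTOM_RULES)):
        for ev, res in zip(EVENTS, run(rules)):
            print(f"{label:15} {ev.app:13} -> :{ev.remote_port}  {res}")
```

Under the blanket policy both port-135 attempts are permitted without any log entry or prompt, which is the "using the inherent PERMIT privileges" point of the addendum. Under the custom rules, MSIE hits the explicit block and is merely logged, while Outlook, which has no terminal block, falls through to a prompt: exactly the pop-up the post warns about, and the moment a careless PERMIT would whitelist the connection.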
August 11th, 2002, 07:24 PM
Greetings, my friend. A rather interesting exploit we have here. You would seem correct in saying that Zone Alarm free would not withstand this exploit, which may well be cause for some rather interesting activity in the future.
We do seem to have a commonality: most of my hits are coming from my own ISP's customers, or China. China is hitting on UDP port 4001, a rather odd choice IMO, unless they are searching for Japanese users, which is TCP 4001. Maybe trying to "mask" and hoping no one will notice that it's UDP?
Well, for sure, by whatever it was, my computer is acting like an intoxicated silly willy. Was really banged yesterday; my firewall icon actually began blinking, then poof, gone! My finger was already pressing the disconnect.
I was postponing installing another firewall, but I guess I'd best get on the job and just do it. Right now there are several exploits floating around, plus a couple of newly released "tools" for Linux that could wash Windows.
Will keep in touch with you on this one, and keep an eye on port 135. The only oddities I noticed are TCP 243 and heavy scanning in the 20,000 range.
August 12th, 2002, 12:54 AM
Well, my instinct was right. Just finished renewing the registry after being alerted that my firewall files were not the same. The computer screen was flickering as if a program was running in the background; I thought my monitor was ready to go, but no problem since cleaning and renewing. I don't believe that whatever hit me was able to complete its job.
As for what it was, I've no idea. My set-up is rather unusual; never had anything like this happen before, and I've been hard hit in the past. Eventually I will get to the root of it. No, I wasn't hacked (partially, perhaps); this was more like a massive flood. I forgot to enable one of my firewall protection programs, so I have to blame myself for not letting it run at start-up. Impatient.
August 12th, 2002, 01:31 AM
Well, the flickering screen has returned (an on-and-off thing).
I am positive that it's not a "hook" exploit, nor a change in the registry. No scanning being done, unless it's the most unknown stealth ever made. In a few moments I'll do a restore back to a day before this began.
Sure would be nice to know what hammered me so hard. This is no trojan or virus; more like something trying to get in.
August 12th, 2002, 04:43 AM
Can't offer an explanation; however, my problem appears to be resolved. Found this tucked away and removed it: >http://~i< without the <>. The scanner was moving fast, so it's possible that it was ~f, but I cannot confirm. Any idea how this could affect a computer in the manner mine was?
A search also revealed this >http://~i./<, and the search engine was blocked by something I already have listed as a block; no idea what.
Right now it's just guessing on my part, yet that massive flood I mentioned earlier: could it have been outbound, but being prevented?? My registry shows no changes; no trojans either.
I was able to see in search that there is an <~i-advertising.com>; the thing is, these sorts of things just never make it into my OS.
Well, that's all I have to offer.
August 12th, 2002, 04:49 AM
Can anyone tell me if ~i equals "!"? As in <Yahoo!> and a zillion other uses.
August 12th, 2002, 07:37 AM
Snowman - Curious, to say the least.
Question: Have you ever used J. Levine's little program called IRCBot_Detector? Here: http://www.jasons-toolbox.com/IRCBot-Detector.asp
Do you come up clean on that? Pete
August 12th, 2002, 05:33 PM
Thanks for the reminder; I had completely forgotten about bots. Going to check right now.
Yes, this is most curious. At 3:58 a.m. hundreds of ico.temp files were created in my temporary folder; all had zero bytes.
My screen is stable once again, but I'm having trouble with mouse control; just barely able to use the mouse.
August 12th, 2002, 07:54 PM
lol, I'm here representing the newbie association; in newbie English, please, lol.
I'm not only a newbie but the newbie president, lol.
August 12th, 2002, 08:50 PM
This is the simple explanation of what Jason's tool does (the batch file's commands, with the echo text tidied up):

@echo off
rem IRCBot_Detector: three quick checks for the signs of a common IRC bot.
echo The commands this batch file executes will check for the
echo presence of IRC bots. Each test will tell you whether or not
echo your system passed.
echo Make sure any valid IRC program is closed down before
echo you run this or you might get a false positive. (If you
echo don't know what IRC is, chances are you don't have to
echo worry about closing down any programs.)
echo Test #1: any socket on the default IRC port?
netstat -an | find ":6667"
echo Test #1 complete. If there is no line between this and the
echo command above, your system passed the test.
rem The trailing space in ":113 " stops ports such as 1130 or 11300 from matching.
echo Test #2: any socket on the ident port?
netstat -an | find ":113 "
echo Test #2 complete. If there is no line between this and the
echo command above, your system passed the test.
rem The file name checked is rundil.exe (with an i), not the legitimate rundll.exe.
echo Test #3: is the bot's dropped file present?
dir rundil.exe /s
echo Test #3 complete. If "File Not Found" is displayed your
echo system passed the test.
echo Tests Completed.
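The batch file relies on substring matches over `netstat -an` output, which is why the second test needs the trailing space after ":113". The following is an added example, not part of the thread or of IRCBot_Detector: it parses each netstat line into address and port fields and compares ports exactly, reports the socket state, and shows the substring approach side by side so the ":113" versus ":1130" problem is visible. The netstat output is constructed (Windows `netstat -an` layout) and the addresses in it are documentation ranges, not real hosts.

```python
"""Added example: not part of the thread or of IRCBot_Detector.

Parses constructed `netstat -an` output and checks ports exactly instead
of by substring, as the batch file's `find` does.
"""

WATCH_PORTS = {6667: "IRC", 113: "ident"}   # the two ports the batch file checks

# Constructed sample in Windows netstat -an layout; addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1130           0.0.0.0:0              LISTENING
  TCP    192.0.2.50:4776        192.0.2.111:135        SYN_SENT
  TCP    192.0.2.50:1031        198.51.100.9:6667      ESTABLISHED
  UDP    0.0.0.0:4001           *:*
"""


def split_endpoint(ep):
    """'host:port' -> (host, port); UDP's '*:*' foreign side has no port."""
    host, _, port = ep.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "remote": split_endpoint(remote), "state": state})
    return rows


def find_suspicious(rows, watch=WATCH_PORTS):
    """Exact-port checks: a listener on a watched port, or a connection out to one."""
    hits = []
    for r in rows:
        lp, rp = r["local"][1], r["remote"][1]
        for port, label in watch.items():
            if lp == port and r["state"] == "LISTENING":
                hits.append(f"{r['proto']} listening on {port} ({label})")
            elif rp == port:
                hits.append(f"{r['proto']} connected to {r['remote'][0]}:{port} "
                            f"({label}) [{r['state']}]")
    return hits


def substring_hits(text, needle):
    """What the batch file's `find` does: every line containing the substring."""
    return [line.strip() for line in text.splitlines() if needle in line]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for hit in find_suspicious(rows):
        print("suspicious:", hit)
    # Same rows, different watch list: the port-135 attempt from earlier in the thread.
    for hit in find_suspicious(rows, {135: "RPC endpoint mapper"}):
        print("suspicious:", hit)
    print('find ":113"  matches', len(substring_hits(SAMPLE, ":113")), "lines")
    print('find ":113 " matches', len(substring_hits(SAMPLE, ":113 ")), "lines")
```

The same caveat the batch file gives still applies: a legitimate IRC client produces a connection to port 6667 and, with some clients, an ident listener on 113, so close them before running either version. Exact port comparison removes only the false positives that come from longer port numbers sharing a prefix.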
August 12th, 2002, 08:57 PM
At your request, Sir, in newbie talk:
"I don't like spiders and snakes, and that ain't what it takes to surf... stomp, stomp, squash, squash... no, I don't like spiders and snakes, and none am I going to tolerate..."
Checked for "bot": all clean. Made a few adjustments here and there and reached the conclusion that the biggest "bot" is "Windows". LOL
Sir Blaser, in newbie talk: "No, I don't like spiders and snakes, and "Windows" ain't what it takes to surf... no, I don't like spiders and snakes, and that's why I will install Mandrake, 'cause Windows ain't what it takes... stomp, stomp, squash, squash..."
Copyright ©2002 - 2013, Wilders Security Forums