Need Auto Interrogate Script

Discussion in 'Trojan Defence Suite' started by gmmex, Jun 29, 2003.

Thread Status:
Not open for further replies.
  1. gmmex

    gmmex Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    4
    Can anyone offer me a script that will auto interrogate when TDS notifies me of a connection request? I am a total dumb ass where scripts are concerned but would really like to know that TDS is doing something more than notify me at those times.
    Currently I start an interrogation manually when I see the connection request, this could be anything up to 20 minutes after the request, not a lot of use really.

    Would really appreciate some help or advice here.

    Michael
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi Michael and welcome aboard
    I don't really understand you question, do you have other scripts running, because normally TDS doesn't watch connection requests by default.
    Did you have a look at the sample scripts?
    Dolf
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Michael,
    welcome to the TDS forum!
    If you have a registered TDS version, you can run the Screx script, which can do lots for you.
    I only very seldom interrogate on somebody, only if they would keep bothering me on trojan ports, and yes, then a "friendly" message via the UDP broadcast (for which i use the interrogate like you to find a port to broadcast through) helps in most cases.
    If you have the newest TDS download, make sure to grab the "scripts.zip" too from the same download page, which are examples to work with.


    So the basic construction of your script model would be
    if TDS alarm detected (on special port settings?)
    do interrogate scan
    on found open ports on intruders system do stuff
    This is in Jazzie's script as well, in the usersubmitted scripts) working with the ZA firewall log, if you like with voice alert, for port 27374.
    If you have ZA you might like to use VisualZone as well, (free) which analyses the ZA log all time you run it and can make a knocking sound on portscans.
    The FW should block intrusions, so they hardly should get to TDS to alert in anyway.
    It's no use to react on every portscan, of course, but some might be enough significant to bother.
    Remember the moment you react with ping or scan or resolve them you are no longer invisible if you were stealth for instance and a valid target.

    Are there special reasons or alerts you want to react on?
     
  4. gmmex

    gmmex Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    4
    Appreciate the comments of those who answered my message.
    Here, in a nutshell, is my problem and reason for the message.
    My system is on most of the time and does not have, to my knowledge, a static IP. I would get somewhere in the region of 100+ notifications of connection requests daily and was of the impression that throwing an interrogation at them would let them know to go elsewhere.
    I do not necessarily understand how TDS works or what it really does, I just know that it works in some way, at least it lets me know.
    It is entirely possible that I don't need to be running a script to auto interrogate (based on info from you), I just want to do something to let these prats know that I can see their attempts.
    Am I wrong in this?
    I have not been able to make head or tail of the scripts that came with TDS purely because I am a klutz in this area. Even when I look at a script I don't understand it therefore I don't know what it does.

    Any recommedations on ways to stop these would be intruders or at the very least let them know I am aware of them, would be greatly appreciated. Again, if you guys tell me I don't need to do this then I am happy with that. The TDS crew assures me that TDS will stop intruders and for this I am grateful as it is ultimately what I want to do.

    However, it would be nice to have the ability to send some message to these prats automatically, if for no other reason than to make me feel good, I just don't know how to do this.

    Michael
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    When i run VisualZone, the backtracing (if i automate that) from alerts in the logfile is an alert already for them they have been noticed. So it's easy to see if they received that message, if they stop or continue their actions.
    Interrogate scan in a good way to see which ports are open, for doing what you want, of course.

    You do have a firewall, don't you? As i really wonder about your many connection requests!
    I get portscans like everybody, but further nasty bahavior is blocked by the firewall.

    The UDP broadcast is the easiest tool to send something nice to their open port.
     
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi Gmmex,
    i've had a look at this and the following seems to be the way to go:

    [*]Open Sockets Configuration
    [*]For Port 0: Click On Protocol To Select TCP/UDP And Click On Port To Type in the port you want To Listen To.
    [*]Activate "Use"
    [*]Save sockets.
    [*]Make a New SS3 script File With the following contents:
    Code:
    '// Event-handlers for Socket #0 (TCP/UDP:what you wish)
    Sub mSocket0_DataArrival
     Call AddLine("SS3 Socket 0", "TCP:" & mSocket(0).LocalPort & " received data from " & mSocket(0).RemoteHostIP & ":" & mSocket(0).RemotePort)
     Call AddLine("SS3 Socket 0", "Data: " & mSocket(0).Tag)
     Call AddLine("SS3 Socket 0", "Inpecting TCP Port of: "  & mSocket(0).RemoteHostIP)
     Call ShellExec(SysVar("TDS.Path") & "\Ext.Plug\tcpinsp.exe TDS-2 Plugin x " & mSocket(0).RemoteHostIP,"normal")
    End Sub
    
    Sub mSocket0_Error
     Call AddLine("SS3 Socket 0", "Error: " & mSocket(0).Tag)
    End Sub
    
    Sub mSocket0_ConnectionRequest
     Call AddLine("SS3 Socket 0", "Connection request from " & mSocket(0).RemoteHostIP & ":" & mSocket(0).RemotePort)
     Call AddLine("SS3 Socket 0", "Inpecting TCP Port of   "  & mSocket(0).RemoteHostIP)
     Call ShellExec(SysVar("TDS.Path") & "\Ext.Plug\tcpinsp.exe TDS-2 Plugin x " & mSocket(0).RemoteHostIP,"normal")
    End Sub
    
    Sub mSocket0_Close
     Call AddLine("SS3 Socket 0", "Connection closed by " & mSocket(0).RemoteHostIP)
    End Sub
    
    [*]Then Load this script, Open sockets config, initialise sockets And Save again.
    [*](Test it by using TDS's own TCP-connect to connect to this port on 127.0.0.1...)

    Obviously, you can replace tcpinsp.exe with bdknock.exe, comports.exe, intero.exe, troports.exe - whichever suits you best.

    I hope this works for you.
    Andreas
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Andreas,
    This is really a nice script, I never got those sockets to work, but have you ever managed to make a connection via UDP ?
    Finally a way to get to those Messenger spammers :D
    Dolf
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Nice script Andreas :D Have a nice fresh cool karma.

    Hi gmmex, A hundred scans a day is quite normal if they are from various addresses. If your firewall is stopping them don't worry about them.
    Here is my wallwatcher log from yesterday. As you can see ports 137 & 135 are scanned a lot probably by compromised servers.
    It hey are consistently from one address report them to the scanners ISP abuse@theirisp.com with a copy of your firewall logs.
     

    Attached Files:

  9. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    @Pilli: yummyumm - ahh that was good. It's a rather hot afternoon over here, i needed that :D

    @Dolf:
    Hmmm, weird, i've set up udp ports listening in TDS both in automated and in scripted mode and neither TDS's udp broadcast nor netcat (More Info) did trigger anything in TDS...
    I will have a look at it later, but maybe someone from DCS can comment...

    CU,
    Andreas
     
  10. gmmex

    gmmex Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    4
    Hmm, again thanks for all the response.
    Do I have a firewall? this is a good question because that's pretty much what I thought TDS was (told you I was a klutz). I have much to learn and I am keen to do so, it seems I may have found the right place to do so. However, let me explain my situation.
    I run a small Security Company which has 4 computers.
    All these computers are networked very simply through Windows 2000 but we have no 'server' as such. Each computer has TDS installed and updated regularly.
    Because of this scenario I have not seen a need for a firewall, until now. As each of these machines connects individually to the web via 56k modem they all get connection requests (although not as many as my home system) daily, TDS appears to close the ports and stop any intrusion.

    1. Do I need to have a 'server' to run a firewall?
    2. If I can run a firewall on each system instead of installing a server (which I would prefer not to do)
    can anybody suggest which one would suit my needs?
    3. Can I utilize TDS to act as a firewall or does it already do that job?
    4. My home system is not connected in any way to my office systems, do I need a firewall on that system?

    Sorry for all the questions, if I am overstepping my welcome please let me know. The connection requests are becoming more frequent and it is a worry for me.

    Michael
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you don't have a firewall i would certainly try to keep as stealth as possible.
    Any computer connected to any network or internet in my opinion should have a firewall installed somehow.
    At least activate your windows2000 firewall on each system.
    Is it necessary for each computer to look at the others in the network, do you use file and printersharing for instance?
    Is it possible for you to use just one connection to internet and have all systems using that one connection?

    On another person's system i put a free firewall (zone alarm as it is an almost set and forget thing, even though i prefer the pro version very much; if you don't mind to lear about configuring a little more and rulesets i think i've seen several times mentioned Sygate as one of the nicer ones) beside his win2000 firewall and TDS plus Port Explorer and am planning to put WormGuard there too, and changed some security settings, which helps tremendously.

    A small security company you say and as you say not too much knowledge about computer security?


    An older TDS version seemed more like a combination of firewall and trojan protection and if it ever (would) come to DCS creating a firewall i hope to be among the first to proudly betatest it.
    TDS-3 does a lot in this field, but it's not a firewall in that sense.
    You can Use TDS nicely to communicate among the four of you too in a safe way.

    TDS listens on the ports you configured the sockets to listen on: at automated it listens at least to the ten most used trojan ports, so no infection nor intruder can use that same port to harm your system. But there are some 65554 TCP and the same amount of UDP ports of which (see portref list) many can be default trojan ports.

    Andreas' Screx script which ships with TDS might be a nice extra help too, btw!


    Not sure if you would need a server or can do with a switch or hub if the other way is not possible, but these tech advises i leave for others!
     
  12. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    He Michael,
    this is my job, the easiest thing to do is to get an ADSL connection with Thomson SpeedTough 510(i) ADSL modem.
    The 510 has a built in hardware firewall and because of that my ZoneAlarm (firewall) has shown not a single scan for months now
    It is also a 4 ports router, so no need for a server
    TDS is a very good solution for blocking trojans
    Wormguard excellent for worms
    and I like ZoneAlarm Pro 4.0 for outbound protection (this is personal)
    and if you hurry you can get etrust antivirus for free with unlimited signature updates. Works well under W2000 Check this out:
    https://www.wilderssecurity.com/showthread.php?t=9672
    think about it
    Dolf
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Ahh Dollefie, i just went back to add a router to the options, you mention already the best solution with the brand and more, sounds really great! Glad you jump in!
    Thanks for that!
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, get a firewall! Although as you are on dial up your IP probably changes with each re-connection, so you are not quite as vulnerable as a cable or ADSL user, especially as you have TDS3 on all four PC's, I assume you also have up to date Anti-virus as well.

    In your situation I would go for a 4 or 8 port Cable/ADSL router that includes a modem port, there is one I believe that is made by D-Link? $60 - $100, All your PC's can use it whilst having the inbound protection of a NAT firewall and a LAN running at 10/100 through the router & will make the transition to broadband painless when you decide to upgrade your connection.

    If you are confident that your users are sensible there is little likelihood of getting a Trojan though I would also run Worm Guard, Spybot S & D + AdAware & Java Cools nice free tools.
    For a software firewall you have many choices. Kerio, Sygate, Zone Alarm & Agnitum's Outpost all do good free versions. :D

    BTW I assume you security company is not computer related ;)
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Don't forget Port Explorer for being able to see in the blink of an eye any suspicious connections (in- and outbound!) and so many more possibilities with that!
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Whoops! forgot that, Gmmex will have a lot to learn but at least he has found us, so let's hope we can lower the learning curve :D
     
  17. gmmex

    gmmex Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    4
    My sincere thanks to all who have been involved in this discussion, these answers have been a great help.
    I will take on board everything that has been said and will install items to make our system more secure.
    Learning curve aside, this has been simply a good forum with helpful responses from all.
    Again thank you to all.

    Michael
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Michael, report back how it goes and where hands are needed for more helpful suggestions along the way to keep the peace on your system!

    Please at least start with the firewall right this moment (a free version will do as you'll have the hardware fw soon as described), for instance zone alarm is easy "set and don't forget" www.zonelabs.com or one of the others if you don't mind some puzzling over the rulesets, as i guess getting the modem, adsl, configuration will not all together be done in a few moments, TDS you have already to clean out the nasties, so up to the next layers of security!
     
Thread Status:
Not open for further replies.