NetBios connecting

Discussion in 'Trojan Defence Suite' started by taba, Jul 27, 2004.

Thread Status:
Not open for further replies.
  1. taba

    taba Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    25
    When I run TCP Inspector, it shows Netbios (135) connected. I've checked and verified that Netbios is still disabled (or looks like it should be) in TCP properties. I also downloaded the Noshare utility from GRC which is supposed to disable Netbios. Still, Netbios is connecting.

    Does this indicate something bad on my system? I'm on a standalone computer - no network, dialup access, no IIS installed either.

    How do I completely disable Netbios? Is there any way to tell who it's connecting to?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Taba & Welcome,

    You can download TDS3 from here: http://tds.diamondcs.com.au/
    On that same page you will find a link to the latest Radius file. Install TDS3, then place the Radius file in the TDS3 folder (you will be asked to verify this).
    Reboot and in Scan Control enable all the scans. Select all logical drives and start the scan; this is an in-depth scan and will take a while, so get yourself a nice drink.

    Whilst at the DiamondCS website download the trial version of Port Explorer,
    http://www.diamondcs.com.au/portexplorer/
    This will enable you to trace your port 135 actions. Note: Port Explorer does not get on with McAfee's firewall.

    Please report your findings - Pilli :)
     
  3. paulson

    paulson Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    25
    Location:
    South Of Germany
    Last edited: Jul 27, 2004
  4. taba

    taba Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    25
    Thanks, Pilli,

    I installed and updated TDS-3 yesterday and ran *all* tests, including all drives. It did take a long time but didn't find anything on the drives. I found the NetBios connection listed in TCP inspector.

    I'll update again and re-run all tests just to be sure, and also check the Port Explorer. Do I need to be online while doing the drive scan?
     
  5. taba

    taba Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    25
    Thanks for the links, Paulson. Looks like great info - I'll check it out in a bit. I'm familiar with the GRC site - I use some of his utilities on every system I check or use. Very helpful. I'm surprised that his NetBios disabler didn't really disable NetBios.

    Now on to another round of testing...
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again Taba, being online should make no difference, though I would stop any resident anti-virus programs as they can get in the way :)

    Pilli
     
  7. paulson

    paulson Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    25
    Location:
    South Of Germany
    The GRC stuff is quite good, no question. But it only disables DCOM, the Messenger service and UPnP. This is a "one for all" solution. Every user could and should use these tools. If your machine is standalone (you said so) and never connected to a network environment, there are some more options to protect it. When doing this you can (or better, you will) lose the ability to share stuff or interact with other machines in a network, because all doors are really closed (and can't be opened unless you change the settings). You can't do this in most office and home network environments.
    paulson
     
  8. taba

    taba Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    25
    OK, I ran the full scan again with all options. Here's the scandump. I also installed Port Explorer - I'm posting the results but it's probably going to be messy to read. Let me know if there's something else that would be helpful.

    Thanks for any help in figuring out why NetBios won't close, and if there's anything else going on here.


    Scan Control Dumped @ 17:55:28 27-07-04
    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 368 bytes
    File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c3ec04c61fc1.tif:xj1phwzh5qcwungrn45kt3kice

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 368 bytes
    File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c3ec12e71538.tif:xj1phwzh5qcwungrn45kt3kice

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 368 bytes
    File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c3f72c8091db.tif:xj1phwzh5qcwungrn45kt3kice

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 324 bytes
    File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c4024c113ac2.tif:xj1phwzh5qcwungrn45kt3kice

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 368 bytes
    File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c420aaad73c0.tif:xj1phwzh5qcwungrn45kt3kice


    Port Explorer results (the 207.69.... is my ISP)
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDR | LOCAL PORT | REMOTE ADDR | REMOTE PORT | PORT STATUS | SENT | RECVD |
    ------------------------------------------------------------------------------------------------------------------
    | SYSTEM | --- | 4 | TCP | 0.0.0.0 | 1027 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | ccapp.exe | 18:06 27/07/2004 | 388 | TCP | 127.0.0.1 | 1028 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | lsass.exe | 18:05 27/07/2004 | 664 | UDP | 0.0.0.0 | 500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 18:05 27/07/2004 | 824 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 18:05 27/07/2004 | 880 | TCP | 0.0.0.0 | 1025 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 18:09 27/07/2004 | 880 | UDP | XX.XXX.X.XX | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 18:09 27/07/2004 | 880 | UDP | 127.0.0.1 | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1029 | 207.69.188.186 | 53 | LISTENING | 15/572 | 11/2174 |
    | svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1031 | 207.69.188.186 | 53 | LISTENING | 5/219 | 4/674 |
    | svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1032 | 207.69.188.185 | 53 | LISTENING | 1/45 | 1/221 |
    | vsmon.exe | 18:05 27/07/2004 | 1508 | TCP | 0.0.0.0 | 1026 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | iexplore.exe | 18:11 27/07/2004 | 2080 | UDP | 127.0.0.1 | 1036 | 127.0.0.1 | 1036 | LISTENING | 361/361 | 361/361 |
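
    Reading the table above (an added example, not code from the thread, from DiamondCS or from GRC): the Python script below parses a Port Explorer listing in the format taba posted, with the rows embedded verbatim as the sample input, and sorts each socket into one of four buckets, so the question "who is 135 connecting to?" can be answered from the listing itself. The 135 row has remote address 0.0.0.0 and remote port 0, i.e. svchost.exe is only listening, not talking to anyone. TCP 135 is the DCE/RPC endpoint mapper used by DCOM rather than NetBIOS (NetBIOS proper is 137-139, and 445 is SMB over TCP), which is why disabling NetBIOS over TCP/IP in the adapter properties leaves 135 open. The port-to-service table and the set of ports that "must be closed" on a standalone host are my assumptions; the UDP rows to 207.69.188.x:53 are DNS queries to the ISP resolver, which Port Explorer labels LISTENING because UDP has no connection state.

```python
"""Classify a Port Explorer socket listing (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed input: the Port Explorer table taba posted, copied verbatim.
SAMPLE_LISTING = """\
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDR | LOCAL PORT | REMOTE ADDR | REMOTE PORT | PORT STATUS | SENT | RECVD |
------------------------------------------------------------------------------------------------------------------
| SYSTEM | --- | 4 | TCP | 0.0.0.0 | 1027 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| ccapp.exe | 18:06 27/07/2004 | 388 | TCP | 127.0.0.1 | 1028 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| lsass.exe | 18:05 27/07/2004 | 664 | UDP | 0.0.0.0 | 500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:05 27/07/2004 | 824 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:05 27/07/2004 | 880 | TCP | 0.0.0.0 | 1025 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:09 27/07/2004 | 880 | UDP | XX.XXX.X.XX | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:09 27/07/2004 | 880 | UDP | 127.0.0.1 | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1029 | 207.69.188.186 | 53 | LISTENING | 15/572 | 11/2174 |
| svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1031 | 207.69.188.186 | 53 | LISTENING | 5/219 | 4/674 |
| svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1032 | 207.69.188.185 | 53 | LISTENING | 1/45 | 1/221 |
| vsmon.exe | 18:05 27/07/2004 | 1508 | TCP | 0.0.0.0 | 1026 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| iexplore.exe | 18:11 27/07/2004 | 2080 | UDP | 127.0.0.1 | 1036 | 127.0.0.1 | 1036 | LISTENING | 361/361 | 361/361 |
"""

# Assumed port-to-service table. TCP 135 is the DCE/RPC endpoint mapper (DCOM),
# not NetBIOS; NetBIOS proper is 137-139, SMB over TCP is 445, XP's UPnP host is 5000.
WELL_KNOWN = {
    ("TCP", 135): "RPC endpoint mapper (DCOM)",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB over TCP",
    ("TCP", 5000): "UPnP device host",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 123): "NTP (Windows Time)",
    ("UDP", 500): "IKE (IPsec key exchange)",
    ("UDP", 53): "DNS",
}

# Assumption: a standalone host with no sharing has no use for these listeners.
MUST_BE_CLOSED = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 5000),
                  ("UDP", 137), ("UDP", 138)}


@dataclass(frozen=True)
class Socket:
    process: str
    pid: int
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: str  # '0' or '*' when there is no peer
    status: str

    @property
    def loopback_only(self) -> bool:
        return self.local_addr.startswith("127.")

    @property
    def has_peer(self) -> bool:
        # A concrete remote address means this socket exchanges data with one host.
        return self.remote_addr not in ("0.0.0.0", "*.*.*.*")


def parse_listing(text: str) -> list[Socket]:
    """Parse the pipe-delimited table, skipping the header row and the dashed rule."""
    sockets: list[Socket] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 11 or cells[0] == "NAME":
            continue
        name, _created, pid, proto, laddr, lport, raddr, rport, status, _sent, _recvd = cells
        sockets.append(Socket(name, int(pid), proto, laddr, int(lport), raddr, rport, status))
    return sockets


def classify(sock: Socket) -> tuple[str, str]:
    """Return (verdict, reason): loopback / connected / close / review."""
    key = (sock.proto, sock.local_port)
    service = WELL_KNOWN.get(key, "unknown")
    if sock.loopback_only:
        return "loopback", f"{sock.process} on 127.0.0.1:{sock.local_port} ({service}); unreachable from the network"
    if sock.has_peer:
        # Port Explorer marks every UDP socket LISTENING; a UDP row with a real peer
        # and traffic counters is a client socket (here: DNS queries to the ISP).
        peer_port = int(sock.remote_port) if sock.remote_port.isdigit() else -1
        peer = WELL_KNOWN.get((sock.proto, peer_port), "unknown")
        return "connected", f"{sock.process} exchanging data with {sock.remote_addr}:{sock.remote_port} ({peer})"
    if key in MUST_BE_CLOSED:
        return "close", f"{sock.process} listens on {sock.local_addr}:{sock.local_port} ({service}) with no peer; close it"
    return "review", f"{sock.process} listens on {sock.local_addr}:{sock.local_port} ({service}); check PID {sock.pid}"


def audit(text: str) -> list[tuple[Socket, str, str]]:
    return [(s, *classify(s)) for s in parse_listing(text)]


def still_exposed(text: str) -> set[tuple[str, int]]:
    """Must-close ports still listening on a non-loopback address; empty once hardened."""
    return {(s.proto, s.local_port) for s, verdict, _ in audit(text) if verdict == "close"}


if __name__ == "__main__":
    for sock, verdict, reason in audit(SAMPLE_LISTING):
        print(f"[{verdict:9}] {reason}")
    print("still exposed:", sorted(still_exposed(SAMPLE_LISTING)) or "none")
```

    Run as-is it prints one line per row and reports TCP 135 as the only exposed listener on the must-close list; paste in a fresh Port Explorer export after running WWDC and still_exposed() should come back empty. Anything left in the "review" bucket (here the high-numbered RPC/firewall ports owned by svchost.exe, vsmon.exe and SYSTEM) is judged by its owning process, not by the port number alone.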
     
  9. taba

    taba Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    25
    Sorry, Paulson, but I'm not quite sure what you are recommending here. Are you saying not to use these 3 GRC utilities to disable DCOM, messenger, and upnp? If there are better options for a completely standalone pc, I'm interested. This pc will never be used in a networked environment at home or office.
     
  10. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    You can try this wormdoor cleaner:
     

    Attached file: wwdc.gif (39.1 KB)
  11. taba

    taba Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    25
    Thanks, Gerardwil! That did the trick and 135 is now really closed. Also closed 445 as well.


    So is there anything else I should be checking given the logs above? Anyone?
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  13. paulson

    paulson Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    25
    Location:
    South Of Germany
    Hi, I didn't want to make things more complicated. What I tried to say was: use the GRC utilities, they are very good tools. After they have done their work, your machine is more secure than before and you are still able to use all of the networking functions Windows gives you. But if you're working on a standalone machine you can improve security and lower the risks by going further, e.g. you can unbind network services from your dial-up adapters and so on...

    The prog in gerardwil's post looks good, will check it out. Did TDS show all ports closed and not in use (Network --> Local Host Scanner) after running the wormdoor cleaner on your machine? Or was it an online scan that showed the ports closed?

    paulson
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi paulson, GK's WWDC does similar things to Steve's tools but in an all in one utility with a user friendly interface and loads of help on his website. :D
     
  15. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Yep, agree with Pilli there, its all-in-one utility is great.

    I've been beefing up security on my daughter's PC [new browser, email] etc. and I had done port scans and always Stealthed/Closed, depending on the site so no worries there.

    I read this thread and thought I'd try TCP Inspector in TDS and lo and behold it said the UPnP port 5000 was open. Huh? So I did a Trojan Port check also, and it said 5000 open.... whoa..

    I immediately did scans at 3 sites, GRC, PC Flank, Blackcode and all reported fine. I had already DISABLED UPnP in Services, I had already set FW rules up, but was still concerned with TCP Inspector's findings.... so dl'd gkweb's WWDC app, applied all the settings, and I am now convinced it's locked tighter than a fish's, you know what.

    TAS
     
  16. taba

    taba Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    25
    Thanks for clarifying, Paulson. I've been using GRC tools and tips for years (to disable upnp, dcom, tcp 135, unnecessary tcpip bindings, etc) and so was surprised when I discovered they didn't work completely on this pc. Online scans (GRC, PCFlank, Hackerwhacker) showed 135 and 445 closed, yet TDS showed both open. Hence the need to use the wormdoor cleaner which did really close them down based on new TDS-3 scans.

    Now I'm trying to figure out why a few ports are showing in use in Local Host Scanner. I emailed support rather than posting here because I'm getting a bit paranoid about posting info about potential security issues. ;)


    Pilli - thx for the feedback on the hidden data streams and for the links.
     