PRE-LOAD PROTECTION AFTER XP INSTALL!!

Discussion in 'other software & services' started by cortez, Nov 12, 2008.

Thread Status:
Not open for further replies.
  1. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    444
    Location:
    Chicago
    After a fresh XP Pro install I used Internet Explorer to get to the AT&T Browser site but was immediately bombarded by:

    1. a screen full of full blown porn ( a real porn site) and

    2. 7 Trojan infections!! Internet Explorer opened their MSN home page and BAM!! instant infections!! I did not even have a chance to click on anything or enter the site (Malwarebytes was able to remove them all).

    This has never happened to me before but to ensure that the install was squeaky clean I opted to reinstall XP and pre-installed AVAST, Spyware Blaster and COMODO before I turned on the modem to get on the web.

    After I was sure I was safe, I downloaded AT&T's Browser (an Internet Explorer shell-based browser). After this, SandboxIE and Returnil Premium are all systems go.

    This may have been a fluke incident but it is one fluke too many.

    Whew!! Talk about a drive by, this was with a mini-gun!! :D
     
  2. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Cool:
    Want to collect malware ... quick how to by cortez :D
    Who says all our various "stuffs" don't work..?

    Obviously been back to the site ?? Any issues ??
    Notify AT&T they are "hosting" some nasties??
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Did you install windows while connected to the internet? Did you update Windows before going online? If not, I assume you have had several vulnerabilities which may have included vulnerable services listening on ports.

    It was suggested to me a while back to close a few ports/holes before connecting and updating Windows. There is a thread here somewhere about it. I'll see if I can find it.

    Edit: Here is the thread although some of it is irrelevant. Post #2 is the advice I used but my last install was with SP3 slipstreamed with nlite.

    Edit#2: Oops, here's the link https://www.wilderssecurity.com/showthread.php?t=194208
     
    Last edited: Nov 12, 2008
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Personally, in my unattended XP DVD, my gateway is always set to the static IP of my NIC. Never allow the box to go outside until I am done with everything. Firewall, AV, HIPS/etc, close ports. All the goods are done before I ever let it online.

    Sul.
     
  5. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    444
    Location:
    Chicago
    I always shut down my modem when installing, but now know that this is not enough.

    On my Firefox browser your reference to "Post #2" does not show up. (EDIT: On my AT&T browser there still is not any reference to your post #2).

    Like Sully I will now pre-load all protection prior to going online.

    I still would like to know how to shut down ports. COMODO seems to ask before allowing any connection but this is not the same as actually knowing how to restrict access to ports, so I am still interested in your "Post #2" reference-- Thanks, cortez

    Note: I use a router and still I got nailed!!
     
    Last edited: Nov 12, 2008
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If using an unattended setup (which you should consider) you can set up your network, but like me just give it a gateway that goes nowhere. Then proceed to install and when done with everything, set it to your router.

    As far as ports are concerned, use WWDC (Windows Worm Door Cleaner, I think it is called). Close down all of them except for NetBIOS if you need it, or close that if you don't.

    Next, from a cmd prompt use netstat -ano. This will show you current open ports. Most often they are opened by services or current processes. Note the PID of the process with a port open. You can then use tasklist or tasklist -svc to check out what is holding it open. Then you must decide what apps/services to close for your effect. You might already know all of this though.

    The goal should be to have netstat -ano show one of 2 things: only NetBIOS open if using it, or if not using it, show nothing. Just note that if you open a browser or something, it will remain open for a time. It is best to do it upon first boot. There are other front end apps like TCPView or CurrPorts that will show you much the same data.

    Sul.
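The netstat -ano / tasklist /svc check Sully describes above, as an added example that is not part of the thread: it joins the two outputs on PID and lists every listening socket that is not a file-sharing port, so a first-boot review can be repeated without reading the raw tables by hand. The two sample outputs are constructed to look like Windows XP output, not captured from a real machine; the allowed-port set is an assumption (137-139 for NetBIOS as in Sully's post, plus 445 because XP file sharing listens there too).

```python
"""Join `netstat -ano` with `tasklist /svc` and report unexpected listeners.

Added example, not from the thread. Both samples below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` on Windows XP; not real captured output.
# The ESTABLISHED line stands for the browser connection Sully mentions.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       1020
  TCP    192.168.1.10:1054      64.4.1.1:80            ESTABLISHED     1480
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:138       *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1144
"""

# Constructed sample of `tasklist /svc`; not real captured output.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    924 RpcSs
svchost.exe                   1020 TermService
svchost.exe                   1144 SSDPSRV, upnphost
iexplore.exe                  1480 N/A
"""

# Assumption: ports that may stay open when file/printer sharing is wanted.
# 137-139 are NetBIOS (Sully's post); 445 is direct-hosted SMB, added here.
NETBIOS_PORTS = frozenset({137, 138, 139, 445})

# TCP rows carry a State column, UDP rows do not, hence the optional group.
_NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)$")
# Image name may contain spaces ("System Idle Process"); PID is the first number.
_TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat(text: str) -> List[Tuple[str, int, int]]:
    """Return (proto, local_port, pid) for sockets that accept input:
    TCP sockets in LISTENING state and every bound UDP socket."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line.strip())
        if not m:
            continue
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound/established connections are not listeners
        port = int(local.rsplit(":", 1)[1])  # rsplit also handles [::]:port
        rows.append((proto, port, int(pid)))
    return rows


def parse_tasklist(text: str) -> Dict[int, Tuple[str, str]]:
    """Map PID -> (image name, services hosted) from `tasklist /svc` output."""
    procs: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line.rstrip())
        if not m:
            continue  # header and separator lines carry no PID
        image, pid, services = m.groups()
        procs[int(pid)] = (image, services.strip())
    return procs


def unexpected_listeners(netstat_text: str, tasklist_text: str,
                         allowed=NETBIOS_PORTS) -> List[Tuple[str, int, int, str, str]]:
    """Listeners outside the allowed set as (proto, port, pid, image, services),
    sorted by port. An empty result is Sully's 'show nothing' goal."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for proto, port, pid in parse_netstat(netstat_text):
        if port in allowed:
            continue
        image, services = procs.get(pid, ("<unknown>", ""))
        rows.append((proto, port, pid, image, services))
    return sorted(rows, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    for row in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-3s %5d  PID %-5d %-12s %s" % row)
```

On the constructed sample the report names three services to decide about: RPC on TCP 135, Remote Desktop (TermService) on TCP 3389 and SSDP/UPnP on UDP 1900; the file-sharing ports are skipped and the browser's ESTABLISHED connection is ignored because it is not a listener. Pass allowed=frozenset() to audit a box where NetBIOS is not wanted at all.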
     
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
  8. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    444
    Location:
    Chicago
    innerpeace:

    Thanks for the link to the post and the other links. It looks like I will be busy for a while getting up to speed on ports and their importance to security.

    Sully:

    Thanks for your informative reply. I found "Windows Worms Doors opener" and will try to get to know it.

    port closings.JPG

    Longboard:

    Thanks for the funny post, just what I needed to lift my spirits after a deadly drive by.
    --cortez
     
  9. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    It definitely must have been a fluke. I've never bothered to disconnect from the network when installing windows xp and never had any troubles. As long as you have sp2/sp3 the firewall is enabled by default so you are pretty safe. You can also remove the default firewall exceptions to increase security.
    But all this is unnecessary if you have a properly configured hardware firewall.
     
  10. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    444
    Location:
    Chicago
    Hello farmerlee,

    I agree it was a fluke as it is the only time it has happened in over 50 fresh installs.

    I had to reinstall just in case the porn site Trojan was somehow still lurking hidden somewhere and would pop up while either my grandchildren or wife used this partition. If that happened I would never have heard the end of it.

    I had installed SP2 and SP3 and some updates prior to hooking up. I did not have COMODO installed yet, only the standard XP firewall.

    I will look into the exceptions you mention that are "on" in the XP firewall, this is the first time I heard of them.

    Seems that XP firewall has more to it than I thought.

    Thanks for the heads up.
     
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @cortez:
    I was wondering about this:
    Didn't you say you were behind a router ?
    I took that to mean HW Firewall...??
     
  12. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Yeh a router with built in firewall.
     
  13. norky

    norky Registered Member

    Joined:
    May 1, 2004
    Posts:
    172
    Location:
    Lithia, FL
    I've got to call shenanigans on this
     
  14. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    444
    Location:
    Chicago
    I got an "Air Link 101" hardware router sitting on top of my machine.

    I thought I was buying a router/firewall combination but now I am not too sure it operates as a hardware firewall seeing that I got creamed with porn and 7 Trojans.

    I now wonder how to test to see if my router is also a HW firewall?

    I pinged it and it pinged back from the manufacturer's server. My address is the one given me by the server which is different from the DSL address from my internet service.

    Perhaps I need to get another router that is also a Hardware Firewall.
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Here I load all my needed security/maintenance apps from a usb drive to a fresh install, including Firefox and I'm behind a hardware firewall.

    You can also copy and paste "C:\Documents and Settings\USERNAME\Application Data\Mozilla" (XP), or "C:\Users\USERNAME\AppData\Roaming\Mozilla" (Vista) folder from an old install to a new install which will have all your addons, bookmarks, about:config tweaks etc and will save a lot of time reinstalling/finding/tweaking those.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Cortez, if you have a router, and not a wireless access point, odds are very very high that it has at least NAT. And odds are still very high it has some rudimentary firewall as well, sometimes just listed as SPI. Go into the router menus and you should be able to tell.

    As far as pinging is concerned, most routers I have ever set up were by default set to not reply to a WAN ping. However, there is the option to make it do so.

    If you have not set the admin password to something other than default, and if you have no security for your wireless, it is quite easy for a drive by or neighbor to then access your router and set it to anything they like.

    If your router is set to not reply to WAN ping requests, and it has NAT and/or a firewall, then I don't know what to say. If you don't have anything going 'out' from your box on a default install, it is hard to say. Normally that is how it happens. If your router has no NAT or firewall, I would also say it is a fluke. I have had boxes up on DMZ or just raw on a STATIC DSL IP, and have seen many port scans. I closed all ports, so I have never seen those rigs get 'cracked', but surely they were scanned.

    You can also get software for your router that will show you what the router logs contain. At work I use an older linksys router with NAT/SPI, and use WallWatcher to monitor the logs. It is very interesting to see how many things a router blocks. Both legitimate as well as nefarious.

    Sul.
     
  17. cortez

    cortez Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    444
    Location:
    Chicago
    Franklin:

    Good solution, especially pre-loading Firefox's bookmarks etc. I definitely will include this on my next install as it is a real time saver.

    Sully:

    I will start with an administrator's password and start learning how my particular router works. I did not realize that it needed some attention as I thought it was automatic, a very dangerous assumption as it turned out!

    Thank you gentlemen for your insights. ---cortez
     