Port 1433

Discussion in 'Security and Privacy' started by Deloris, 2002/05/27.

Thread Status:
Not open for further replies.
  1. 2002/06/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Deloris - you might want to try the first link again. Worked fine for me. Had to do with a trojan allowing someone full use of your web cam(s). Bad stuff and more likely to hit home with most of us than the "big business" second one.

    Brett - thank you. Interesting links.
     
  2. 2002/06/02
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    Hey folks, I disabled my AdAware (correction=Zone Alarm) last week and forgot to turn it back on. You guessed it. While eating lunch in view of my monitor, a virus alert flashed on screen. Then another and a third before I could get the plug pulled from the nic.

    Following the indicated path on the alert message I see that inside the My Documents folder is the folder named My Pictures. It has the blue hand that indicates it is shared (no way I set that up) and inside it are three files, all with an eml extension. Their names were myhomework.eml, dads.eml, and jayson.eml. A second scan with AV gave the confirmation that they were all infected with the Nimda bug.

    We can only wonder if they contained pictures from some other innocent person's web cam or whether they were merely script files. That first link in Brett's post refers to this scenario so I'm here to tell you it's a real possibility.

    I did a good scrub down and turned AdAware (correction=Zone Alarm) back on of course. ;)
    edit, corrected post to name Zone Alarm instead of AdAware. Pardon my confusion please.
     
    Last edited: 2002/06/03

  4. 2002/06/03
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Zephyr - Nimda creates mime encoded versions of itself in files with an .eml extension. As these .eml files are a result of infection rather than the source of infection, you may wish to re-scan your system.

    BTW, Ad-aware would not have prevented this infection.
     
  5. 2002/06/03
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Wow! Talk about timing! I think you just topped us all, Zephyr. Sorry about your problem. I agree with brett, that you should re-scan. You're probably still not rid of it. You want to make certain that demon is gone.

    Well, for some reason the first link brett gave still won't work for me. I just get a blank window. Nothing on it at all. Maybe the actual url address would work.

    I think I am having some minor problems with IE. It's been doing this "the page cannot be displayed" bit quite a bit lately. But brett's link was the first totally blank window I've gotten. I've gotten three more from some other links that were given to me since then on another post. I think it might be time for an Internet Explorer repair & if that don't work, pilfer through some other possible fixes. I hope I don't have a Gremlin lurking around in this thing. :)

    BTW, I sent that one article to a friend in Tennessee & he wrote back wanting to know if I didn't think his Norton System Works 2002 was enough protection. He wasn't being sarcastic. He really wanted to know. I told him, no way, and that if he read all three pages of that article, it would be enough to scare the pants off of you. Then I explained exactly what a Firewall does & that open ports are an invitation to disaster, especially the NetBios port & a few others, and that Norton don't protect them, without a built in Firewall, & I didn't think NSW 2002 had that. I asked if he knew that he had over 65,000 ports on his computer & then told him that they were all vulnerable to some sort of unwanted traffic without a good Firewall. Betcha I made the hair stand up on his neck. :D I sent him some links for reading about the Firewalls I use. ZA & Sygate. Both good Firewalls. Haven't heard back from him yet though. :)

    My oldest daughter is the most hard headed one of the ones I am trying to convince. Don't know what I am gonna do with her, if she don't get some sense. Refuse to fix her computer I guess, when her bull headedness gets her into trouble. :D Wonder where she gets it. :)

    Deloris.
     
    Last edited: 2002/06/03
  6. 2002/06/03
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    I think you're right. NPF is bundled with NIS but not NSW although NSW and NPF are quite often sold as a bundled package.
     
  7. 2002/06/03
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    especially the NetBios port & a few others, and that Norton don't protect them, without a built in Firewall, & I didn't think NSW 2002 had that.

    I myself am not 100% clear on this but, I believe even with a Firewall if File and Printer Sharing is bound to TCP/IP it still leaves at least port 139 ( NetBios ) wide open.

    I say I am not clear because I believe that if software ( F&PS ) is holding the port open the Firewall will not block access to it.

    I am not even sure the Router would block access to it.

    :) And I am not about to bind it to find out. :)

    Many users do not realize that F&PS is bound to TCP/IP by default when Windows is installed or Dial-up Networking is re-installed.

    BillyBob
     
  8. 2002/06/03
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    ... which is precisely why one should unbind these services.

    A PF will block any incoming connection request for which there was not an associated outgoing request. Therefore, if some "leak-test" style nasty were to be able to find its way past your firewall and initiate an outgoing request whilst these services were enabled, you'd be *******!
     
  9. 2002/06/03
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Thanks brett

    That enforces what I thought to be true.

    Again many users are not aware of that. And with DSL or Cable ( always connected ) it is even more important to not have F&PS bound.

    In fact with my 3 machine LAN I have NOTHING bound to any TCP/IP on any machine. And for quite some time I had both A Dial-up Adapter and a Cable connection to the Internet on each.

    BillyBob
     
    Last edited: 2002/06/03
  10. 2002/06/03
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    Thanks Brett and Deloris for the tip about the possible further infection from the Nimda bug.

    Unfortunately or fortunately we'll never know if it was a secondary effect or a primary intrusion since I used GoBack to revert the drive to a point before it happened.

    Consider this though, I have AV running full time and it caught the intrusion immediately. I have ZoneAlarm but it was disabled at the time. It may be true that ZoneAlarm would not have caught it but McAfee sure did. It is always up to date automatically although I check it manually often just to see.

    As I said, the properties of the folder were altered to allow sharing so that indicates that some script was run prior to placing the tainted files in that folder. That does tend to back up the theory that the infection was elsewhere and what I saw was merely the results of its work.

    I am going to guess that the Nimda was part of a package delivered by some other means that ZoneAlarm would have nailed had it been online. I think that is the most likely scenario but as I say, we'll never know. Darn, I wish I had taken the time to scan the drive before reverting it just to see what the other bug's name was, if there was one.

    I'm kind of glad it happened just so I'll know that my paranoia is not unjustified and it's worth the small effort it takes to have ZoneAlarm. Frankly I was doubting its worth, that's why I had disabled it. No more!

    Regards.

    ps, I mistakenly said AdAware in my first post when I was really meaning to say Zone Alarm. My poor brain is overloaded sometimes. I must agree, AdAware certainly would not have caught this. ;) I'm almost certain that Zone Alarm would have.
     
    Last edited: 2002/06/03
  11. 2002/06/03
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    File & Printer sharing are very useful if you have networked PCs on a LAN. Sure, you can turn it off but you will lose some functionality in the effort to safeguard your LAN.

    Better IMO to use

    1. strong passwords for the shares (strong = 8+ characters, not a word in any major language, and including some symbol(s) within the password). A strong password would be something like aTb1C#uv@7.

    2. Scope IDs. See Q138449 for a little more detail. Briefly, if a scope ID is set, only other machines with the same scope ID will be able to communicate using NetBios over TCP/IP.
     
  12. 2002/06/03
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Newt

    What are the advantages/disadvantages to the above approach compared to handling file/printer sharing within a LAN via NetBEUI rather than TCP/IP?
     
    Last edited: 2002/06/04
  13. 2002/06/03
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    I have been having problems getting back to here.

    Newt, if you're like me & don't have networked computers, then there's no need for P&FS.

    I unchecked it before I found out that it was dangerous for it to be checked, because I ran across it one day & when I right clicked to see what it was for, I unchecked it because it seemed it wasn't necessary to have it checked, since I don't have any networked computers. Then later I found out, to my surprise, that I'd actually done the right thing without knowing about the danger. That was an accidental benefit of being nosey & logical. :D

    I guess having that restore feature is a good thing, Zephyr, but I don't have it, so when mine gets messed up bad enough, I have to do a total clean re-install. It's a pain, but at least I know how to do it on my own now. Being the type to want to do my own thing, I plugged away until I learned how to do it without help.

    Like you Zephyr, I am paranoid as all get out. Some people think my paranoia about computer safety borders on psychotic. :D

    Ever since that one time that I got infected with the Kak virus over two years ago, I have been so very protective of my baby. Yep, it's my baby! TV isn't worth watching anymore & I get bored stiff with it. Working on my computer & playing my Fiddle both help to keep my wits sharpened.

    I forgot to tell Bill about the File & Print Sharing thing. Guess I had a senior moment there. :D Since Bill is running Windows 2000, will his P&FS be in the same place as Windows 98? I don't know anything about Win 2000.

    Bye! Catch you guys later.

    Deloris.
     
  14. 2002/06/03
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    but you will lose some functionality in the effort to safeguard your LAN.

    Please tell me where you feel any functionality is lost. Unless there is something I have not tried I don't see any loss.

    If it is speed you are referring to, leave me out as speed is not my cup of tea. Data and machine protection come first.

    If you don't want somebody sharing something on your machine just don't set it to be shared. It is very easy to share the whole drive or just part of same. Passwords are nice but they are a BIG pain if they are forgotten.

    I myself only set things to be shared when they need to be. Nothing is continuously shared.

    It depends quite a bit on how the LAN is set up.

    One PC with one NIC and one with TWO NICs I know nothing about.

    With one NIC in each machine and connected through a HUB And the Hub connected to the Internet. I do.

    With IPX/SPX and NetBeui installed it is absolutely unnecessary to have F&PS bound to TCP/IP. And each card does not need an IP Address. It works with names.

    With no IP Address on the card and F&PS not bound to TCP/IP keeps the LAN & Internet SEPARATED.

    On a LAN that has F&PS bound to TCP/IP, anyone that can access just one machine may be able to get to them all via NetBIOS ( port 139 which F&PS keeps open )

    Now the above is not just my way of doing things. It came right from Symantec in their instructions on how to protect your Network. And that was as much as two years ago. ( if not more )

    Now that I have a Router/Switch I don't need to worry quite as much as it keeps the LAN and the Internet separated anyway.

    With the Router each machine has an IP address but it is not in the properties of the card itself. All three cards are set to Auto obtain IP. The Router being set to be a DHCP server I guess does that.

    But even with the Router You do not want F&PS bound to TCP/IP

    And both Symantec and GRC sites will tell you the same. I was on the GRC site the other day and I believe they stressed that quite strongly.

    Plus I have the added protection with having Norton Internet Security installed with which I can stop any machine on the LAN from getting to this one. Or I can go to the other one and stop me from getting there.

    Each game my Wife and I play between the machines MUST have permission from BOTH parties ( both in & out ) before we can play.

    :) I even blocked myself out of one machine a couple of days ago. :)

    BillyBob
     
    Last edited: 2002/06/03
  15. 2002/06/04
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    While Microsoft's networking client is installed, a default setting which would have protected many millions of computers if it were normally set to OFF instead of ON is TCP/IP File and Printer Sharing. We already know how useful it is to share files and printers among the machines on our LOCAL networks. But "binding" the NetBIOS protocol to the TCP/IP protocol with this setting automatically extends your computer's file sharing services out across the entire Internet. (The "Network Bondage" page also provides a clear explanation of changing this setting if you need or wish to retain the Client for Microsoft Networks but want to prevent Internet intruders from gaining access to your computer.)

    The above is a very SMALL excerpt from a page at GRC.COM.

    It clearly says; ( at least to me it does )

    " If you do not want to share your PC ( or PCs if on a LAN ) with the World, DO NOT bind F&PS to TCP/IP "

    And I agree 100%. F&PS should never have been bound to TCP/IP by default.

    BillyBob
     
    Last edited: 2002/06/04
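
An added example, not part of any post in this thread: a small Python audit that reads `netstat -an` output and reports where the file-and-printer-sharing ports are bound, which is the condition the posts above warn about (port 139 reachable over TCP/IP). The sample output, the addresses and the function names are constructed for illustration; ports 137, 138 and 445 are included in addition to the 139 named in the thread.

```python
import ipaddress
import re

# 139/tcp is the port named in the thread; 137/udp, 138/udp and 445/tcp are
# the other Windows file-sharing ports, added here as an assumption of scope.
SHARING_PORTS = {("TCP", 139), ("UDP", 137), ("UDP", 138), ("TCP", 445)}

# Private and link-local IPv4 ranges: a socket bound here answers on the LAN side.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# One IPv4 row of `netstat -an`: proto, local addr:port, foreign addr, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

# Constructed sample. 203.0.113.25 is a documentation address standing in for
# the public IP of an adapter connected straight to a cable/DSL modem.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1042      ESTABLISHED
  TCP    203.0.113.25:139       0.0.0.0:0              LISTENING
  UDP    192.168.1.10:137       *:*
  UDP    203.0.113.25:137       *:*
  UDP    203.0.113.25:138       *:*
"""

def audit_sharing_listeners(netstat_text):
    """Return (proto, port, local_ip, scope) for each bound file-sharing port."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, non-IPv4 rows
        proto, host, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if (proto, port) not in SHARING_PORTS or (proto == "TCP" and state != "LISTENING"):
            continue  # other services, or an established session rather than a listener
        addr = ipaddress.ip_address(host)
        if addr.is_loopback:
            continue  # only reachable from the machine itself
        if addr.is_unspecified:
            scope = "all-interfaces"   # 0.0.0.0: answers on every adapter
        elif any(addr in net for net in LAN_NETS):
            scope = "lan"
        else:
            scope = "internet-facing"
        findings.append((proto, port, host, scope))
    return findings

def exposed(findings):
    """Listeners bound to every interface or to a non-LAN address."""
    return [f for f in findings if f[3] != "lan"]

if __name__ == "__main__":
    for proto, port, host, scope in audit_sharing_listeners(SAMPLE_NETSTAT):
        print(f"{proto:3} {port:<4} {host:<15} {scope}")
```

After sharing is unbound from the Internet-facing adapter, the rows marked `internet-facing` should no longer appear when the same check is run on fresh `netstat -an` output.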
  16. 2002/06/04
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    Hello guys,

    Could I please, please, get an answer to this question I posted earlier. :D

    I forgot to tell Bill about the File & Print Sharing thing. Since Bill is running Windows 2000, will his P&FS be in the same place as Windows 98? I don't know anything about Win 2000.
     
  17. 2002/06/04
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    I suppose so :p

    The answer is no!
     
  18. 2002/06/04
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Ok. You'll find a guide here but the easiest way is to use EBURGER.
     
  19. 2002/06/04
    Deloris

    Deloris Inactive Thread Starter

    Joined:
    2002/01/10
    Messages:
    483
    Likes Received:
    0
    brett! :D :D

    Thank you for the guide. I am sure it will help him a lot. I shall send it to him & hope he does what it says. :)

    As Tweety Bird would say, "Tank You Vewy Much. "
     
  20. 2002/06/04
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    From Brett
    If it were only a matter of file/printer sharing, I suppose NetBEUI or IPX/SPX would do fine. Although I do seem to remember my system giving me problems with large print jobs with NetBEUI. Not positive though and I haven't run that way for a good while so it may not have been the cause of problems.

    I like the availability of the various diagnostic utilities those protocols lack. I also like the TermServ remote control feature and AFAIK, it requires TCP/IP.

    There are probably more items like the above but I haven't really worried too much about them since I run TCP/IP as described on the previous page.

    And I really wonder if M$ hiding NetBEUI when they released XP isn't a sign that they may not continue to support it for much longer. I am basically lazy and would rather not have to re-do my setup if that happens.

    All in all, the NetBEUI/IPX option is simpler and easier to safeguard so is probably a preferred solution for most folks with a home network.

    It is just that the idea of all that unnecessary broadcast traffic and the extra protocol(s) running affects me like having bugs in the house. Mostly harmless and rarely noticed but I just don't like em. :D
     
  21. 2002/06/05
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Newt

    What you ( we ) are basically saying is that there is more than one way of doing things.

    What we wish certain things to do for us and our personal preferences.

    There are ( or at least may be ) advantages, drawbacks or certain dangers to either.

    But the main thing is to be aware of those advantages, drawbacks or dangers. And know how to work with ( or around ) them.

    If we all did or liked the same things,

    IF Windows would install and behave the same on all systems,

    Life would be VERY boring. :( And we would have nothing to discuss here. :( Which I personally would miss.

    BillyBob
     