Computer Security - Win2k Netstat sockets interpretation

#1

I have been trying to learn as much as I can about internet 'security' to get a better feeling for what data is leaving my home, cable-connected computer. Win2K SP4, ZA Internet Security 7 (High security), cookies expire immediately, remote access service disabled, file sharing deleted in network adapter properties. T-bird, Firefox 2.0. BUT netstat /a indicates NetBIOS ports 137, 138, 139, 445 listening when I allow ZA to let T-bird act as a server to connect to the mail/news server.

I am confused by netstat's output and don't understand the loopback 0.0.0.0 ports, the 255.255.255 gateway significance? I see when I have established TCP/IP connections to web pages' IP addresses, but the other report outputs are confusing? For eg; if I allow svchost to access 0.0.0.0 when Firefox 2.0 opens I notice random ports assigned to URLs or IP addresses. Most are obvious, but Akamaitech~ is frequently there and Firefox always has 4 connections local and 4 remote open in addition to the URL I am browsing????

The output from Ethereal showed a big download in the background from Google... hex and what looks like certificates or hosts file additions to banks..... I have no option to control F.F. updates and I'd like to know when/what is updated, since permissions and options have a nasty habit of being reset to 'lame' when updates happen silently [old M$ trick]. I have checked many netstat resources to no avail... help?

Warf, back in the saddle.... but I'm still slippin' off!

warf
#2

warf wrote:
> I have been trying to learn as much as I can about internet 'security'

Obviously you didn't. Anyway, else you would have never installed:

> ZAint-security7-Highsecurity,

to **** up your system for no good reason.

> to get a better feeling for what data is leaving my home,

Eh... is that any serious problem at all?

> cookies expirede immediately,

What nonsense. Seems like you don't understand the concept of cookies.

> BUT, netstat /a indicates netbios ports 137,138,139,445 listening

See, you didn't learn anything. You didn't even disable the SMB binding and the NetBIOS bindings. And this even when some clever guys already collected an easily understandable overview on websites like <http://ntsvcfg.de/ntsvcfg_eng.html>.

> when I allow ZA to allow T-bird to act as a server

Again, pure nonsense. Thunderbird doesn't open any ports in LISTENING state. And no, the things below are no excuse for ZA.

> I am confused by netstats output and don't understand the loopback
> 0.0.0.0 ports, the 255.255.255 gateway significance?

0.0.0.0 is no loopback, 255.255.255.x is no gateway. You want to run a host-based packet filter as a security mechanism, but you don't even have the slightest clue about TCP/IP? Go figure!

> For eg; If I allow scvhost to access 0.0.0.0 when firefox2.0 opens i
> notice randomly ports assigned to urls or ip addresss.
> and firefox always has 4 connections local and 4 remote open inaddition
> to the url i am browsing????

*repeating for the thousandth time*

'netstat' on Win2K provides a view on the state of the *TDI interface*, not the actual TCP/IP sockets. The TDI interface has different semantics, and something appearing as 0.0.0.0 listening means "an outstanding request to open a TCP/IP connection", thus no actual TCP/IP socket in LISTENING state. If you had just taken the simplest measures to actually verify such bogus open ports with a port scan, you'd have found them closed.

> but Akamaitech~ is frequently there

Wow... Windows Automatic Updates... the mysteries of technology aren't to be believed !!!11

> I have checked many netstat resources to no avail...help?

MSDN... Ah, it might just be better to get a replacement which works like the real netstat command, e.g. TcpView from Sysinternals^W Microsoft.

Sebastian Gottschalk
#3

Sebastian Gottschalk wrote:
> warf wrote:
>
>> I have been trying to learn as much as I can about internet 'security'

snip diatribe and gratuitous snarling....

>> to get a better feeling for what data is leaving my home,
> Eh... is that any serious problem at all?

Yes, if you have, or ever did have, any media on your system, or if you realize the RIAA and ilk will someday get the legal club to go after 'other' citizens for $750USD/title, or even if you are just fed up with surreptitious datamining for unstated purposes, or if subversion of your connection for nefarious purposes is 'problematic': then, YES.

>> BUT, netstat /a indicates netbios ports 137,138,139,445 listening
>
> See, you didn't learn anything. You didn't even disable the SMB binding and
> the NetBIOS bindings. And this even when some clever guys already collected
> an easily understandable overview on websites like
> <http://ntsvcfg.de/ntsvcfg_eng.html>.

I said I was "trying"... never claimed to 'know'. Better I should be like the rest of the cattle and pretend it is not really going to affect me? By making an effort to learn I take responsibility... you have been helpful... even if grumpy.

>> when I allow ZA to allow T-bird to act as a server

snip.......

Restated: "When I run T-bird, ZA tells me T-bird wants to access the internet and act as a server." I have deleted "file and print sharing" under "internet connections" and disabled most recognizable "remote access" services under 'services.msc', but ZA detects a few remote access modules running and gives them permission if I select "OK" to the suggested query.

AND

>> For eg; If I allow scvhost to access 0.0.0.0 when firefox2.0 opens i
>> notice randomly ports assigned to urls or ip addresss.
>
>> and firefox always has 4 connections local and 4 remote open inaddition
>> to the url i am browsing????
>
> *repeating the thousandth time*
> 'netstat' on Win2K provides a view on the state of the *TDI interface*, not
> the actual TCP/IP sockeets. The TDI interface has different semantics, and
> something appearing as 0.0.0.0 listening means "an outstanding request to
> open a TCP/IP connection", thus no actual TCP/IP socket in LISTENING state.
> If you had just take the simplest measures to actualy verify such bogus
> open ports with a port scan, you'd have found them closed.

I am using Ethereal and there is traffic... I am 'learning' but it is a very complex topic... for non-pros like me... but that is why I ask.

>> but Akamaitech~ is frequently there
>
> Wow... Windows Automatic Updates... the mysterious of technology aren't to
> be believed !!!11

No, WINUPDATE is manual... I reassembled the TCP/IP stream and saw in one instance it was a ZA update. This concurs with the stated utility of those servers. I read conflicting ideas as to the scope of the AKAMAI servers and wondered why I would be 'uploading' to them as well... with opt-out selected for all products' 'satisfaction' reports.

>> I have checked many netstat resources to no avail...help?
>
> MSDN... Ah, might just be better to get a replacement which works like the
> real netstat command, f.e. TcpView from Sysinternals^W Microsoft.

Now I have to spracken ze duetch. That is exactly what I needed but the language for the links is all German!!! Damn.

Briefly: How does one interpret the 'listening', 'waiting', 'established' and all the other port information netstat lists? The only one I get is one with a 'foreign' IP and 'established'... those are actual internet connections, right? Eastlink is very coy and stingy with 'what services and ports I require' info... so I am trying to learn through you and int-resources. Thanks for that helpful link... wish I spoke enough German to decipher it!

Warf.

warf
#4

warf wrote:
> Sebastian Gottschalk wrote:
>> warf wrote:
>>
>>> I have been trying to learn as much as I can about internet 'security'
> snip diatribe and gratuitous snarling....
>>> to get a better feeling for what data is leaving my home,
>
>> Eh... is that any serious problem at all?
> [...]
> or if subversion of your connection for nepharious purposes is
> 'problematic: then,YES.

Subversion of your connection implies malicious software. There's nothing you can do against this except to ensure that it doesn't get executed in the first place. Once it's running, you've lost.

>>> when I allow ZA to allow T-bird to act as a server
> snip.......
> Restated "When I run T-bird ZA tells me T-bird wants to access the
> internet and act as a server.

Then uninstall this software. It's obviously telling nonsense.

>>> For eg; If I allow scvhost to access 0.0.0.0 when firefox2.0 opens i
>>> notice randomly ports assigned to urls or ip addresss.
>>
>>> and firefox always has 4 connections local and 4 remote open inaddition
>>> to the url i am browsing????
>
>> *repeating the thousandth time*
>> 'netstat' on Win2K provides a view on the state of the *TDI interface*, not
>> the actual TCP/IP sockeets. The TDI interface has different semantics, and
>> something appearing as 0.0.0.0 listening means "an outstanding request to
>> open a TCP/IP connection", thus no actual TCP/IP socket in LISTENING state.
>> If you had just take the simplest measures to actualy verify such bogus
>> open ports with a port scan, you'd have found them closed.
>
> Iam using Ethereal

Fine, then why don't you provide a dump of which traffic you see and what's unclear to you?

> and there is traffic...

Let's hash this together: If a socket is not in LISTENING state, even though TDI tells so, then all incoming traffic to that port gets a TCP RST as reply. Nothing more. If you're actively sending data on this port, it should be in the OPEN state and TDI just gets it wrong as well. If you're passively sending data on this port, really being in LISTENING state, then it can't be on 0.0.0.0, but must be bound to an interface. (An exception would be raw sockets, but this almost never applies.) In any case, TDI gets it wrong. Thus, there is traffic, but no port in LISTENING state.

> I reassembled the TCP/IP strream and saw in
> one instance it was a ZA update. This concurrs with the stated utility
> of those servers. I read conflicting ideas as to the scope of the AKAMAI
> servers and wondered why I would be 'uploading' to them as well...with
> optout selected for all products 'satisfaction' reports.

This "upload" is either the requests for the download or the ACKs of the connection. Unless we once again caught ZoneAlarm spying on the users.

>>> I have checked many netstat resources to no avail...help?
>>
>> MSDN... Ah, might just be better to get a replacement which works like the
>> real netstat command, f.e. TcpView from Sysinternals^W Microsoft.
>
> Now I have to spracken ze duetch. That is exactly what i needed but the
> launguage for the links is all german!!! Damn.

Ehm... now why don't you grab TcpView?

> Breifly: How does one interpret the 'listening', 'waiting',
> 'established' and all the other port information netstat lists?

Read RFC 793. On page 21 you'll find a wonderful ASCII art illustration.

> Eastlink is very coy and stingy with 'what services and ports I require'

As a client you don't require any services at all.

Sebastian Gottschalk
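The point made in #2 and #4, that a netstat line is a claim to be verified rather than a fact, and the question in #3 about what the state column means, can be put into runnable form. What follows is an added example by the editor, not code from anyone in this thread. It parses text in the layout of `netstat -an`, explains each line using the RFC 793 state names, lists which bindings a remote host could plausibly reach (a socket bound to 127.0.0.1 is loopback-only; 0.0.0.0 is the wildcard bind, i.e. every local address, and not the loopback address), and then does the check the thread recommends: a TCP connect. A port with a real listener completes the handshake; a port with no listener is answered with RST, which the client sees as ECONNREFUSED; no answer at all before the timeout usually means a filter dropped the SYN. The sample table is constructed (addresses taken from the documentation ranges, not from anyone's machine), and `demo_verify` opens its own loopback listener so the check runs offline.

```python
"""Read `netstat -an`-style output and verify a reported listener with a connect.

Added example for the thread above. The netstat text is constructed, not
captured from the poster's machine.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of `netstat -an` on Windows 2000.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1041       192.0.2.10:80          ESTABLISHED
  TCP    192.168.0.2:1042       192.0.2.10:80          TIME_WAIT
  TCP    192.168.0.2:1043       198.51.100.5:443       CLOSE_WAIT
  TCP    192.168.0.2:1044       198.51.100.5:443       SYN_SENT
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class Entry:
    proto: str
    local_ip: str
    local_port: int
    foreign: str            # "ip:port", or "*:*" for UDP
    state: Optional[str]    # None for UDP: it is connectionless


def parse_netstat(text: str) -> List[Entry]:
    """Turn the netstat table into Entry objects; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        ip, port = local.rsplit(":", 1)  # split on the last colon only
        entries.append(Entry(proto, ip, int(port), foreign, state))
    return entries


def describe(e: Entry) -> str:
    """Plain-language reading of one line, using the RFC 793 state names."""
    if e.proto == "UDP":
        scope = ("any interface" if e.local_ip == "0.0.0.0"
                 else "loopback only" if e.local_ip.startswith("127.")
                 else e.local_ip)
        return f"UDP socket on port {e.local_port} ({scope}); UDP carries no connection state"
    if e.state in ("LISTENING", "LISTEN"):   # Win2K prints LISTENING, other stacks LISTEN
        if e.local_ip == "0.0.0.0":
            return f"TCP server socket on port {e.local_port}, wildcard bind (0.0.0.0 = every local address, not loopback)"
        if e.local_ip.startswith("127."):
            return f"TCP server socket on port {e.local_port}, loopback only: unreachable from the network"
        return f"TCP server socket on port {e.local_port}, bound to {e.local_ip} only"
    if e.state == "ESTABLISHED":
        return f"live TCP connection {e.local_ip}:{e.local_port} <-> {e.foreign}; data can flow both ways"
    if e.state == "SYN_SENT":
        return f"outbound connection attempt to {e.foreign}, still waiting for the SYN/ACK"
    if e.state == "TIME_WAIT":
        return f"connection to {e.foreign} is finished; the port is held briefly for late segments"
    if e.state == "CLOSE_WAIT":
        return f"peer {e.foreign} closed its side; the local program has not closed the socket yet"
    return f"{e.proto} {e.local_ip}:{e.local_port} in state {e.state}"


def network_reachable(entries: List[Entry]) -> List[Tuple[str, int]]:
    """Bindings another host could plausibly reach: TCP listeners and UDP binds not confined to loopback."""
    out = set()
    for e in entries:
        if e.local_ip.startswith("127."):
            continue
        if e.proto == "UDP" or e.state in ("LISTENING", "LISTEN"):
            out.add((e.proto, e.local_port))
    return sorted(out)


def check_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """The verification the thread asks for: connect instead of trusting the table.
    open     -> handshake completed, something really is listening
    closed   -> RST came back (no listener), seen here as ECONNREFUSED
    filtered -> nothing came back before the timeout (SYN dropped by a filter)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def demo_verify() -> Tuple[str, str]:
    """Open a real loopback listener, check it, close it, check the same port again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_tcp_port("127.0.0.1", port)
    srv.close()
    after_close = check_tcp_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    table = parse_netstat(SAMPLE_NETSTAT)
    for entry in table:
        print(f"{entry.proto:3} {entry.local_ip}:{entry.local_port:<6} {describe(entry)}")
    print("reachable from the network:", network_reachable(table))
    print("loopback listener while open / after close:", demo_verify())
```

Run it as a script to see the annotated table, or hand real output to `parse_netstat` (for example the contents of a file saved with `netstat -an > netstat.txt`). `network_reachable` is only a reading of the table; `check_tcp_port` is the part that asks the stack itself, which is the step the thread says was skipped.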
#5

Sebastian Gottschalk wrote:
> warf wrote:
>
>> Sebastian Gottschalk wrote:
>>> warf wrote:
>>>
>>>> I have been trying to learn as much as I can about internet 'security'

snip....

> Ehm... now why don't you grap TcpView?

I have it, Sebastian. While useful, it appears to yield a subsection of what Spybot S&D 'processtool' coughs up. And S&D lists modules and processes, etc... I am reading the Win2K manual and it explains the difference between application 'ports', sockets [Winsock] and the various protocols layered within. I am getting a 'better' picture of the hierarchy. I am still confused by 'NETBUI' [not NETBIOS, that I understand is simply a file/print sharing protocol, yes?]. Even when I have 'SERVER', FILE PRINT SHARING, REMOTE ACCESS services disabled I still see NETBUI ports 136,137,138,139,445 'listening' in TCPVIEW and S&D Processes??? Then Ethereal shows NETBUI "name lookup" traffic... is this the DHCP IP renewal server contacting my cable ISP to register my IP? I ask because in an effort to disable all 'Remote access' I inevitably lose DNS lookup or something that can't be restored short of an OS REPAIR install... and that gets tiring... "wipe and rebuild".

>> Eastlink is very coy and stingy with 'what services and ports I require'
>
> As a client you don't require any services at all.

As a cable modem customer placed directly on the Inet backbone, if I block ALL servers via ZA I lose DNS lookup, autoupdates, and I can't restore it easily... Most of the W2K essential services [services.msc] are hard to ascertain for HTTP internet browsing, pop/smtp and newsgroups... for eg: REMOTE ACCESS CONNECTION MGR.... seems to imply "I am a server" if allowed to start automatically.... but DHCP fails because NETBUI is inactivated if I disable it in services.msc. I'll get it someday. I sure wish that link you sent me was in English as well as German... c'est la guerre.

Warf.

warf
#6

warf wrote:
> Even when I have 'SERVER', FILE
> PRINT SHARING, REMOTE ACCESS services disabled I still see NETBUI ports
> 136,137,138,139,445 'listening in TCPVIEW and S&D Processes???

Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?

> I ask becasue in an effort to disable all 'REmote access' I ineveitably
> loose DNS Lookup or something that can't be restored short of an OS
> REPAIR install...

Then why don't you read before acting?

> and that gets tiring..."wipe and rebuild"

Nonsense. It's trivial to back up and restore the service configuration.

> but DHCP fails because NETBUI is innactivated If I disable it in SERVices.msc

Very strange.

Sebastian Gottschalk
#7

Sebastian Gottschalk wrote:
> warf wrote:
>
>> Even when I have 'SERVER', FILE
>> PRINT SHARING, REMOTE ACCESS services disabled I still see NETBUI ports
>> 136,137,138,139,445 'listening in TCPVIEW and S&D Processes???
>
> Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?

I did... twice, even emailed the admin [very nice guy] who said they only have Deutsch pages linked for the near future. It is exactly what I need though.

>> I ask becasue in an effort to disable all 'REmote access' I ineveitably
>> loose DNS Lookup or something that can't be restored short of an OS
>> REPAIR install...
>
> Then why don't you read before acting?

Vide supra...

>> and that gets tiring..."wipe and rebuild"
>
> Nonsense. It's trivial to backup and restore the service configuration.

Correct me if I am wrong [like I have to offer... grin]: new versions of mal-executables are very stealthy 'and sticky' vis-a-vis code-melt, MBR partition hiding, kernel-level misdirection of detection... ad naus. FOR EG... while updating my firewall a newly discovered file-infecting virus [with no known repair method to date] slid in with the update TCP traffic and settled in the Winnt\internetlogs\ZA as J.S-LAME and was flagged during the subsequent bit-level scan. So... to what extent, if any, my files were compromised or if it had even yet been executed is unknown. SO.... I take your oft 'suggested' advice and WIPE then REBUILD. Are you suggesting you were remiss for that advice?

I accepted your erstwhile advice re rebuilding and: I acted atavistically and installed Win2000 on a spare laptop with no useful data just so I could do a better job of noting changes AND rebuild in far less time than with my XP machine. Then I still have to install SP4, ZA, Ethereal, TCPview, Spybot, Adaware, Dlink router setup, all the Ibuddie drivers for NICard, THEN... disable a dozen services, remove FILE&PRINT SHARING, T-BIRD, FIREFOX and configure the Dlink WLan [kill it!], enable the Dlink WAN, clone the MAC address, set the lame software defaults to block mobile code, not save any .DAT, .HST... nor cookies, web-bugs and like ilk.... then fight for an hour to find which services I accidentally disabled with names like "REMOTE ACCESS... REMOTE DESKTOP... DNS... DHCP... TCP/NETBUI..." and so on and on. All because I lost my innocence reading how the boys at PHRAK get their jollies! SO>>>>>>> maybe it's easy for you, but for plebs like me playing with the big leaguers in kids' gear [actually, ironically the inverse is more likely!] it is hard not to add to the problem by naively being a server for malcode and redirection and providing safe haven for code that should be nuked.

>> but DHCP fails because NETBUI is innactivated If I disable it in SERVices.msc
>
> Very strange.

I thought so as well... and that is because I am not even sure of what I don't know yet. [as I grin weakly and apologetically for inflicting my carcass on you... sycophantly groveling for pearls of info.] Most webpages on the subject say disable DNS lookup [or is it DNS server?] and DHCP if acting as a client only. My inability to connect... My ISP provides no filtering for us... Straight to the pipe [backbone] with our cable modems. A report on Eastlink.ca indicates a problem with an "open DNS server" and they require DHCP for IP acquisition... which is 'maybe' why the actions of my services.msc changes are not immediate???

With Ethereal in 'promiscuous mode' it is incredible [to me] how much broadcasting and ICMP traffic there is at any one moment. Fr, Israel, Cn, Ru, USA... and how much is lost/misdirected and how much is actively seeking vulnerable IP addresses is unknown to me, but this is a fact: Twice, while connecting my computer to the internet via an ethernet cable and W2k [no firewall] I had a bogus popup before I could even pop in the ZA CD.... as though there is near constant broadcasting seeking open unprotected servers to compromise.

Help?

Warf.

warf
#8

warf wrote:
> Sebastian Gottschalk wrote:
>> warf wrote:
>>
>>> Even when I have 'SERVER', FILE
>>> PRINT SHARING, REMOTE ACCESS services disabled I still see NETBUI ports
>>> 136,137,138,139,445 'listening in TCPVIEW and S&D Processes???
>>
>> Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?
>
> I did...twice, even emailed the admin [very nice guy] who said they only
> have Deutsch pages linked for the near future. It is exactly what I
> need though.

The one specified page I linked is written in English, and so is the script. Only the website linking the content of the script to the specific services sadly is only in German.

Thus, what about now finally understanding that this script does exactly what you want?

>>> and that gets tiring..."wipe and rebuild"
>>
>> Nonsense. It's trivial to backup and restore the service configuration.
>
> Correct me if I am wrong [like I have to offer...grin]:new versions
> mal-executables are very stealthy 'and sticky' visa vi code-melt,MBR
> partition hiding, kernal level misdirection of detection...ad naus.

I thought you just referred to yourself ****ing up the service configuration by experimenting.

> and settled in the Winnt\internetlogs\ZA as J.S-LAME

JS-Lame sounds like a JavaScript which does some non-malicious, but annoying (thus lame) action. I guess its description will point this out exactly.

> So...to what extent, if any, my files were compromised or if it had
> even yet been executed is unknown. SO....i take your oft 'suggested'
> advice and WIPE then REBUILD.

When did this discussion start off? I assumed that you'd already done so.

> I accepted you earstwhile advice re rebuiling and:
> I acted atavisticly and installed Win2000 on a spare laptop with no
> useful data just so I could do a better job of noting changes AND
> rebuild in far less time time than with my XP macine.

A rebuild with an image backup is for sure way faster.

> Then istill have to install,SP4,ZA,Ethereal,TCPview,Spybot,Adaware,

SP4 should have already been integrated in your Windows 2000 CD. And still I sense at least 3 superfluous programs in that list.

> Dlink router setup,

WTF? Doesn't it have a web configuration interface?

> all the Ibuddie drivers for NICard

WTF? What a bunch of bloat is your NIC driver?

> THEN...disable a dozenservices,remove FILE&PRINT SHARING,

Yes, reasonable.

> T-BIRD,FIREFOX

Well, try SeaMonkey.

> set the lame software defaults to block mobile code,

What software and which settings?

> not save any .DAT,HST

What?

> ...nor cookies web-bugs and like ilk....

You're talking nonsense. Cookies aren't malicious. Web-bugs don't exist.

> then fight for an hour to find which services I accidently disabled

See? That's why you should take a look at the ntsvcfg script.

> All because i lost my innocense reading how the boys at PHRAK get their
> jollies!

Then why aren't you running a Unix flavour?

>>> but DHCP fails because NETBUI is innactivated If I disable it in SERVices.msc
>>
>> Very strange.
>
> I thought so as well... and that is becasue I am not even sure of what I
> don't know yet.

Maybe you might use Regmon to track down this bug?

> With Ethereal in 'promiscuous mode' it is incredible [to me] how much
> broadcasting and icmp traffic there is at any one moment.
> Fr,Israel,Cn,Ru,USA...and how much is lost/misdirected and how much is
> actively seeking vulerable IP addresses is unknown to me but this is a fact:
> Twice, while connecting my computer to the internet via an ethernetcable
> and W2k [no firewall] I had a bogus popup before I could even pop in the
> ZA CD....as though there is near constant broadcasting seeking open
> unprotected servers to compromise.
>
> Help?

Get the patches installed before you go online. Or at least get the vulnerable services deactivated. Or activate the TCP/IP filtering or RAS firewall.

Sebastian Gottschalk
#9

Sebastian Gottschalk wrote:
> warf wrote:
>
>> Sebastian Gottschalk wrote:
>>> warf wrote:
>>>
>>>> Even when I have 'SERVER', FILE
>>>> PRINT SHARING, REMOTE ACCESS services disabled I still see NETBUI ports
>>>> 136,137,138,139,445 'listening in TCPVIEW and S&D Processes???
>>> Well, why don't you take a look at <http://ntsvcfg.de/ntsvcfg_eng.html>?
>> I did...twice, even emailed the admin [very nice guy] who said they only
>> have Deutsch pages linked for the near future. It is exactly what I
>> need though.
>
> The one specified page I linked is written in English, so is the script.
> Only the website linking the content of the script to the specific services
> sadly is only in German.
>
> Thus, what about now finally understanding that this script does exactly
> what you want?

Ungh, I took for granted that running someone else's code to accomplish a task I 'could' do manually was sloppy and invited malware? I think I also just read that security rule #1 was "If you are running unknown code you have already lost control". I know very little of ANY of the code on my machine so... I ask you, "is it safe?" [Marathon Man, Dustin Hoffman]

>>>> and that gets tiring..."wipe and rebuild"
>>> Nonsense. It's trivial to backup and restore the service configuration.
>> Correct me if I am wrong [like I have to offer...grin]:new versions
>> mal-executables are very stealthy 'and sticky' visa vi code-melt,MBR
>> partition hiding, kernal level misdirection of detection...ad naus.
>
> I though you just referred to yourself ****ing up the service configuration
> by experimenting.

Yes... that is why I seek your help... to allow me to access the internet somewhat safely whilst edifying myself as to the vagaries of I-protocol[s]... and M$ weaknesses.

>> and settled in the Winnt\internetlogs\ZA as J.S-LAME
>
> JS-Lame sounds like a JavaScript which does some non-malicious, but
> annoying (thus lame) action. I guess its description will point this out
> exactly.

Well I can't wait for the VBS-blowjob virus to go wild!

snip..

> SP4 should have already been integrated in your Windows 2000 CD. And still
> I sense at least 3 superfluos programs in that list.

No, it is an older OEM disk... It lacks USB 2.0, so I take my saved SP4 upgrade I got before M$ made us pull our pants down and take a shot of code to make sure we own the OS install. BTW... I drop the defenses reluctantly and incrementally to enable manual update [upgrade] from M$ but still don't pass the 'wide open vulnerable enough to allow your upgrade' test.

>> Dlink router setup,
> WTF? Doesn't it have a web configuration interface?

Yes it does. If you understand: MAC address and cloning same, protocols, SSID, WLAN/WAN/LAN, ad infinitum... AND don't allow their farmed-out tech support to mislead you about when the WAN is actually activated, it is probably a snap to make it secure... AND functional. I now know 192.168.0.1 like I know my birthdate!

>> all the Ibuddie drivers for NICard
>
> WTF? What a bunch of bloat is your NIC driver?

SIS drivers have a lot of applets.

>> THEN...disable a dozenservices,remove FILE&PRINT SHARING,
>
> Yes, reasonable.

OK, I'm feelin' on track now!

>> set the lame software defaults to block mobile code,
>
> What software and which settings?

ZA, Dlink setup utility requires J-script enabled or it won't update settings..... it just makes you think it does.

>> not save any .DAT,HST
>
> What?

I'm just making a point; I dislike all the tracking of everything I type, save, see, use, start, stop, plug in etc. So disable password saving, history, remember last file etc.

>> ...nor cookies web-bugs and like ilk....
>
> You're talking nonsense. Cookies aren't malicious. Web-bugs don't exist.

Web-bugs do... scroll your mouse over bug-encoded webpages and watch the script call in the lower left... OR use DOM editor. A single pixel is enough... and it can be the same color as the background => invisible. Scripted cookies are certainly capable of doing malicious things, as I read, AND every problem [not of my own doing by disabling useful services] has occurred while temporarily enabling Java/JavaScripting or 'mobile code' to accomplish a download or a device configuration. I get security levels reset, hosts file manipulated etc... I have been reading that the old cookie has been supplanted with a myriad of ways to get info you or I would likely not volunteer if given a choice before it happened. I doubt you are didactically 'out of date' on mal-techniques, datamining and exploits, so what are you getting at? Seriously, I know only what I read from security-dedicated websites... and less from opinion columns and NGs, unless public scrutiny exposes a fake professor.

>> then fight for an hour to find which services I accidently disabled
>
> See? That why you should take a look at the ntsvcfg script.

Well then I ask you; is that not the same as installing utilities from websites? [like going sans condom, eventually something comes.... alive!]

>> All because i lost my innocense reading how the boys at PHRAK get their
>> jollies!
>
> Then why aren't you running a Unix flavour?

I bought a MANDRAKE kit and realized that it was only safer because I 'could' get to know the code intimately [unlike M$ code]. In other words, it is only safer if I REALLY understand what I'm doing. I plan to install it on a separate laptop specifically for learning, and learning about the free V-OS I have as well. Until then, I am still working on making Windows work for me. [country song in the works]

>>>> but DHCP fails because NETBUI is innactivated If I disable it in SERVices.msc
>>> Very strange.
>> I thought so as well... and that is becasue I am not even sure of what I
>> don't know yet.
>
> Maybe you might use Regmon to track down this bug?

Does Regmon track registry changes? ZA alerts me to ALLOW/DISALLOW every instance of a program, module or process before it makes a registry change. There are still many changes that slip by unannounced though; must be at the kernel level? [ring 1?] Even Spybot TeaTimer stops responding to registry changes after a few days. I have a beef with all commercial security software [to date]; in order to allow people with even less knowledge than I to get running they allow some questionable defaults on install. FOR EG; both McAfee and Symantec allow everything already on your computer 'trusted' status... from spyware, datamining phone-home-ware to malware. Worse, you can't unselect many of them either. At least ZA allows manual reconfiguration, but who would want to allow WEBBUGS and a dozen or so click-tracking URLs to have 'trusted' status by default... unless they paid for that privilege!? At least they can be removed though in ZA.

>> With Ethereal in 'promiscuous mode' it is incredible [to me] how much
>> broadcasting and icmp traffic there is at any one moment.
>> Fr,Israel,Cn,Ru,USA...and how much is lost/misdirected and how much is
>> actively seeking vulerable IP addresses is unknown to me but this is a fact:
>> Twice, while connecting my computer to the internet via an ethernetcable
>> and W2k [no firewall] I had a bogus popup before I could even pop in the
>> ZA CD....as though there is near constant broadcasting seeking open
>> unprotected servers to compromise.
>>
>> Help?
>
> Get the patches installed before you go online. Or at least get the
> vulnerable services deactivated. Or active the TCP/IP filtering or RAS
> firewall.

I saw that applet. Would I enable filtering of TCP, UDP, IP and allow only port 80 I/O, 110 In, 25 Out, 53 I/O [DNS lookup]? There's an applet to ENABLE NETBIOS LOOKUP, DISABLE/BLOCK NETBIOS OVER TCP/IP. This is exactly where I eventually disable something and can't recover. All I want is HTTP browsing, email and newsreader... maybe file download. Is that so hard to enable without losing DNS lookup, DHCP IP assignment and connect ability? I know your time is valuable. Maybe I'll try the script for now... of course I have to pull down my pants to download and then run it though.

Warf.

warf
#10

warf wrote:
>> Thus, what about now finally understanding that this script does exactly
>> what you want?
>
> Ungh, I took for granted that running someone elses code to accomplish a
> task i 'could' do manually was sloppy and invited malware?

Isn't that the reason why it's Open Source? (Besides that this is by design.)

>>> and settled in the Winnt\internetlogs\ZA as J.S-LAME
>>
>> JS-Lame sounds like a JavaScript which does some non-malicious, but
>> annoying (thus lame) action. I guess its description will point this out
>> exactly.
>
> Well I can't wait for the VBS-blowjob virus to go wild!

And I can't wait for an RFC for "remote stabbing over TCP/IP"...

>> SP4 should have already been integrated in your Windows 2000 CD. And still
>> I sense at least 3 superfluos programs in that list.
> no, it is an older OEM disk...It lacks USB2.0

There are various guides on the net that describe how to convert an OEM install disc into a retail version. But even so, OEM disks can also get SP4 integrated.

> So I take my saved SP4
> upgrade I got before M$ made us pull pur pants down and take a shot of
> code to make sure we own the OS install.

Huh?

> BTW...I drop the defenses reluctantly and incrementally to enable manual
> update [upgrade] from M$ but still don't pass the 'wideopenvulnerable
> enough to allow your upgrade' test.

Are you talking about Windows Automatic Updates or the Windows Update website?

>> What software and which settings?
>>
>>> not save any .DAT,HST
>>
>> What?
>
> I'm just making a point; I dislike all the tracking of everything I
> type,save,see,use,start,stop,plugin etc,

Even if this is just supposed to assist you?

>>> ...nor cookies web-bugs and like ilk....
>>
>> You're talking nonsense. Cookies aren't malicious. Web-bugs don't exist.
>
> Web-bugs do...scroll your mouse over bug-encoded webpages and watch the
> script call in the lower left...OR use DOM editor. A single pixle is
> enough..and it can be the same color as the background=> invisible.

This is no web-bug. It's something that is supposed to work like this, and there's nothing malicious about it.

> Scripted cookies are certainly capable of doing maliscious things,

So? What specifically?

> as I read, AND, every problem [not of my own doing by
> disabling useful services] has occurred while temporarilly enabling Java
> /Java-Scripting or 'mobile code' to accomplish a download or a device
> configuration.

Interesting. Could it be that your Java VM and/or your web browser is totally outdated?

> I get security levels reset, host file manipulated etc...

WTF? A non-admin user doesn't even have write access to the HOSTS file.

> I doubt you are didactically 'out of date' on mal-techniques datamining
> and exploits, so what are you getting at?

You should learn to differentiate between non-identifying information, computer-identifying information and personal information, as well as who can read it under which circumstances.

About exploits: The official statistics tell that Mozilla Firefox, if always kept up-to-date, was at best vulnerable for 34 days for a non-critical problem. Which could already have been worked around by pro-active configuration.

>>> then fight for an hour to find which services I accidently disabled
>>
>> See? That why you should take a look at the ntsvcfg script.
>
> Well then I ask you; is that not the same as installing utilities from
> websites?

A script is a script is a series of commands that you can read in cleartext. You can easily read how the script determines the Windows version, configures the services and adds registry entries.

>>> All because i lost my innocense reading how the boys at PHRAK get their
>>> jollies!
>>
>> Then why aren't you running a Unix flavour?
>
> I bought a MANDRAKE kit

I pity you. Mandrake is about the second-worst to start off with.

>>>>> but DHCP fails because NETBUI is innactivated If I disable it in SERVices.msc
>>>> Very strange.
>>> I thought so as well... and that is becasue I am not even sure of what I
>>> don't know yet.
>>
>> Maybe you might use Regmon to track down this bug?
>
> Does regmon track registry changes?

As the name (and the description of the program) implies.

> ZA alerts me to ALLOW/DISALLOW every instance of a program,
> module or process before it makes a registry change.

If you're still running ZoneAlarm, you shouldn't wonder about anything going wrong in your system. The registry functions filter ****ing it up a bit should be your least worry.

> FOR EG; both Mcafee and
> Symantic allow every already on your computer 'trusted' status...from
> spyware, datamining phonehome-ware to mal-ware. Worse, you can't
> unselect many of them either. Atleast ZA allows manual reconfiguration

What about using Windows' security features? Now this allows you to define security domains and, in contrast to the add-on nonsense, can actually enforce this policy.

>> Get the patches installed before you go online. Or at least get the
>> vulnerable services deactivated. Or active the TCP/IP filtering or RAS
>> firewall.
>
> I saw that applet. Would I enable filtering of TCP,UDP,IP and allow only
> port80 I/O, 110 In, 25 Out, 53 I/O[dns lookup]?

Maybe you may want to read the documentation again. The TCP/IP filtering only applies to inbound traffic and already works stateful. Thus, you don't need to allow anything for TCP and UDP, and for IP you may just want 1, 6 and 17.

> There an applet to ENABLE NETBIOS LOOKUP, DISABLE/BLOCK NETBIOS OVER TCP/IP
>
> This is exactly where I eventually disable something and can't recover.
> All I want is HTTP browsing, email and newsreader...maybe file download.
> Is that so hard to enable without loosing DNS lookup, DHCP IP assignment
> and connect ability?

Normally not. Maybe you should really consider uninstalling FroneAlarm?

Sebastian Gottschalk