Computer Security - win2000 - 1000s of ports opened

#1

Hi, just wondering if anybody can help. I have a w2k server running java applications for the past 4 years. No problems at all. Past 3 days we experienced program crashes etc. When the server is cold-booted, an error says "At least 1 service or driver failed during system startup". When I do a "netstat -a" I get a scroll of listening ports, don't know how many, must be several thousands. Is the server hacked? I have ZoneAlarm (free version) installed. What do I do now? Can I close these ports manually or via ZoneAlarm? Thanks all.

halimtan

#2

halimtan wrote:
> When I do a "netstat -a" I get a scroll of listening
> ports, don't know how many, must be several thousands. Is the server
> hacked?

Most likely.

> I have ZoneAlarm (free version) installed.

That alone would be enough to consider it as compromised. Even further, it seems like you're abusing MSIE as a webbrowser. Now that's clearly a sign of total resignation.

> What do I do now?

Restoring from the latest backup? What else?

> Can I close these ports manually

Unlikely, since the system is compromised.

> or via ZoneAlarm?

How should that work?

Sebastian G.

#3

On Jan 22, 8:23 am, "Sebastian G." <se...@seppig.de> wrote:
> Even further, it seems like you're abusing MSIE as a webbrowser. Now that's
> clearly a sign of total resignation.

Dear Sebastian, evidently you know much more than I do. In what way am I abusing MSIE as a webbrowser?

halimtan

#4

halimtan wrote:
> On Jan 22, 8:23 am, "Sebastian G." <se...@seppig.de> wrote:
>> Even further, it seems like you're abusing MSIE as a webbrowser. Now that's
>> clearly a sign of total resignation.
>
> Dear Sebastian, evidently you know much more than I do. In what way am
> I abusing MSIE as a webbrowser?

Just to remind, one of your posting's headers:

> X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> SV1),gzip(gfe),gzip(gfe)

Unless you're faking headers for no obvious reasons, it looks like you're posting through Google Groups, using MSIE as a webbrowser. Google Groups is a website on the internet, which is an untrustworthy network. MSIE, on the other hand, is only supposed to be used on a trusted network, otherwise it's trivially insecure.

Thus, you seem to be abusing it for something that it's clearly unsuitable for.

Sebastian G.

#5

On Jan 22, 10:34 am, "Sebastian G." <se...@seppig.de> wrote:
> halimtan wrote:
> > On Jan 22, 8:23 am, "Sebastian G." <se...@seppig.de> wrote:
> >> Even further, it seems like you're abusing MSIE as a webbrowser. Now that's
> >> clearly a sign of total resignation.
> >
> > Dear Sebastian, evidently you know much more than I do. In what way am
> > I abusing MSIE as a webbrowser?
>
> Just to remind, one of your posting's headers:
>
> > X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> > SV1),gzip(gfe),gzip(gfe)
>
> Unless you're faking headers for no obvious reasons, it looks like you're
> posting through Google Groups, using MSIE as a webbrowser. Google Groups is
> a website on the internet, which is an untrustworthy network. MSIE, on the
> other hand, is only supposed to be used on a trusted network, otherwise it's
> trivially insecure.
>
> Thus, you seem to be abusing it for something that it's clearly unsuitable for.

Wow. You are exactly right in describing how I posted. And I didn't even know I was abusing something. At the risk of sounding stupid, what's the correct way to post this?

halimtan

#6

halimtan wrote:
> Wow. You are exactly right in describing how I posted. And I didn't
> even know I was abusing something. At the risk of sounding stupid,
> what's the correct way to post this?

Using Google Groups with an actual webbrowser? Using an NNTP server and a NNTP client?

Sebastian G.

#7

halimtan <> writes:
> On Jan 22, 8:23 am, "Sebastian G." <se...@seppig.de> wrote:
> > Even further, it seems like you're abusing MSIE as a webbrowser. Now that's
> > clearly a sign of total resignation.
>
> Dear Sebastian, evidently you know much more than I do. In what way am
> I abusing MSIE as a webbrowser?

Hi Tan,

Welcome to alt.computer.security. I see you've met our resident curmudgeon Sebastian G.

Sebastian is (unnecessarily rudely, in following his tech bully M.O., which allegedly is attributable to his tiny penis) making the point that Internet Explorer is a rather dangerous web browser. With its default configuration and inclusion of ActiveX technology, it has quite a bit larger attack surface than other browsers that are available (such as Opera or Mozilla Firefox).

He's also railing against a common prejudice in usenet these days against those posting to usenet via Google Groups versus using an actual NNTP news reading client (such as Mozilla Thunderbird--which is also a mail client, or Forte Agent, or... whatever people like posting news with these days). He deduced your posting method out of headers available in the postings themselves.

It's left as an exercise to the reader what method of computing/living/whatever that Sebastian actually approves of. If we could get him to contribute without all the attitude, it'd be a wonderful thing. But until then, I'll try to play good cop to his bad cop and interpret.

Give Mozilla Firefox with the NoScript extension a try for a safer browsing experience. Do it in a VMWare virtual machine running something off the beaten path like OpenBSD for bonus points. The nice thing about virtual machines is that they're quite tough for malware to break out of, and are easy to rollback to a known state if they themselves get corrupted.

Best Regards,
--
Todd H.
http://www.toddh.net/

Todd H.

#8

Todd H. wrote:
> Sebastian is (unnecessarily rudely, in following his tech bully M.O.,
> which allegedly is attributable to his tiny penis) making the point
> that Internet Explorer is a rather dangerous web browser. With its
> default configuration and inclusion of ActiveX technology, it has
> quite a bit larger attack surface than other browsers that are
> available (such as Opera or Mozilla Firefox).

I'd go further: There is no configuration of IE that could be secure in an untrusted network. This is well documented.

> He's also railing against a common prejudice in usenet these days
> against those posting to usenet via Google Groups versus using an
> actual NNTP news reading client (such as Mozilla Thunderbird--which is
> also a mail client, or Forte Agent, or... whatever people like posting
> news with these days).

Huh? I was not railing that... he is free to post on Google Groups, as long as he doesn't want to tell me anything about security while abusing MSIE as a webbrowser.

> Give Mozilla Firefox with the NoScript extension a try for a safer
> browsing experience.

Please consider that NoScript is only a GUI exposing functionality that has been inside Mozilla since ever. Well, the lack of such a GUI is even a long-term entry in BugZilla. I have the feeling that such recommendations create the impression that Firefox wouldn't be safe without NoScript.

Aside from that, I'd rather recommend Mozilla SeaMonkey. Interestingly, it integrates all the Mozilla Suite products and a lot of functionality (including uncrippled configuration menus), but it's still lighter than Firefox (wrt. performance and memory usage).

> The nice
> thing about virtual machines is that they're quite tough for malware
> to break out of, and are easy to rollback to a known state if they
> themselves get corrupted.

Be a bit careful with that, there are quite some VMs which are not supposed to provide secure isolation, but only virtualization. Many para-virtualized stuff like Xen, as well as pure software virtualization like Virtuozzo or Thinstall, or pure API emulations like WINE or Sandboxie can't stop malicious software from breaking out of the virtualization container.

Sebastian G.

#9

On Tue, 22 Jan 2008 18:49:12 +0100, "Sebastian G." <> wrote:
>Huh? I was not railing that... he is free to post on Google Groups, as long
>he doesn't want to tell me anything about security while abusing MSIE as a
>webbrowser.

Let's be fair, the guy was asking about a problem on his w2k server. Most likely he is posting here from another machine and not his SERVER.

I also run IE on my W2K servers because windows update does not work with firefox, but they are fairly safe accessing microsoft.com.

So you're being inappropriate and talking out of your arse again, Sebastian.

--
Jim Watt
http://www.gibnet.com

Jim Watt

#10

halimtan wrote:
> Hi, just wondering if anybody can help. I have a w2k server running
> java applications for the past 4 years. No problems at all. Past 3
> days we experienced program crashes etc. When the server is cold-
> booted, an error says "At least 1 service or driver failed during
> system startup". When I do a "netstat -a" I get a scroll of listening
> ports, don't know how many, must be several thousands. Is the server
> hacked? I have ZoneAlarm (free version) installed. What do I do now?
> Can I close these ports manually or via ZoneAlarm? Thanks all.

If you do not have a real firewall, they are trying to break into your system within minutes of power up. At least use a router...

Rick Merrill