Total Newb, Interesting Problem

Printable View

November 15th, 2005, 01:12 AM
ZapSeeker

Total Newb, Interesting Problem

Hi, I'm a total newb and have a few questions I would be very grateful if I could have help finding answers to. If one of them has an answer in another post then I'm really sorry, please provide me a link. Also, there will probably be some stuff that doesn't make sense. Please tell me where.

This is a background, I am a home PC user, using a Pentium Laptop WinXP SP2. I only use the PC for browsing and downloading files from a news server. I currently have reached a "plateau" with my computer studies and want to increase security on my machine and further my knowledge about computer security. I am currently using Panda Platinum 2006 with intergrated firewall after using a few of the free scanners; AVG, TrendMicro that missed quite alot of problems I used to have. The security status of my PC is okay-ish ie. free of viruses, malware etc. (according to ewido, panda, hijack). I know there are still potential vulnerabilites and I want to know how to avoid them being exploited.

First Question: Is there a set of applications/methods that you can give me information on that will do the following and respond quickly that are free/GNU: Information on all inbound/outbound connections (IP adresses etc.) (can these adresses be masked/hidden?), all new processes starting and modification of files, and, crucially for me at this stage; what you think are the most important things to be monitoring to keep my computer secure and what are the default set of measures/applications that I need. Panda slows my machine so much!

Second: I have a friend who studys computer networking and I don't know if it's paranoia talking but I have a suspicion he has tried to/has accessed my computer remotely. I know he has communicated with me using simultanious msn nicks and repeatedly tried to send me files, posing to be a variety of different people. There has been an occasion recently when he came over, went "hey hey look at this" ("look it's superman!" kinda thing) and then did a run command then left my house suspiciously. I think it was "ipconfig". Although I don't think he would go as far as to do anything harmful I don't appreciate being some script kiddies crash test ya' know? I think I have a dynamic IP. Does this work in my favour or can it be predicted. I'd like to be able to match his skills or at least put up a reasonable defence against it and you guys are my liferaft. So there it is... Q3.

Third: What OS should I be using for maximum security and also as a tool for learning how to write code and take my computer studies further. I've never studied professionally although I'm starting a course next year and I want to have as much under my belt as possible before I start. It's a non-specific Access to Degree Level computing course. I'm almost certain this question has been covered before but to be case specific I thought I'd ask.

Fourth: I did find a method for viewing IP adresses using CMD. Thing is I don't really know which is which and what column means what if you know what I mean. How to tell which one is mine and what the changing numbers after each address mean? Someone with a high tolerance and calm disposition may want to answer that one lol.

Well that's the lot for now. Any replys will be greatly appreciated.

Thankyou very much,

ZapSeeker
November 15th, 2005, 01:59 AM
WolfRune

First off, welcome to AO :)

1) Probably your best bet is Process Explorer. Its a handy little app that will allow you to view all the threads currently running on your machine, as well as connections made by those processes.

2) This doesn't really seem like a question, but rather a request to be taught about security. As a relative newb myself, my advice is to read as much as you can, and try to get a machine on your network specifically for the purpose of learning the ins and outs of the O/S, software, etc. Don't expect anyone to spoon-feed you all the answers.

3) This is pretty much based on two things: Personal opinion, and relative skill levels. Generally, Linux is viewed as being somewhat more secure "out of the box" than Windows, but on the other hand, Windows CAN be just as secure in the right hands. I recommend a dual or multiboot with Windows and at least one distribution of Linux, and learn about both - it will hold you in good stead.

4) What method did you use? It sounds like the command "tracert", but that's a really round-about way of getting your local address. If your computer connects directly to the Internet via a modem, use the command "ping". If you have a router connecting to the modem, check your router's status - most half decent routers will show you your "public" address, as well as any DNS servers you are allowed to use.

Good luck!
November 15th, 2005, 01:59 AM
bagggi

hey zapseeker,

start reading, goto forums and look around, most of us learnt a lot of things from there. there is this link" Visit The Discussion Forums" at the bottom of home page. go there.
November 15th, 2005, 02:31 AM
alleyCat

Its worth searching "network basics" to find some tutorials on the basics of networking. I'm sure one of the seasoned AntiOnliners can give you links to tutes on understanding networking and OS.

Some other basic command line tools you can use straight away are ipconfig, netstat and nslookup. Lookup/search for manuals on them and make notes/search on any parts you don't understand. This should give you a starting point to work from.

On your 'friend', if your firewall is configured appropriately, it won't necessarily matter if you have a dynamic IP or not... I would suggest reviewing your firewall logs every so often... and you would see there are a lot of records in that log from systems that have no known motivation to access your system... unlike your 'friend'!!

Many would suggest that you http://www.antionline.com/jargon/RTFM.php and http://www.antionline.com/jargon/STFW.php ...

Similarly, online dictionaries (www.dictionary.com) and translation tools (eg www.freetranslation.com) are invaluable when researching all manner of things.

Cheers, al
November 15th, 2005, 02:54 AM
|3lack|ce

First off, welcome to AO - you'll learn lots here. I congratulate you on a very articulate first post.
Now let me address your questions to the best of my (limited) knowledge:

Quote:

Is there a set of applications/methods that you can give me information on that will do the following and respond quickly that are free/GNU: Information on all inbound/outbound connections (IP adresses etc.) (can these adresses be masked/hidden?), all new processes starting and modification of files, and, crucially for me at this stage; what you think are the most important things to be monitoring to keep my computer secure and what are the default set of measures/applications that I need. Panda slows my machine so much!

This is a very broad question indeed. My suggestion is twofold -
1. Check out the plethorae of open source projects out there and I'm sure you'll find a ton of stuff to use.

2. The more monitoring programs you're running, the more system resources you're eating. The trick is securing your box well enough that you don't HAVE to watch everything all the time. I defer the answer to the 'how' question this statement begs to those who know much more than I.

Quote:

I have a friend who studys computer networking and I don't know if it's paranoia talking but I have a suspicion he has tried to/has accessed my computer remotely. I know he has communicated with me using simultanious msn nicks and repeatedly tried to send me files, posing to be a variety of different people. There has been an occasion recently when he came over, went "hey hey look at this" ("look it's superman!" kinda thing) and then did a run command then left my house suspiciously. I think it was "ipconfig". Although I don't think he would go as far as to do anything harmful I don't appreciate being some script kiddies crash test ya' know? I think I have a dynamic IP. Does this work in my favour or can it be predicted. I'd like to be able to match his skills or at least put up a reasonable defence against it and you guys are my liferaft. So there it is... Q3.

With friends like that, who really needs enemies right? Quit letting him have *any* physical access to your computer at all. This should stop about 90 percent of his successful attacks, so you can then start concentrating on blocking those stupid scripts he's running. Perhaps one day he'll grow up a bit and start writing his own, but somehow I doubt it. (sorry, ZERO respect for skiddies here).

Quote:

What OS should I be using for maximum security and also as a tool for learning how to write code and take my computer studies further. I've never studied professionally although I'm starting a course next year and I want to have as much under my belt as possible before I start. It's a non-specific Access to Degree Level computing course. I'm almost certain this question has been covered before but to be case specific I thought I'd ask.

Not only has it been covered all throughout this forum, it's been beaten to a bloody pulp. Having just switched from Windows to Linux, I'm extremely biased at the moment, so I'm definitely not the right person to answer this question, other than to add this - If you're comfortable enough to discuss switching operating systems, you've probably made up your mind about how insecure Windows really is, and that it's probably not going to change any time soon. That having been said, there's a very few alternatives out there with a decent enough amount of software to make them worthwhile - Linux and Unix to name 2 of them. I chose Linux because it's free, and because I see little or no difference between it and Unix. If you want to learn more about Linux, go check out www.ubuntu.com - they offer it for free and will mail you their cd's for free (for now). It takes a couple months to get the cd's though.

Hope that helped a bit, although I'm quite sure I didn't answer everything as specifically as you requested - suggest you use the 'search' box on the front page of this site and get busy reading ;)

|ce
November 15th, 2005, 03:20 AM
Egaladeist

Excellent first post Zapseeker! Kudos!

Eg ;)
November 15th, 2005, 02:44 PM
Nokia

#1, Yes, open a command prompt and type "netstat -ano" ( without the " s ) This will tell you all active connections you have and to what IP address there are connected to. Keep this open and CTL ALT DEL to open your task manager, go to View, Select Columns amd check the PID box. If you look under the PID section of netstat you will see a number, this tallies in with the PID in your task manager to tell you what process/application has made the connection.
Thats a how yoy can tell what you are connected to and what has made the connection.

If you are unsure about an IP address you are connected to, type nslookup [ip address you are unsure about] in the command prompt window, this will tell you what the ip address is only if it is an internet connected machine.

Or you can download sam spade and use the ip lookup with that.

#2, Dont let him on your box at all, or if you think something untoward is occuring, log off the internet completley, give it 5/10 mins then log back on, you will now have a different ip addy.
As you said you have a dynamic ip address, this goes in your favour against your friend as you can change it when you want/need so unless he has some kind of trojan/RAT installed on your computer he wont know your ip addy unless you tell him or you start a video converstation in msn or send receive/files with him, again using msn.

#3, You have XP SP2 which configured properly is secure enough for a home PC, do you have a firewall running, not just the windows firewall but another one in conjunction with it. Try Zone Alarm if you dont, it is free and is a very good firewall for beginners. You can try Linux for an OS I suppose but I would stick with windows for the time being untill you are a bit more confident with what you are doing.

#4,To find your own IP either double click on your connection monitors by your clock, then click the support tab. This will tell you your IP, subnet mask and default gateway.
As some one has said you maybe using the tracert command in the cmd prompt, this is a tool which will tell you, in order, all computers that your data will pass through to get to a certain computer/server etc. it is more of a connectivity tool than anything else. Try using the "ipconfig /all" command instead.

Welcome to AO and good initial post there old chum, keep it up!
November 15th, 2005, 04:21 PM
The_Captain

I think everything else is relatively well covered so I'll just handle 4 for you.

H:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Mycomputername
Primary Dns Suffix . . . . . . . : something.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : something.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0D-56-99-06-F7
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.70.0.247
Subnet Mask . . . . . . . . . . . : 255.248.0.0
Default Gateway . . . . . . . . . : 10.70.0.1
DNS Servers . . . . . . . . . . . : 10.70.0.7
10.70.0.8

This is a printout of an ipconfig /all command... i'll explain it for ya...

Host Name . . . . . . . . . . . . : Mycomputername
The hostname is the name of your machine. If you're using a windows network (one with DNS) this can be used in place of an IP address for connecting to a computer

Primary Dns Suffix . . . . . . . : something.local
This is the DNS it normally would go on the end of my machine name there for a fully qualified domain name... well internal to my network anyways.

Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
I've never used either of these.

[WINS Proxy Enabled. . . . . . . . : No
WINS was replaced by DNS for Windows (post server 2000 networks) so you don't need to worry about this.

DNS Suffix Search List. . . . . . : something.local
This is what is appended after computer names and such as you're trying to find them in your network allowing you to connnect to a machine just by using it's computer name

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connect
ion
Physical Address. . . . . . . . . : 00-0D-56-99-06-F7
This is your computer's MAC address. Theoretically your machine's NIC is the only one in the world with this. People can of course spoof this though. The first 6 numbers are vendor specific and the second 6 are unique to your machine for that vendor.

Dhcp Enabled. . . . . . . . . . . : No
Were you to be using DHCP this would be enabled. DHCP allows your machine to get an IP address assigned to it as it connects to a network so that you don't have to assign an IP address to each machine yourself. This is possibly the best thing to happen to administrators in the history of computing.

IP Address. . . . . . . . . . . . : 10.70.0.247
Subnet Mask . . . . . . . . . . . : 255.240.0.0
Default Gateway . . . . . . . . . : 10.70.0.1
I grouped these three together because without all three you cannot communicate within your network. The IP address is your logical address on the network. The Subnet mask is the number of bits that are used for your segment. This has to be right on your system, but it is essentially a number used by routers to know where things are going in a network (number of hosts per subnet and such). The default gateway is where your computer is going to be sending its traffic to if it cannot find an IP address on its subnet. This is really where your computer will send most of its traffic since you're probably not using IP addresses by hand.

DNS Servers . . . . . . . . . . . : 10.70.0.7
10.70.0.8
You need DNS servers if you want to communicate out to the internet. Well unless you can remember IP addresses.

This hasn't had much time for editing... feel free to correct or add for content.
November 15th, 2005, 10:28 PM
Kosmograd

lot of "skiddies use" reverse netcat to create backdoor since netcat won't really shows up on AV radar

http://netcat.sourceforge.net/

look of it ... also copies of wincap (i think netcat requires)

http://www.winpcap.org/install/default.htm
November 15th, 2005, 11:55 PM
ZapSeeker

Hi,

Thanks very much for the replys. I've done some of the things described and also been looking around the web. It's amazing some of the stuff I've found and this is just the beggining. I've installed some of the apps off the main page here which have nullified some of the questions I had before. I've also installed Sygate firewall and scrapped the other antivirus/scanner I was using before. I'm using ewido and will use online virus scans. I also ordered the ubuntu cd's and will start learning to use a linux operating system.

I'm going to do some more hunting around of my own and see what I come up with. If I need to I will request your expert advice once again! (Probably sooner rather than later lol)

Again thanks very much,

ZapSeeker