XP Exploit.

This was originally posted in the tutorials section by mistake, and I've moved my lil post over to here, after deleting the old one, so that people can still see it.

After having been recently invited to a war game, a hacker contest online, I decided to play and sharpen my skills on defending computers, and try to pick up the latest tricks for cracking them. I had no idea what I was going to learn.

I managed to pick someone's IP Address, and did a quick port scan, just to see if anything had been left open. Either they had a very bad firewall, or none at all, because Port 80 had been left wide open.

I decided to connect to it, just to see if they had been using it as a web server. Lo and behold, they had. It was being used as a Microsoft® web server, and the owner of the machine had no idea!

After some quick research, I discovered that this was not limited to his machine. Virtually all computers running Windows XP I ran into had this port open, and the same site was on each of them.

Microsoft had left open the biggest security risk since allowing Remote Registry Changes in Windows 2000 (which lets you login and change the entire computer around very easily, from another computer).

A few days later, I was talking to Angel about this, and we realized how easy it would be for someone with just a little bit of Visual Basic coding skills it would take to take total advantage of this.

Here's the basic outline:

A hydra, a virus that sends itself out through the internet and networks, using FTP, websites,
and e-mail, begins to spread over the internet, using computer's address book.

Once downloaded, this hydra will send itself off to every e-mail address it can find, and then will set the computer to download from an FTP server every night, an entire new website.
What this means is that, someone can set up tens of thousands of free web servers on Windows XP machines, without the user even knowing it, and update it with no problem.
Or, if the writer of this hydra was a little bit more malicious, it could be set to download viruses, pornography, or all kinds of nasty files.

The worst part is, this bug is on home computers, which means that there is no Administrator to simply close port 80.

The solution? Firewalls and Anti-virus software. This can also be fixed by going into Control Panel> Administrative Options>Services and disabling Web Server, along with any other services you don't feel are needed. You can also get to this area by going to Start>Run>msconfig>services Unchecking things here will stop them from starting up again when you reboot your computer.

Angel and I are going to be watching this bug closely, and looking for other ways to both exploit, and solve, this problem.

While yes, the idea would work. Is anyone going to start sending around source code that is going to connect back to their ftp server to download the code. I'm pretty sure even script kiddies are smarter than that. Secondly how many XP machines are you really going to hit. We have two XP pro-machines running in our apt. Both run webservers. My roommates is on sparadically (sp??) while mine is permanent. Neither is MS Webserver, and neither had the MS Webserver running after the initial install. Oh i'm sure you'd find a fair ammount, but if that's the case you'll find a fair number of 2K Pro Servers that probably have an ftpd or httpd enabled. In the how ever many hundred XP Pro install i've done, I've never seen the MS Webserver active my default. I'm sure their are a fair number out there, but I wouldn't call it a *big* security risk.

If you're getting into writing some code to do something malicious why not just write a few lines of code to make a computer share the HDD w/out a password, then you could upload the files yourself and not have to leave an identifier (ftp server address) that will point back to you.

IMHO I wouldn't forsee this as being an overly big problem.

You keep saying "You" a lot, as if I plan to write this code....why? I thought I had made it abundantly clear by now, even by pointing out the fix for this, that I do not do such things.

Also, if someone WERE to do this, it wouldn't necessarily need to point back to THEIR FTP server, just A FTP server. If they got access to one, boom.

The idea of this article was to convince people to make sure they have services turned off, if they haven't already. Nothing more. Don't take it as anything more.

Oh..also in one comment in which I was negged for this, it said "you're admitting hacking?" ....Show me where I admit to malicious hacking. In the war game? To which I was invited to, and was instructed to try and find vulnerabiilties in order to learn about this sort of thing...and then secure machines as I have just done?

If I miscommunicated, please tell me. Otherwise, read the posts more carefully.

Mobius: You didn't miscommunicate - some people simply mis-read..... ;)

There is one teeny little, (ok...godawful huge), hole in your scenario.

What is the purpose of all these free web sites popping up at random addresses across the internet? Who's going to locate them and register them so they can have DNS point to them, 'cos without the DNS they aren't really publicly available? Who is going to list them all as they come up so others can use them if no DNS is available? What about all those machines on dial-up whose IP changes each time they dial in - or the DSL people whose IP rotates at a horrendous rate?.... You would lose contact with those sites almost immediately.

I can see that there may be a hole but the scenario you describe has no useful purpose nor does it really have any malicious purpose...... It's just kind of a "what if"..... which doesn't really make it a big security issue.....<s>