-
Quote:
Originally posted here by DeadCr0w
That's true but the thing is it can be changed if he didn't change the default 1234 password.
Ah, but only locally. The default setting for "Allow Remote Administration" is "disabled"; therefore one would need to be at the local computer to alter any settings.
-
Hi :)
I've owned 3 or 4 Netgears myself over the years. They use telnet, which is insecure; it's possible a hacker could sniff your password. Netgear routers have a serial cable administration feature. I'd recommend logging in to your router with a serial cable to do any configuration & disable any network administration if you want to lock hackers out. Only upgrade the firmware on your router if you're having major issues; if it's working fine, leave it alone ;)
Doc
-
This may sound stupid, but what is security event viewer? Does it come standard with XP? And how do I access/use it? Thank you.
-
The event viewer is where the OS logs some information. You can access it by going to
start -> control panel -> admin tools -> event viewer
or
start -> control panel -> admin tools -> computer management
I like the computer management because you can access all your basic admin tools there. If you really want to customize your own... look into mmc. You can put whatever snapin you want in there.
There are three logs in a standard install of NT, 2k and XP, but depending on what you are running on it... there could be more. eg: domain controller, exchange server, DNS server, etc.
The first is the application: This is where general application info is. If a program crashes, it will most likely be logged here. The error messages are good for helping you troubleshoot.
The second is the security: This is not enabled by default and you have to enable security auditing. Well, you could write half a book about auditing... if not a whole one.
Tony Bradley has written a short tutorial on his site about it here. The computer access auditing that is. That is basically how to enable it... You can audit pretty much everything. Failed logins, success logins, object access, etc.
The third is system: This is where you would find out what is going on with the system. What services are being started, crashing, etc. This is also very useful for troubleshooting.
Each entry has an Event ID: If you go to www.microsoft.com/technet and type in event id: <number> it will most likely come back with some good insight on why a problem is happening and how to fix it. Many times events relate to each other... so piece together the puzzle. By default, the logging doesn't take up that much space. In fact... you could completely overwrite your logs by rebooting a couple of times. I would recommend you increase the size of the logs. If you have the space, that is.
The joy of troubleshooting! ;)
Here is m$'s "overview" of the event viewer.
Here is another one about the event viewer that is a little better. Look at the pretty pictures... :p
There are several more... search for em.
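
The log-size and auditing points in the post above, as an added example that is not part of the original post: it reports how far back each of the three standard logs reaches, raises the size ceiling on any that are small, and shows whether logon auditing is switched on. It assumes an elevated Windows PowerShell 5.1 session (the `Get-EventLog` family is not in PowerShell 7), a 64 MB target chosen for illustration, and `auditpol`, which ships with Vista and later rather than XP.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell 5.1 prompt.
$targetBytes = 64MB    # assumed ceiling; Limit-EventLog needs a multiple of 64 KB
$names = 'Application', 'Security', 'System'

# Collect size, overflow behaviour and the age of the oldest surviving entry.
$report = foreach ($log in (Get-EventLog -List | Where-Object { $names -contains $_.Log })) {
    $count  = $log.Entries.Count
    # Index 0 of the raw entry collection is the oldest record still in the log.
    $oldest = if ($count -gt 0) { $log.Entries[0].TimeGenerated } else { $null }
    $days   = if ($oldest) { [math]::Round(((Get-Date) - $oldest).TotalDays, 1) } else { 0 }

    [pscustomobject]@{
        Log           = $log.Log
        MaxKB         = $log.MaximumKilobytes
        Overflow      = $log.OverflowAction
        Entries       = $count
        Oldest        = $oldest
        DaysOfHistory = $days
        TooSmall      = ($log.MaximumKilobytes * 1KB) -lt $targetBytes
    }
}
$report | Format-Table -AutoSize

# Raise the ceiling only where it is below the target, so larger custom sizes are kept.
foreach ($row in ($report | Where-Object { $_.TooSmall })) {
    Limit-EventLog -LogName $row.Log -MaximumSize $targetBytes -OverflowAction OverwriteAsNeeded
    Write-Output ("{0}: maximum size raised to {1} MB" -f $row.Log, ($targetBytes / 1MB))
}

# The Security log stays nearly empty unless auditing is enabled.
# Category name as it appears on English-language systems.
auditpol /get /category:"Logon/Logoff"
```

A small `DaysOfHistory` on a log that is close to its maximum size means older events have already been overwritten, which is the situation the post warns about.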
-
Many thanks to all who have posted.
Here's the latest. I ran a full virus scan which thankfully turned up nothing. I rearranged the system folder to show icons by the last time they were modified. It appears nothing was modified as of yesterday.
I'm not going to let this go, and I am going to get to the bottom of this as I'm almost proof positive that something has happened. I will keep you all posted with any new developments.
-
Thanks for the info phishphreek80
-
Wrong Bush Guys
I think we might be running round the wrong bush here guys. We might be good at security issues but what I might suggest is getting the latest UT patch.
Unreal did have some pretty funky vulnerability problems in early versions.
Try googling these issues.
-
Another good site for finding out what events mean... http://www.eventid.net/
-
11)Logon Process Name: Winlogon\MSGina
Just to add to the superb info that Phish handed to you, the attacker would have rebooted your box eventually anyway. The MSGina.dll file that is mentioned above is tied to this CVE:
SecurityTracker Alert ID: 1005986
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Jan 24 2003
Original Entry Date: Jan 24 2003
Impact: Denial of service via network
Exploit Included: Yes
Version(s): Windows 2000 Terminal Server, Windows XP
Description: A denial of service vulnerability was reported in the Windows Terminal Server in the Microsoft Graphical Identification and Authentication DLL (MSGINA.DLL). A remote authenticated user can cause the system to reboot.
It is reported that a remote authenticated user that can access a Windows Terminal Server via RDP or ICA and access the filesystem can cause the server to restart.
The remote authenticated user can place a read lock on the %SYSTEMROOT%\SYSTEM32\MSGINA.DLL file and then open a new connection to the server via RDP or ICA to trigger a warning dialog ("msgina.dll failed to load"). The warning dialog reportedly allows the remote authenticated user to click a "Restart" button to cause the server to reboot.
According to this report, Windows 2000 Terminal Server is affected. Another user has reported that Windows XP is also affected.
The vendor has reportedly been notified.
Impact: A remote authenticated user with access to the filesystem can cause the server to reboot.
Hope this helps!
:p
-
RASMAN & CHAP are Windows XP/NT services - no threat
MSGina.dll is 'usually' used by Symantec for PCAnywhere - no threat
Dell8200$ is the normal computer name for Windows XP/NT - no threat
From what I saw in the original messages... you are NOT owned; and your inability to connect to the game server could be simply - OPEN THE CORRECT PORT on your router.