Wednesday, October 27, 2004

So my Windows system was compromised...

So finally it happened.

I recently got myself a broadband/DSL router with a lot of features. Wireless, print server, Ethernet hub, etc. I am still amazed at the stuff you can buy nowadays. And this thing isn't even sophisticated, by other people's standards.

But what it has as well is a built-in firewall. So I have a firewall. I fired that thing up, set up my broadband connection, enabled the firewall, and switched on some default rules. As I use webmail, I even blocked the POP3 and SMTP ports. And voila, I feel a lot safer.

Now comes the second part. Reinstalling Windows. As you can never know whether your Windows is rooted once it has been connected to the internet without "protection", your only option is to reinstall (and once you're rooted, there is NO way of knowing that you're rooted: a good rootkit covers its tracks so that it is essentially undetectable). I have been trying to stay up to date with all MS patches, but even then there is a chance that somebody made an exploit BEFORE the patch was released. So I want to remove any parts of my Windows before reinstalling. For this, I have a second Windows install, just for these little things. I boot into this "backup" Windows. But wait, I want to check my emails. I start the browser and start checking mails, but suddenly the internet connection goes dead. I open the admin website for the router to check the state of the connection (gee, the router even has a built-in webserver!). And here is what the status window has to say:

10/27/2004 20:26:21 **SYN Flood** 192.168.2.xx, 4072->> 167.204.187.xx, 135 (from PPPoE Outbound)
10/27/2004 20:26:21 **SYN Flood** 192.168.2.xx, 4071->> 167.204.187.xx, 135 (from PPPoE Outbound)

A system I used once some months ago to get onto the internet has been infected. So I need to delete that Windows installation as well...
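A small detection script for the router log format shown above, added here as an example (it is not the router's tooling or code from this post). It parses lines of that shape, counts outbound SYN-flood events from LAN hosts towards port 135 (and 445, assumed here as a sibling RPC/SMB port), and names the internal machines that are most likely infected. The log lines and addresses in it are constructed samples, not the masked entries from the post, and the LAN range, port list and threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Shape of one router status line as shown in the post:
# <date> <time> **<event>** <src_ip>, <src_port>->> <dst_ip>, <dst_port> (from <iface>)
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\*\*(?P<event>[^*]+)\*\* "
    r"(?P<src_ip>[\d.]+), (?P<src_port>\d+)->> "
    r"(?P<dst_ip>[\d.]+), (?P<dst_port>\d+) "
    r"\(from (?P<iface>[^)]+)\)$"
)

# Constructed sample log (documentation-range public addresses, made-up LAN hosts).
SAMPLE_LOG = """\
10/27/2004 20:26:21 **SYN Flood** 192.168.2.10, 4072->> 203.0.113.5, 135 (from PPPoE Outbound)
10/27/2004 20:26:21 **SYN Flood** 192.168.2.10, 4071->> 203.0.113.6, 135 (from PPPoE Outbound)
10/27/2004 20:26:22 **SYN Flood** 192.168.2.10, 4073->> 203.0.113.7, 135 (from PPPoE Outbound)
10/27/2004 20:27:03 **SYN Flood** 192.168.2.11, 3310->> 203.0.113.9, 80 (from PPPoE Outbound)
garbage line that should be skipped
"""

LAN = ip_network("192.168.2.0/24")   # assumed home LAN range
SUSPECT_PORTS = {135, 445}           # assumed: RPC/SMB ports worm scanners aim at


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["date"] + " " + d["time"], "%m/%d/%Y %H:%M:%S"),
        "event": d["event"],
        "src_ip": ip_address(d["src_ip"]),
        "src_port": int(d["src_port"]),
        "dst_ip": ip_address(d["dst_ip"]),
        "dst_port": int(d["dst_port"]),
        "iface": d["iface"],
    }


def parse_log(text):
    """Parse every recognisable line; unparseable lines are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def suspect_hosts(records, lan=LAN, ports=SUSPECT_PORTS, threshold=2):
    """Count outbound SYN-flood events per LAN host against the suspect ports and
    return (host, count) pairs with at least `threshold` events, busiest first."""
    counts = Counter()
    for r in records:
        if (r["event"] == "SYN Flood" and "Outbound" in r["iface"]
                and r["src_ip"] in lan and r["dst_port"] in ports):
            counts[str(r["src_ip"])] += 1
    return [(h, n) for h, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for host, n in suspect_hosts(parse_log(SAMPLE_LOG)):
        print(f"{host}: {n} outbound SYN floods to RPC/SMB ports; "
              f"unplug it and rebuild from clean media")
```

A single internal host scanning many outside addresses on port 135 is the pattern the post's two log lines show; the threshold exists so one stray connection does not trip the check, while the web-browsing host (port 80) in the sample is correctly ignored.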

Cmdr. Ferraday: If there's one thing that cannot happen on board a submarine by accident... is both ends of a torpedo tube open to the sea at the same time!
David Jones: You cross-connect the hydraulic manifold to the outside door mechanism so the indicator reads shut when the door is actually open. The same sort of electrical cross on these two panels, and the open position reads green when it should flash red. Then you plug up the inlet to the test cock with chewing gum, sealing wax, anything... just so that it shows a dribble. And then you open the tube, and Good Night.
From Ice Station Zebra