Security Basics mailing list archives
RE: multicast connection trials from a home machine - is it regular?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 16 Apr 2003 08:56:12 -0700
"1. Do you have a default gateway specified?"Not specified by me. This machine is at home, dialups to an ISP, then it's their way to the Net.
Okay, when you dial up, it should be receiving a gateway address along with the IP, net mask, DNS, etc. So it shouldn't need to go searching for a router.
"2. Have you installed any of the "routing"*protocols?(OSPF, RIP, etc) [If so, WHY???] I've not installed anything ----knowingly... If they *are* in this machine, where can I find them? Under which names?
When you select Properties on a network connection, you'll see a box which specifies the adapter and a list of components with check marks beside them. For a normal TCP/IP connection, there will be three components: Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks (which you may want to un-check on the dial-up connection...), and the TCP/IP protocol itself. Some products such as network sniffers or VPN clients install additional components, so I can't just say "Blow away everything else." But it doesn't sound like *in your case* you need anything else that's listed.
"You do not need them unless your box is acting as a router for acomplex/dynamic network." Well, that is what I suspect. That this box was used as a router somehow... by means of an intrusion. I'm ready to do a good old Format C:, but I was trying to learn something about what was done, prior to erase the clues. I think that this "calling multicast" is an abnormal behavior for a *home* Win98 machine. The line "Owner: Tcpip Kernel Driver" in the firewall log maybe means "something" is trying to go out.
I don't think I've ever heard of a real intrusion making a machine into a router. (A *proxy*, perhaps, but that's not the same thing.) There's a common suggestion that people come up with to deploy a machine with one interface on a trusted network and one on an untrusted network; us security folks advise against that because an intruder *might* turn it into a proxy/router (but more likely a proxy...) to bypass the normal gateway to the trusted network. On NT, all you needed to do to make a box a router was to check one box in the Network configuration. (I've actually had a clueless user DO that, which probably wouldn't have been a problem if they hadn't ALSO installed RIP.) On 2000, you have to update the registry by hand to do this -- but if your box was upgraded to 2000 from NT.... David Gillett --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics ----------------------------------------------------------------------------
Current thread:
- multicast connection trials from a home machine - is it regular? ruben (Apr 15)
- RE: multicast connection trials from a home machine - is it regular? David Gillett (Apr 15)
- Re: multicast connection trials from a home machine - is it regular? ruben (Apr 16)
- RE: multicast connection trials from a home machine - is it regular? David Gillett (Apr 16)
- Re: multicast connection trials from a home machine - is it regular? Jan Falkenreck (Apr 16)
- RE: multicast connection trials from a home machine - is it regular? David Gillett (Apr 17)
- Re: multicast connection trials from a home machine - is it regular? ruben (Apr 16)
- Re: multicast connection trials from a home machine - is it regular? James-lists (Apr 16)
- Re: multicast connection trials from a home machine - is it regular? GSimmonds (Apr 17)
- <Possible follow-ups>
- Re: multicast connection trials from a home machine - is it regular? Chris Berry (Apr 17)
- RE: multicast connection trials from a home machine - is it regular? Cushing, David (Apr 17)
- RE: multicast connection trials from a home machine - is it regular? David Gillett (Apr 15)