Security Basics mailing list archives

RE: multicast connection trials from a home machine - is it regular?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 16 Apr 2003 08:56:12 -0700

"1.  Do you have a default gateway specified?"

Not specified by me. This machine is at home; it dials up to an 
ISP, then it's their way to the Net.

  Okay, when you dial up, it should be receiving a gateway
address along with the IP, net mask, DNS, etc.  So it shouldn't
need to go searching for a router.

"2.  Have you installed any of the "routing"* 
protocols? (OSPF, RIP, etc.) [If so, WHY???]"

I've not installed anything -- knowingly... If they *are* 
in this machine, where can I find them? Under which names?

  When you select Properties on a network connection, you'll see
a box which specifies the adapter and a list of components with
check marks beside them.  For a normal TCP/IP connection, there 
will be three components:  Client for Microsoft Networks,
File and Printer Sharing for Microsoft Networks (which you may
want to un-check on the dial-up connection...), and the TCP/IP
protocol itself.
  Some products such as network sniffers or VPN clients install 
additional components, so I can't just say "Blow away everything 
else."  But it doesn't sound like *in your case* you need anything 
else that's listed.

"You do not need them unless your box is acting as a router for a
complex/dynamic network."

Well, that is what I suspect. That this box was used as a 
router somehow... by means of an intrusion.
I'm ready to do a good old Format C:, but I was trying to 
learn something about what was done, prior to erasing the clues. 
I think that this "calling multicast" is an abnormal behavior for 
a *home* Win98 machine. The line "Owner: Tcpip Kernel Driver" in 
the firewall log maybe means "something" is trying to go out.

  I don't think I've ever heard of a real intrusion making a 
machine into a router.  (A *proxy*, perhaps, but that's not 
the same thing.)  There's a common suggestion that people
come up with to deploy a machine with one interface on a 
trusted network and one on an untrusted network; we security 
folks advise against that because an intruder *might* turn it 
into a proxy/router (but more likely a proxy...) to bypass the
normal gateway to the trusted network.

  On NT, all you needed to do to make a box a router was to 
check one box in the Network configuration.  (I've actually had
a clueless user DO that, which probably wouldn't have been a 
problem if they hadn't ALSO installed RIP.)  On 2000, you have
to update the registry by hand to do this -- but if your box
was upgraded to 2000 from NT....

David Gillett
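
As an added example (not part of this post or the thread), the check a defender would want here: a small Python triage script that scans constructed firewall log lines for outbound multicast destinations and flags the routing-protocol groups (OSPF, RIPv2) that a dial-up home machine has no reason to talk to. The log line format, the sample addresses and the owner names are assumptions, not the poster's actual log.

```python
import ipaddress
import re

# Well-known IPv4 multicast groups (IANA registry) worth recognising when
# triaging a home machine; routing-protocol groups are unexpected on dial-up.
KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts (IGMP membership queries; normal)",
    "224.0.0.2": "all-routers (router solicitation/discovery)",
    "224.0.0.5": "OSPF all-routers (routing protocol)",
    "224.0.0.6": "OSPF designated routers (routing protocol)",
    "224.0.0.9": "RIPv2 (routing protocol)",
    "239.255.255.250": "SSDP/UPnP discovery (common on Windows; normal)",
}
ROUTING_GROUPS = {"224.0.0.5", "224.0.0.6", "224.0.0.9"}

MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # entire IPv4 multicast range

# Constructed sample log in a simplified personal-firewall format
# (direction, protocol, src -> dst, owner); not taken from the original post.
SAMPLE_LOG = """\
OUT UDP 192.0.2.10:520 -> 224.0.0.9:520 Owner: Tcpip Kernel Driver
OUT UDP 192.0.2.10:1900 -> 239.255.255.250:1900 Owner: Tcpip Kernel Driver
OUT TCP 192.0.2.10:1034 -> 198.51.100.7:80 Owner: iexplore.exe
OUT 89 192.0.2.10 -> 224.0.0.5 Owner: Tcpip Kernel Driver
"""

LINE_RE = re.compile(
    r"^(?P<dir>IN|OUT)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::\d+)?\s+Owner:\s+(?P<owner>.+)$"
)

def classify_line(line):
    """Return (dst, verdict, detail) for a multicast line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    if dst not in MULTICAST:
        return None  # unicast traffic is out of scope for this check
    label = KNOWN_GROUPS.get(str(dst), "unregistered/other multicast group")
    verdict = "SUSPECT" if str(dst) in ROUTING_GROUPS else "INFO"
    return (str(dst), verdict, f"{label}; owner={m['owner']}")

def triage(log_text):
    """Classify every multicast destination seen in the log text."""
    return [r for r in map(classify_line, log_text.splitlines()) if r]
```

A SUSPECT verdict means the host is emitting routing-protocol traffic, which is exactly the "routing component installed" case the reply above describes; an INFO hit on SSDP or all-hosts is ordinary Windows behaviour.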

