|
|
|||||||
| Applications & Operating Systems Problems with your Operating System? Got an application that's crashing? Find your answers here. |
 |
|
|
Thread Tools | Display Modes |
01-15-2008, 5:09 PM
|
#31 | |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Quote:
I was figuring you'd have put the ScrubIT DNS servers into a "front facing" (to the external public internet) ROUTER (many of them allow you to put the DNS servers into their webpage based interface) & then, your INTERNAL AD BASED DNS Server, into your LOCAL AREA CONNECTION! (In fact? I'd wager that'd work... & I am going to try it tomorrow on the job for the heck of it!) APK P.S.=> In any event, good to see you have another way of "creatively" making this work on YOUR workplace LAN/WAN setup, via using VPN's! Thanks again man... apk |
|
|
|
|
01-16-2008, 6:34 AM
|
#32 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
MALWARE REMOVAL TOOLS/TIPS/TRICKS/TECHNIQUES (using 100% FREE tools online & OS ones)
HOW TO REMOVE MALWARE (Virus/Trojans/Spyware & some rootkits) - just like NIST recommends in their guides also (a malware removal procedure):
HOW TO REMOVE MALWARE - INTRODUCTION (using 110% free tools, OR ones you have in your OS already natively, to remove malware infestations of ANY kind HOW TO): NOW, after ALL of the above? IF you do find yourself "infested" though, one day?? (Which is going to RARE (if @ all) - Usually, after the above set of steps you can use to secure yourselves, the ONLY way you usually can be reinfected, is to click & run a bogus email attachment, OR, by turning on Javascript & IFrames for instance! (or, allowing shockwave or a bum ActiveX control to run) OR, via a vulnerability in your applications OR Operating System that needs patching (I note this in the init. post of this thread in fact in this latter point now)). YES - It happens! Far more rarely than it had before (using a buddy of mine Jack as an example in fact - I chose him as a tester because he was nearly constantly infested is why & this all worked for he, until he violated javascript usage rules I mentioned above). E.G.-> I have had users violate that/those "rule(s)" from above & that was how they were reinfected - BUT, one tester of mine DEFINITELY gets infected FAR LESS than he used to, by applying the above... this is certain! I.E.-> I have had this setup running Windows Server 2003 (SP#2, fully hotfix patched & hardened per the above as of this date) since early 2003, running "110% bulletproof & bugfree" because of following the rules & suggestions noted above! ANYHOW - Malware infested? TRY THIS SET OF TOOLS & TECHNIQUES: How to clean yourself up? This "toolkit" & process has helped me get thru over a 1,000 spyware/virus clean up calls, & hopefully? It will yourself, as well, so... here goes: ========== 1.) Reboot your system to F8 @ startup "Windows Advanced Options" bootup menu that stops you during the boot sequence. ---- 2.) There, choose "safemode with networking" (via the "Windows Advanced Options" menu you get presented with while tapping the F8 key repeatedly @ system startup). ---- 3.) Once in safemode with networking Windows, download/install & RUN these tools (they are not much to look at, BUT, they do work on MOST threats today & get regularly updated): a. Run IE, use its TOOLS menu, Manage Addons Submenu, & turn off ANY BHO etc. objects that you do NOT absolutely NEED, or know what they are (many malwares in the form of bogus toolbars or BHO (browser helper objects) often hide here). ALSO, GREAT NEW POINT EDITED IN NOW (01/13/2008) per Delightus14 @ Neowin forums: ALSO CLEAN OUT YOUR WEBBROWER CACHES & %temp/tmp% temp. ops locations so no maladies exist there also awaiting re-awakening by accident You do this via Internet Explorer (using IE as an example, it is the same idea in Opera/FireFox/Netscape/Mozilla etc. too) via its Tools menu, Internet Options submenu, & on IE options screen, use the "Browsing History" group in IE7, & delete things as necessary from IE's browser caches etc. & for OS + app level %temp% & %tmp% environmental values' areas? Type SET @ a DOS prompt to see where you located those, & burn their contents via DEL commands, OR via explorer.exe/MyComputer filemanagement. b. Run msconfig.exe, & stall out ANY apps you do NOT absolutely NEED to run (many malware start here in fact). If you do NOT know the name of the program & what it does? Look it up on GOOGLE... same with BHO's above in IE. c. DOWNLOAD & INSTALL SpyBot 1.51x d. DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ComboFix (don't run it yet - there is no installer, it IS its own install + run package) COMBOFIX MAY HAVE SOME "MINOR SIDE EFFECTS" though, & here are 3 I have noted, & HOW to fix them: 1.) IE homepage: No big deal to "fix this". You go to Start Button -> CONTROL PANEL (use CLASSIC VIEW, it's easier imo) -> Internet Options -> General Tab & HOMEPAGE (here is where you change that). 2.) System Time (rightclick on timeclock in lower righthand side of your screen, & from its POPUP menu, use the Date/Time tool) 3.) Desktop wallpaper (easy to fix: Rightclick on Desktop, use properties menu, & the desktop tab, change your background wallpaper there) e. DOWNLOAD (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) SmitFraudFix (which also has its own LSP (layered service provider fix I have heard tell), BUT, againL Don't run it yet - as AGAIN -> there is no installer, it IS its own install + run package) An alternate here, is LSPFix.exe... ---- 4.) Clean out your rig, running SpyBot, first (most of the threats today are SPYWARE related, or TROJANS, more than std. typical traditional viruses by the way). ---- 5.) Then, run ComboFix (this will reset your webbrowser homepage & background desktop wallpaper, you will have to reset these, & possibly your date/time clock in Windows too). (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ---- 6.) Then, run SmitFraudFix (or, as an alternate, LSPFix) (OPTIONAL - use ONLY if Spybot for example, cannot remove a malware) ---- 7.) Reboot to "normal Windows" (no F8 stuff this round) - it MAY hesitate/be slower this bootup though, because SpyBot/ComboFix/SmitFraud do a 2nd look type check on bootup many times... so, be prepared for this part. ---- 8.) Then, once in normal Windows again, scan with your AntiVirus solution (now fully updated hopefully & if not, do update it first & then scan). Good suggested FREE one, is AVG AntiVirus (I suggest this one, because it is free + complete w/ mail protection too that's decent enough, & just in case your antivirus solution is expired... if it is not expired, update the one you use. Keeping another around for a "2nd Dr.'s Opinion" is NOT a bad idea, BUT: ONLY RUN 1 OF THEM, "resident" (meaning runnings its background application & file scanning engine, usually implemented as a service + trayicon app). IMO, NOD32 is the best performer all-around in terms of antivirus programs. av-comparatives & vb100 tend to 2nd me here as well. * @ that point? You probably will have 'caught the culprits', OR, @ least have the name + location of any threats they could NOT eliminate... & here is where it gets REALLY "fun"... ========== NOW, when you CAN'T remove a virus using "script kiddie automated tools" like those noted above (not putting them down calling them that because they ARE somebody's hard work & freely given time as well... but, they ARE that, because they're only automating what YOU can do, yourself, with other tools like msconfig/IE manage addons, & more tools like Process Explorer + regedit & explorer.exe (OR even Recovery Console) can allow YOU to do, yourself, albeit slower... the nice part about the automated killers like the tools I mention above, is that they operate FAR FASTER than human beings do). ANYHOW - IF you can get its name, & location on disk say, via a report from AVG or other programs you use for this? Boot your system from the OS install CD, & go to RECOVERY CONSOLE! There, switch to the folder that houses it using CD (almost like DOS one, but uses .. ONLY, to switch to ancestor folder roots really (instead of \ etc. et al))! Then, once you are in its folder, fry it then (nothing will be loading & thus, locking it, there) using the DEL command -> DEL filename. **** It's THAT, or using Process Explorer in UserMode/Ring 3/RPL3 operation... You would do a suspending the calling process via right click popup menu options for this it offers! Once the calling process is suspended (& many times, also the called or DLL injected library as well), you can delete ANY potential offending injected DLL/lib virus-trojan-spyware-malware being called by said parent process, on disk. (This ia assuming this is a lib loaded virus/spyware/trojan/malware etc., not a standalone .exe type) That's done via watching loaded DLL's that ANY app may have loaded presently (For that, you would have to use ProExp's CTRL+D keystroke shortcut, with the lower pane view present/visible, & set like that) IF there is one and this thing doesn't launch by itself from one of the registry RUN areas or startup groups that is... Using Process Explorer can help! (Again, especially if this is being run by "DLL Injection" (like an OLEServer being injected into a process via CLSIDs, shell extensions, or being run by rundll32.exe OR svchost.exe, process hosting executables that can spawn either .exe OR .dll/lib based ones)). **** The easier/simpler route? My first suggestion: Use Recovery Console, once you have its name & location on disk... DEL command will take care of it, lickety-split, no-$heet. TO INSTALL RECOVERY CONSOLE AS A BOOTUP MENU OPTION: 1.Insert the Windows XP CD into the CD-ROM drive. 2.Click Start, and then click Run. 3.In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive. 4.A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes. 5.Restart the computer. The next time that you start your computer, "Microsoft Windows Recovery Console" appears on the startup menu. (Alternately, you may bootup from your XP/Server 2003/VISTA install media, & run it there (via bootoptions menus choices then)) Then once you are booted & logged into it, use: FixMBR & DEL (filename) Once in the folder/directory (via CD dos command) where those rogue files are, burn them, in RC... using DEL. NOTE/IMPORTANT: You MAY have to use SECPOL.msc & give yourself rights to folders other than %windir% & its subordinates though, if the rogue files aren't underneath Windows itself... because RC's default ACL to those things is just %windir% & its subordinate folders only. Start in Left-hand side pane of secpol.msc -> Security Settings -> Local Policies -> Security Options (now right-hand side pane of secpol.msc) -> Recovery Console: Allow Floppy Copy and Access to all drives and folders APK P.S.=> Rootkits & how to blow THOSE out? Guess what your "best pal" is, yet again?? Ah, you guessed it - RECOVERY CONSOLE & FixMBR command! HOWEVER - FixMBR ONLY works on (only) BOOTSECTOR ORIGINATED TYPES though... There are other kinds (driven by drivers &/or kernel mode API 'hooking' & more)... Soon, & I am NOT the only person theorizing this (because I saw BIOS flash code @ rootkit.com over more than a year back no less & IMMEDIATELY said "oh boy, here comes bios flashing malware")?? Soon you'll have BIOS flashing attacks via malwares (virus/trojans/spywares) & rootkits too (as rootkits typically ride "under the OS" or make themselves invisible to it, via interception of even kernel mode API calls, doing something called "hooking')... How so?? Well, an example (a legit program I built this year for the fine Sci-Fi series from the BBC in the UK, called "Dr. Who" (longest running Sci-Fi show there is, huge fan here since the 1970's in fact)): ---------------------------------------------------------------------- APK Doctor Who ScreenSaver 2008++ version 1.0: ---------------------------------------------------------------------- http://www.drwhodaily.com/community/...?showtopic=386 ---------------------------------------------------------------------- I store its .avi it plays back, INSIDE of the .scr executable, as a 'resource' I point to & playback from RAM, not disk, via a child thread (it's multithreaded design)... That said - now, consider this: Since ASUS & GIGABYTE have tools that 'flash' your BIOS, that now operate inside Windows itself? Well, what is stopping a "blended/combined package" threat malware from using not only "std. attack methods" but, also using rootkit techniques too! (Once more - means a "malware type" that literally "rides beneath the OS" literally, from out of the BIOS, or from a bootsector spawning (only kind I know how to kill in fact, via Recovery Console FixMBR) or, via kernelmode API intercept hooking (ability to 'fake out' what API's do or report back to you in laymen's terms)) What is stopping malware makers from doing the SAME thing I do in that program above to 'disguise' their evil machinations? Well... Not much! Especially considering you can not only store .avi files, but pretty much anything, including a BIOS IMG file & a "Plug-N-Play" driver to make this happen! (PnP drivers = A driver that can start from usermode/Ring3/RPL3 where you run programs from, vs. Ring 0/RPL0/kernelmode where most drivers traditionally run from)... Food for thought... you get one of these types (afaik not here YET)? OR, rootkits of other kinds (not bootsector killable, but instead memory resident)?? Backup your data, & "repave" is the typical recommendation... I have no idea how I would kill one, & afaik? Nobody else does either, aside from starting fresh, OR trying to "overwrite" your current setup w/ a backup (assuming it is clean too, & that might NOT be a good assumption)... apk Last edited by APK; 05-27-2008 at 8:07 AM. Reason: Adding in HOW to install Recovery Console as a BOOTUP.INI menu option... apk |
|
|
|
|
02-21-2008, 7:36 PM
|
#33 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Cool: Stopped in to check post viewcount, @ 1,062...
As regards the "Russian Business Network" (RBN) who has been @ the heart of MANY online attacks (or, things like Zlob trojan & IDTheft related attacks, etc. et al)? Use this information to protect yourselves, from them.
(RELIABLE/REPUTABLE SOURCE USED = http://www.spamhaus.org/rokso/eviden...kso_id=ROK7465 ---- FIRST OF ALL - Note, I use "0.0.0.0" vs. "127.0.0.1" (That is simply because iirc, the zero's based one leads to a NULL port type of request, rather than your "loopback adapter" (i.e.-> YOUR OWN MACHINE fielding requests) for a couple of reasons (which it took me some time to come up w/ & testing as to which is "better" to use)). SECONDLY, 0.0.0.0 is SMALLER than 127.0.0.1, & thus, parses + loads FAR faster, & is smaller on disk is why - AND, in RAM once loaded: THUS, I am logically concluding that 0.0.0.0 is better to use period for HOSTS file blocks - same function, & @ LESSER cost, nearly all the way around (less diskspace, faster loadspeed, less memory occupancy, & etc. et al). A MORE EFFICIENT STRUCTURE! ---- USING NOTEPAD.EXE ADD THIS LIST TO YOUR CUSTOM HOSTS FILE (usually located in %windir%\system32\drivers\etc subfolder-subdirectory): # === START OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS === 0.0.0.0 rxpharmacy-support.com 0.0.0.0 ns3.cnmsn.com 0.0.0.0 thecanadianmeds.com 0.0.0.0 officialmedicines.com 0.0.0.0 psxshop.com 0.0.0.0 10000xing.cn 0.0.0.0 222360.com 0.0.0.0 adslooks.info 0.0.0.0 bnably.com 0.0.0.0 eqcorn.com 0.0.0.0 familypostcards2008.com 0.0.0.0 freshcards2008.com 0.0.0.0 happy2008toyou.com 0.0.0.0 happysantacards.com 0.0.0.0 hellosanta2008.com 0.0.0.0 hohoho2008.com 0.0.0.0 kqfloat.com 0.0.0.0 ltbrew.com 0.0.0.0 mymetavids.com 0.0.0.0 obebos.cn 0.0.0.0 parentscards.com 0.0.0.0 postcards-2008.com 0.0.0.0 ptowl.com 0.0.0.0 qavoter.com 0.0.0.0 santapcards.com 0.0.0.0 santawishes2008.com 0.0.0.0 siski.cn 0.0.0.0 snbane.com 0.0.0.0 snlilac.com 0.0.0.0 tibeam.com 0.0.0.0 tushove.com 0.0.0.0 wxtaste.com 0.0.0.0 yxbegan.com 0.0.0.0 iframedollars.biz 0.0.0.0 NS1.RBNNETWORK.COM 0.0.0.0 NS1.4USER.NET 0.0.0.0 NS1.EEXHOST.COM 0.0.0.0 NS1.AKIMON.COM 0.0.0.0 NAME1.AKIMON.COM 0.0.0.0 NS2.RBNNETWORK.COM 0.0.0.0 NS2.4USER.NET 0.0.0.0 NS2.AKIMON.COM 0.0.0.0 NS2.EEXHOST.COM 0.0.0.0 NAME2.AKIMON.COM 0.0.0.0 RUSOUVENIRS.COM 0.0.0.0 RBNNETWORK.COM 0.0.0.0 NS1.INFOBOX.ORG 0.0.0.0 NS2.INFOBOX.ORG 0.0.0.0 NS1.RUSOUVENIRS.COM 0.0.0.0 NS2.RUSOUVENIRS.COM 0.0.0.0 NS1.RUSOUVENIRS.NET 0.0.0.0 NS2.RUSOUVENIRS.NET 0.0.0.0 SBTTEL.COM 0.0.0.0 AKIMON.COM 0.0.0.0 AKIMON.NET 0.0.0.0 EEXHOST.COM 0.0.0.0 NS1.EEXHOST.COM 0.0.0.0 NS2.EEXHOST.COM 0.0.0.0 NS1.4USER.NET 0.0.0.0 NS1.AKIMON.COM 0.0.0.0 NS1.EEXHOST.COM 0.0.0.0 NAME1.AKIMON.COM 0.0.0.0 NS1.RBNNETWORK.COM 0.0.0.0 NS2.4USER.NET 0.0.0.0 NS2.AKIMON.COM 0.0.0.0 NAME2.AKIMON.COM 0.0.0.0 NS2.RBNNETWORK.COM 0.0.0.0 NS2.EEXHOST.COM 0.0.0.0 VALUEDOT.NET 0.0.0.0 ns0.valuedot.net 0.0.0.0 ns1.valuedot.net 0.0.0.0 1000WATT.BIZ 0.0.0.0 2SOVKA.NET 0.0.0.0 AIDEN-GROUP.COM 0.0.0.0 AKIMON.COM 0.0.0.0 ALEKC.NET 0.0.0.0 ANDREY-STUDIO.INFO 0.0.0.0 AUTOKUBAN.INFO 0.0.0.0 AVIATRAVELAGENCY.COM 0.0.0.0 AVTOMOBILEY.NET 0.0.0.0 BAGATITSA.COM 0.0.0.0 BAIKERGROUP.COM 0.0.0.0 BALTICDOORS.COM 0.0.0.0 BALTMONOLIT.COM 0.0.0.0 BRIGADA-EL.COM 0.0.0.0 CARPRIVOZ.COM 0.0.0.0 CHILLERU.COM 0.0.0.0 CVETOVODSTVO.COM 0.0.0.0 E-GOLD-CHANGER.COM 0.0.0.0 ELECTRONOV.NET 0.0.0.0 FASHIONER.BIZ 0.0.0.0 FFFFFF.ORG 0.0.0.0 FIFACUP06.INFO 0.0.0.0 FISHTORG.COM 0.0.0.0 FKGARANT.COM 0.0.0.0 FOTORETUSH.COM 0.0.0.0 FREGATSOFT.COM 0.0.0.0 FROLROMANOFF.COM 0.0.0.0 FULLVER.INFO 0.0.0.0 GAKKEL.COM 0.0.0.0 GARANTSERVICE.ORG 0.0.0.0 GDEDENGI.INFO 0.0.0.0 GLAZKI.NET 0.0.0.0 GOLD-DRAGON.INFO 0.0.0.0 GORODM.COM 0.0.0.0 GRAYZI.NET 0.0.0.0 GRIFFINFLY.COM 0.0.0.0 HEAT-ENERGO.COM 0.0.0.0 HITEMA.NET 0.0.0.0 HYIPREVIEW.INFO 0.0.0.0 HYIPSMAP.COM 0.0.0.0 ILOXX.ORG 0.0.0.0 IMYA.INFO 0.0.0.0 INFODOSKA.COM 0.0.0.0 INTERNETWORLDBOOK.COM 0.0.0.0 KLIMATA.NET 0.0.0.0 KOMOV.NET 0.0.0.0 KOSMETICHKA.NET 0.0.0.0 LIDTRADE.COM 0.0.0.0 LIFE-RU.ORG 0.0.0.0 LPSPB.COM 0.0.0.0 M-OST.NET 0.0.0.0 M-UNLOCK.COM 0.0.0.0 MAMRU.COM 0.0.0.0 MAPSERV.COM 0.0.0.0 MASTERDOKS.COM 0.0.0.0 MIRMED.COM 0.0.0.0 MOOSEMUSE.COM 0.0.0.0 MOREPRODUCT.NET 0.0.0.0 MUSEMOOSE.COM 0.0.0.0 NESTRONICS.COM 0.0.0.0 NESTRONICS.NET 0.0.0.0 NOFUN.INFO 0.0.0.0 OIL-GAS-MINERALS.COM 0.0.0.0 OKOSHKA.NET 0.0.0.0 OPTIMUS.BIZ 0.0.0.0 OTKRITKI.NET 0.0.0.0 OTKRITOK.NET 0.0.0.0 PARALLELSIXTY.COM 0.0.0.0 PASSOMONTANO.COM 0.0.0.0 PETROBALT.NET 0.0.0.0 PHARMACY-MD.COM 0.0.0.0 PISKUNOV.NET 0.0.0.0 POIGRAI.INFO 0.0.0.0 PROETCONTRA.ORG 0.0.0.0 PSOLAO.ORG 0.0.0.0 ROSEL.INFO 0.0.0.0 SBTTEL.COM 0.0.0.0 SECONDAPPROACH.COM 0.0.0.0 SMARTSOFTLINE.COM 0.0.0.0 SMESHNOY.COM 0.0.0.0 SQUAREDREAM.COM 0.0.0.0 STROIINFORM.COM 0.0.0.0 STROYBRIGADA.COM 0.0.0.0 TANK-HOBBY.COM 0.0.0.0 TECHNONORDIC.COM 0.0.0.0 TELEUNITED.NET 0.0.0.0 TEPLOCOM.COM 0.0.0.0 THERMOCAUTERY.COM 0.0.0.0 TIARU.COM 0.0.0.0 TRADEFINANS.COM 0.0.0.0 TRADEFINANS.NET 0.0.0.0 TRAININGS-TRIUMPH.ORG 0.0.0.0 TSAR-SUVENIR.COM 0.0.0.0 UEFACUP08.INFO 0.0.0.0 UMNIKSOFT.COM 0.0.0.0 UNDERCOOLED.NET 0.0.0.0 VALIDBIT.COM 0.0.0.0 VERESC.ORG 0.0.0.0 VOROLAIN.COM 0.0.0.0 WHITENIGHTSHOSTELS.COM 0.0.0.0 WORLDFONDS.NET 0.0.0.0 XRUST.NET 0.0.0.0 YAHOCHU.COM 0.0.0.0 Z-GROUP.INFO 0.0.0.0 ZDRAV.INFO 0.0.0.0 ZHESTOV.NET 0.0.0.0 ZOOSPB.COM 0.0.0.0 goldenpiginvest.com 0.0.0.0 goldenpiginvest.net 0.0.0.0 pharmacy-viagra.net # === END OF KNOWN RUSSIAN BUSINESS NETWORK/RBN MAPPINGS + AFFILIATED KNOWN SERVERS === Also - You can (AND SHOULD) verify your HOSTS file location, because it CAN be moved (& some virus/spywares do so, like QHosts) by using regedit.exe & going here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Tcpip\Parameters & checking to see it has NOT been misdirected from C:\WINDOWS\SYSTEM32\DRIVERS\etc (Unless you KNOW that YOU move it, as I do!) I move mine INTENTIONALLY to another disk here that is less used & faster on seeks! That is just so it init.'s faster since the HDD is not contending with other programs loading etc. or data loading etc. - mine's on an SSD (solid-state ramdisk, for access-seek gains for example). ---- FOR FIREWALL BLOCKING RULES (or IE "restricted zones" lists (in IE options), OR possibly IP Security Policies usage): I.P. address block for Russian Business Network: 81.95.144.0/20 #SBL43489 (81.95.144.0 - 81.95.159.255) And the address blocks for its equally corrupt cousins at Intercage, Inhoster, and Nevacon: 85.255.112.0/20 #SBL36702 (85.255.112.0 - 85.255.127.255) 69.50.160.0/19 (69.50.160.0 - 69.50.191.255) 194.146.204.0/22 #SBL51152 (194.146.204.0 - 194.146.207.255) Lastly/Optionally - You should block all IPs starting with these if you do not care about Russia and China: 193. 194. 195. 213. 217. 62.64. 62.76. (AND, A few major Internet providers that provide services to RBN including) Tiscali.uk SBT Telecom Aki Mon Telecom Nevacon LTD Frame Cash 76service Noc4Hosts APK Last edited by APK; 04-07-2008 at 3:50 AM. |
|
|
|
|
03-13-2008, 7:57 AM
|
#34 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Russian Business Network/RBN mappings for HOSTS files, & more
So you all know WHY I put up info. on the "RBN" (Russian Business Network) in my last post above?
Well, I strongly suspect "they're @ it again" & here is why: Cyber-attack launched from 10,000 web pages: http://itnews.com.au/News/71994,cyberattac...-web-pages.aspx "A single entity is likely to be behind this attack, since the malicious code on all these pages came from the same server in China." (AND, the "RBN" is KNOWN to 'hop between' China & Russia regularly, as needed, & I suspect they are the ones behind this, but the article offers NO discrete IP Address ranges or IP's so, we have to wait on the specifics, but it is a GOOD guess based on their prior track record w/ Zlob, which I see nearly every day @ times on the job)... APK Last edited by APK; 04-07-2008 at 3:50 AM. Reason: My 1st post had the IPAddress-To-URL equation in the WRONG ORDER initially, now corrected PLUS some 202, 203, 210-212 octets wrong too, all correct now... apk |
|
|
|
|
03-14-2008, 11:06 AM
|
#35 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Why the SPECIFIC info. on "RBN" (Russian Business Network)?
"New NEWS": Well, it appears I was correct in my "assumption/guess" above (about my suspecting the "RBN being @ it again") 2 posts up, which are NOW verified, per this quote from the above source:
SECOND MASS HACK EXPOSED: http://www.itnews.com.au/News/72214,second...ck-exposed.aspx AND, the source I used for this list: http://ddanchev.blogspot.com/2008/03/more-...ame-attack.html And, the salient portion that notes that my suspicion was correct: "if you look at the IPs used in the IFRAMEs, these are the front-end to rogue anti virus and anti spyware tools that were using RBN's infrastructure before it went dark, and continue using some of the new netblocks acquired by the RBN" So, with that said? Here are those URL's from the list above, albeit altered to 0.0.0.0 equations, for your CUSTOM HOSTS FILE, that shuts out RBN (these appear to be their newly acquired domains list) & the servers they use: START OF LIST TO ADD TO YOUR CUSTOM HOSTS FILE FOR BLOCKING OUT BAD SITEs/ADBANNERS THAT MAY BE INFECTED ETC.: 0.0.0.0 do-t-h-e.com 0.0.0.0 rx-pharmacy.cn 0.0.0.0 m5b.info 0.0.0.0 hotpornotube08.com 0.0.0.0 hot-pornotube-2008.com 0.0.0.0 hot-pornotube08.com 0.0.0.0 adult-tubecodec2008.com 0.0.0.0 adulttubecodec2008.com 0.0.0.0 hot-tubecodec20.com 0.0.0.0 media-tubecodec2008.com 0.0.0.0 porn-tubecodec20.com 0.0.0.0 scanner.spyshredderscanner.com 0.0.0.0 xpantivirus2008.com 0.0.0.0 xpantivirus.com 0.0.0.0 bestsexworld.info 0.0.0.0 requestedlinks.com END OF LIST TO ADD TO YOUR CUSTOM HOSTS FILE FOR BLOCKING OUT BAD SITEs/ADBANNERS THAT MAY BE INFECTED ETC.: FOR THOSE INTERESTED (or, those that need actual IP addresses to add to firewall rules tables OR IE restricted zones etc.), here are the actual IP addresses of the bogus servers: do-t-h-e.com (69.50.167.166) rx-pharmacy.cn (82.103.140.65) m5b.info (124.217.253.6) hotpornotube08.com (206.51.229.67) hot-pornotube-2008.com (206.51.229.67) hot-pornotube08.com (206.51.229.67) adult-tubecodec2008.com (195.93.218.43) adulttubecodec2008.com (195.93.218.43) hot-tubecodec20.com (195.93.218.43) media-tubecodec2008.com (195.93.218.43) porn-tubecodec20.com (195.93.218.43) scanner.spyshredderscanner.com (77.91.229.106) xpantivirus2008.com (69.50.173.10) xpantivirus.com (72.36.198.2) bestsexworld.info (72.232.224.154) requestedlinks.com (216.255.185.82) Also - These you won't be able to block via HOSTS file filtering methods, but still can be blocked via other means (IE restricted zones, firewall rules tables, etc. et al): 89.149.243.201 89.149.243.202 72.232.39.252 195.225.178.21  * Enjoy, stay safe, & keep surfing! APK Last edited by APK; 04-07-2008 at 3:51 AM. |
|
|
|
|
03-18-2008, 5:31 AM
|
#36 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
I was correct that it was the "RBN" @ it again, so, more info.!
The "RBN"'s still @ it (per earlier in this guide/last page)
& Gaining more servers to attack folks with online! (Per my earlier posts on how to add to a HOSTS file & their IP addresses above - this gent is whom I got this info. from & he's a fairly noted security researcher + ontop of them & their activities online it seems, use him for a resource, excellent so far (proved me right in my guess above too, albeit far later than I guessed it was they, lol (pretty obvious if you follow security trends & news though to be honest)): http://ddanchev.blogspot.com/ He has more servers there (updated list is why) vs. my own above... if you're into your online security? Refer to it & add his lists to your HOSTS file too (or, email me for mine to save time if you wish, many have). APK Last edited by APK; 04-07-2008 at 3:51 AM. |
|
|
|
|
03-23-2008, 1:34 PM
|
#37 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Securing Adobe Acrobat Reader .pdf's vs. JavaScript Exploits
For users of Adobe Acrobat Reader (of any version or patch level today - safety hint):
Since it has been attacked so much recently (via its ability to place javascripting into its .pdf document format, & javascript that bears truly "ill will")? Well, update to the latest/greatest version... HOWEVER, if you don't trust that, as I do not, FULLY? (I say this, & simply because browser makers have been trying that left & right since "time immemorial" online, & more of those types of attacks pop up of differing nature that evades new patches vs. it, keep popping up regardless of the patches!) Plus, like I had stated earlier in this guide? I suggested turning off using javascript for EVERY SITE online, in your webbrowser (& only keep it for ones that demand it (or, become useless w/out it, like many shopping &/or banking sites - this lessens the possibility of being poisoned by bad adbanner OR site code & also lessens the attack surface area + limits the possibles to the sites you left javascript on for, ONLY))?? Try this FOR ADOBE ACROBAT READER ALSO: TURN OFF JAVASCRIPT USAGE IN ADOBE ACROBAT READER! Simply to be safe vs. attacks in it that are javascript-based in nature! ---- Use Adobe Acrobat's EDIT menu PREFERENCES submenu Javascript section (in left-hand side column of options) & uncheck "Enable Acrobat Javascript" in the right-hand side option for that. ---- What boggles MY mind, moreso in webbrowsers &/or email programs though (as far as javascript is concerned)? Browser makers are working on speeding up its processing, first, rather than securing its weak/exploitable DOM (document object model) behind it. Speeding up javascript in webbrowser programs, for example? WELL - That's only speeding up how FAST you can be infected by misuse of javascript then, really, & this is all (not good!). (AND, anyone reading here now can simply take a read over @ SECUNIA.COM &/or SECURITYFOCUS.COM & see that a GOOD 95% of today's attacks are hitting users via the indiscriminate use of javascript (misuse of it) on every website they go to). ---- Imo @ least, but, one based on the data in this guide (plus that from security websites I noted above)? Javascript should be turned off by DEFAULT in a webbrowser! Why?? Well, because most times, if a site needs it??? The site errs out & signals the user javascript is required. Turn it on @ that point, IF you absolutely NEED it to be running (& only then, for useful tasks you wish to perform online, such as data access like you see on shopping &/or banking websites) I mean, hey: Even adbanners have been abused this way & proofs of that abound in this guide no less. In fact, when I noted this over @ slashdot? I was "modded down" for it, & just for telling the truth to javascript (& other scripting languages) developers... just for telling the truth! Boggles the mind. Secure that DOM behind javascript first, for security, AND ONLY THEN, work on speeding it up afterwards. That's not how it's being done though, unfortunately. ---- 10 Forces Guiding the Future of Scripting: http://developers.slashdot.org/comme...1&cid=25362703 ---- Another bonus (for speed this time though, not security), also exists in turning off javascript processing in webbrowsers: Speed. I.E.-> You're not using CPU cycles processing scripts that you probably don't actively directly use, yourself (such as ARE needed on e-commerce/shopping + banking websites, where you DO need it mostly to do actual useful tasks), & you're also not "hauling in" data from other servers (slowing you down even moreso, if not compromising your system (such as have been seen the past 4++ yrs. now or so, in bad adbanners that house javascript misuse)) that you don't really need, or want, around on your webpages you view... APK P.S.=> That assures you are "bullet-proofed" vs. Adobe Acrobat malware/bad javascript containing contaminated .pdf documents via bogus javascript in them for exploiting you online today! NOW - the only hassle here is that SOMETIMES, there is so much javascript in them, ADOBE MAY "nag" a lot about it, & should have a feature to turn that off (imo @ least)... So, evidence as to WHY one should do this to Adobe Acrobat Reader (until it's patched vs. this type of thing): Critical Vulnerability In Adobe Reader: http://it.slashdot.org/article.pl?sid=08/11/05/2042211 (Dated 11/06/2008, 8 months after I noted this here no less - if/when Adobe secures THIS particular exploit in their program? Turning off javascript processing (enabled by DEFAULT in that program no less, mind you) can help protect vs. other exploits like this one, in the future, that misuse javascript)... ---- Turning off javascript in this program, & also webbrowsers + email programs simply assures you that you are "bullet-proofed" vs. Adobe Acrobat malware/bad javascript containing contaminated .pdf documents via bogus javascript in them for exploiting you online today! NOW - the only hassle here is that SOMETIMES, there is so much javascript in them, ADOBE MAY "nag" a lot about it, & should have a feature to turn that off (imo @ least)... apk Last edited by APK; 11-06-2008 at 7:52 AM. Reason: Adding in evidence of javascript misuse in Adobe Acrobat Reader (for exploiting vulnerabilities in its DOM to the detriment of end users), which surfaced again 8 months after I posted it here... apk |
|
|
|
|
03-23-2008, 2:15 PM
|
#38 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Add-Remove Control Panel Applet - KNOW YOUR INSTALLED APPS!
USE YOUR "ADD-REMOVE" CONTROL PANEL APPLET!
This is important - as MANY 'malware/trojans' actually DO use since they realize folks do NOT regularly check this area. IF you don't recognize a ware? Look it up on GOOGLE (or altavista/yahoo, etc.) to find out if it is MALWARE or not, &/or IF you need it @ all (if you don't? It's "dead weight" & taking up space on your disks & slowing you down only). APK Last edited by APK; 04-07-2008 at 3:53 AM. |
|
|
|
|
03-23-2008, 4:52 PM
|
#39 |
|
Xtreme Owner & Admin
|
Nicely done APK
__________________
-Mntsnow- Live & Enjoy Life like there is no tomorrow! |
|
|
|
|
03-23-2008, 10:37 PM
|
#40 | |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Thank you
Quote:
I'd say the same to you, OR, anyone who does so... because WHO gets the TRUE GAINS here, in doing that?? Well... YOU DO, in that you get to surf safer online, AND F A S T E R as well, as a nice "side-effect"/bonus! APK |
|
|
|
|
|
03-31-2008, 3:47 PM
|
#41 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
SECURE TELNET SERVICES + Telnet Groups/Users also... apk
SECURING THE TELNET SERVICE & USER GROUPS:
And, a Mr. Markuss Jansson on his point on TELNET service (tlntsrv.exe iirc). http://www.markusjansson.net/exp.html Turn Telnet NTLM logings off -> Run: telnet.exe --> Type (and press enter): unset ntlm He also has more on things like "EFS" (encrypting filesystem) which I omitted, & both Mr. J.'s site & the GOVERNMENT ones I note, also cover it too (or, supplement points I made with more alternatives etc.). APK P.S.=> I list MORE security techniques for securing telnet, here (did this years ago circa 1997-2002, & it's cited in 2001 here @ Neowin, by searching TELNET on that page) to supplement this technique: ================================= APK "A to Z" Internet Speedup & Security Text! ================================= http://www.neowin.net/news/main/01/1...-security-text ================================= Which goes into that point on TELNET & many others (including more speed tuneups, services cutoffs for speed + security in DETAIL & far more also to supplement this post here)... apk Last edited by APK; 04-07-2008 at 3:54 AM. |
|
|
|
|
03-31-2008, 6:16 PM
|
#42 |
|
XPC's Mac Guy
|
I'm lost... what exactly are you doing in this ongoing thread?
Whatever it is, it sure makes me glad to own a Mac! But still, I would be curious to know what is up the IPs and stuff your posting
|
|
|
|
|
03-31-2008, 8:07 PM
|
#43 | |||
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Quote:
Quote:
QUESTION: Do MacOS X webbrowsers support javascript & iframes? How about javascript in Adobe Acrobat .pdf documents?? If so - you're not 100% safe man! HOWEVER, because you run a Mac? Well, you do have 1 "advantage" though: It's called "SECURITY by OBSCURITY"... Which simply means that since there are LESS Mac users out there, you have FAR LESS CHANCE of being attacked (for now @ least)! See - virus/spyware/malware/trojan/rootkit creators, today, aren't interested as much in just "raising hell" or knocking your system offline. They are AFTER MONIES! So, think about this - IF you were say, a writer of these machinations, & after making a buck from the doing of it, wouldn't YOU chase after the LARGEST BLOCK OF USERS (potential victims in other words) POSSIBLE? Sure you would... & who are those folks? Windows users! (The ones I am trying to help out, via this post's points, ontop of those from CIS Tool). Quote:
Most folks can literally "Cut & Paste" the lists I put up above (using what is in between the dotted/dashed lines around said IP Address/URL equations) by inserting it into your HOSTS file (& yes, even Macs have those, & in fact, are based on the OS that had them first iirc, in BSD, which is where MS got their IP stack from in fact (it IS, the "best in the business" from the BSD folks)). The "RBN" = "The Russian Business Network"... they're a criminal organization that is KNOWN to hop between Russia & China, as needed, to attempt to rob others online (or, worse). Look them up on GOOGLE or ALTAVISTA - you'll see what I mean (they've been @ it for years, & are the source of many attacks inclusive of those generated by WEB BROWSERS that use JavaScript/IFrames/Adobe & more) APK Last edited by APK; 04-07-2008 at 4:08 AM. |
|||
|
|
|
|
03-31-2008, 9:47 PM
|
#44 |
|
XPC's Mac Guy
|
OK Yeah, I think I've heard of them before. I'll check it out. Thanks for the info.
PS: My dad has run a Mac since day 1, never had a virus, never had spyware, nothing, nada. I bought a PC and in 3 days of normal, everyday surfing I had 300 and some virus/trojans/spyware, etc. I think I'm pretty much safe but I'll be sure to post if I do get something and you guys can rub it in my face! |
|
|
|
|
04-01-2008, 5:43 AM
|
#45 | |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Quote:
Mac's are NOT "110% bulletproof" by design... & their default security policy is NOT as "strong" as it could & SHOULD be either (same with most any BSD variant ancestor of theirs as well). It's only REALLY the fact that they are less utilized than Windows PC's are, that keeps them safe from groups like the RBN & others (out to steal your money, not just screwup your rig), since Macs are less used, they have "security-by-obscurity"... people like that write their exploits once, to attack the biggest block of users they can in other words & that's Windows users! APK P.S.=> Question: Webbrowsers on MacOS X (such as Opera, IE, FireFox/Mozilla, & Safari)... they use javascript &/or IFrames, right? Do you think that since they do, they are IMMUNE to attacks via those 2 "features" in a modern webbrowser program?? apk |
|
|
|
|
|
04-01-2008, 6:22 AM
|
#46 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
MacGuy: This illustrates my point... VERY current
Apple's Security Patch Process Gets Worse While Microsoft's Gets Better
http://www.informationweek.com/news/...d=nl_IWK_daily Swiss researchers suggest that the revived popularity of Apple's products may have left the company unable to keep up with security risks. By Thomas Claburn InformationWeek March 31, 2008 05:00 PM Apple has been getting worse at dealing with security vulnerabilities while Microsoft has been getting better, according to a research paper published by Swiss security researchers. In "0-Day Patch Exposing Vendors (In)security Performance," presented last week at the Black Hat conference in Amsterdam, Stefan Frei, Bernhard Tellenbach, and Bernhard Plattner of the Computer Engineering and Networks Laboratory at the Swiss Federal Institute of Technology analyzed Apple's and Microsoft's security practices over the past six years and found that Microsoft has been getting better at responding to security issues while Apple has been getting worse. During the period studied, between 2002 and 2007, Microsoft had 658 high- and medium-risk vulnerabilities, compared with 738 for Apple, the paper says. The revived popularity of Apple's products, the researchers suggest, may have left Apple unable to keep up. "Comparing the number of unpatched vulnerabilities per vendor for the period since January 2002 we observe a striking difference between Microsoft and Apple," the report says. "On average, Microsoft succeeds to keep the average number of unpatched vulnerabilities below 20 at a steady number. On the opposite, Apple seems unable to stabilize the number of unpatched vulnerabilities in recent years. We observe a steady increase in recent years for Apple. It seams [sic] that Apple's security processes and resources cannot cope with the side-effects of the increased popularity of their products." ----- As you can see, NOW THAT MacOS X is gaining in popularity? It is getting tougher for the Apple folks to keep up on patches... if it keeps getting more popular? The "security-by-obscurity" effect & illusion of safety on a Mac gets less & less... Illustrating my point. APK P.S.=> Again/also: IF you'd like a list of current Apple flaws for security. see here: http://secunia.com/product/96/?task=statistics_2008 116 security advisories exist for Apple MacOS X, this year alone... apk Last edited by APK; 04-01-2008 at 6:44 AM. |
|
|
|
|
04-07-2008, 3:55 AM
|
#47 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
"Checks & Balances" time + evidences of accuracy, etc./et al
"Checks & Balances" (accuracy check of this article by "pros" (still, test for yourselves, because a simple certification doesn't a security-pro make)), Part 1
I also "took the liberty" of contacting a "security-pro" (in Don Parker of "SecurityFocus.com" fame)! This is in regards to my outline/article/guide here, & here were HIS thoughts/opinions on its content @ this point: ********** Hello apk, I don't see any real downsides to what you posted. The only thing is that you need to remember the audience that it is you are trying to reach. If your goal was to hit the newbies as it were then you may have missed the mark a bit. Beyond that, it looks fine to me. --Don ********** That's so you guys all reading here have SOME idea this stuff is SOLID, & works, & 'passes muster' with the "top geeks" (lol, no offense intended, but lacking a better expression here is all - because mere certifications do NOT an 'expert make', as in the fellow I note above, because iirc, that is ALL he has going for him afaik & to myself @ least? THIS IS NOT ENOUGH, certs are not the same as full degrees, & not by a LONG shot in this field) in the arena of computer security! So, test for yourselves, via CIS Tool - to be sure... -------------- Also - Do please check this page out, for even more security points: http://csrc.nist.gov/itsec/download_WinXP_Home.html Especially the downloadable guide for security there to supplement this one's points, it is named -> SP800-69.pdf ---- The PDF file guide above from NIST (in association w/ the U.S. Gov't. on securing PC's no less), like my guide here also? That also lists a "6.32 Removing Malware" section as well! So, that is in response to 'my naysayers' from various forums that cricized me for listing such a guide here! (In fact, many of them were MS-MVP mods too no less, but many on many forums would NOT cite "why" or yield specifics I asked for as to WHY I SHOULD NOT LIST SUCH A GUIDE in this article's content... well, experts in this area appear to agree with myself, as it IS part of "securing a computer" in knowing HOW TO REMOVE INFESTATIONS, as I do, like THEY do as well!) Anyhow/anyways - The .pdf guide from NIST either tend to reinforce my own, OR, go beyond in some cases! E.G.->
That's for some things I did not cover well imo, here (OR RATHER, well enough earlier), & to supplement my guide (both have good ideas & they both work). APK Last edited by APK; 05-22-2008 at 10:32 PM. |
|
|
|
|
04-07-2008, 3:57 AM
|
#48 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
"Checks & Balances" + evidences of effectiveness (part deux)
http://img297.imageshack.us/img297/2240/52041100vo6.png
 That's an example of where your score (for users on Windows XP SP #2 no less fully hotfix patched as of this date) can be @ scoring-wise, on the CIS Tool benchmark test gauge of Windows Security, after following its suggestions for security-hardening your systems. A 90.112 score... & that was AlexStarFire's score from the 3dguru.com forums, once he applied it to his home system ("stand-alone", non-HOME or WORK-LAN system, online on the public internet), which is way, Way, WAY up from its initial default score of 46.xxx/100... * Here is an example of a user named Thronka, who employed it to security-harden the endpoints on his LAN/WAN setup @ work, who is also enjoying it successfully as well, albeit this time, in a BUSINESS environs (as I have it as well, for both HOME standalone machine online today, & also on the job): http://www.xtremepccentral.com/forum...ad.php?t=28430 APK P.S.=> I hope you guys also employ it thus as well - it starts with reaching just 1 person, & then, by example? Others start to apply it also, & then things start to change "for the better", because by securing yourself, & maybe even setting up your pals & families machines' this way? You lessen the possibility of "spreading the diseases" out there online today... apk |
|
|
|
|
04-07-2008, 3:57 AM
|
#49 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
CONCLUSION: Done, @ LAST (imo, so far @ least)
I spoke too soon, found MORE STUFF today (especially for those of you that utilize a CUSTOM HOSTS FILE for BOTH speed & SECURITY)... see below!
APK Last edited by APK; 05-17-2008 at 7:52 PM. |
|
|
|
|
04-07-2008, 10:37 AM
|
#50 |
|
With XPC Since 2003!
|
APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures.
Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS! Only time I have done anything was to remove the hdd and image over to a new one because the hdd was dying.
__________________
One guy said drugs will intensify your personality. To that I said "Yes, but what if your a moron?" |
|
|
|
|
04-07-2008, 12:00 PM
|
#51 | ||||
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Hey "T- man", nice to see you again & also for the "good news" on your end too!
Quote:
----- Quote:
NEW BOTNET DWARFS STORM: http://it.slashdot.org/it/08/04/07/1421228.shtml IS out there, right now in fact! (& has even "busted its way into" 50 'Fortune 500's' out there... lol, man: A REAL TESTAMENT to "network admins/engineers/techs NOT doing their jobs" imo, or that they're just "paper MCSE's" (hate to say that, but I think YOU know how THAT goes & have seen it yourself in others in our field too)... or, just POSSIBLY, the fact they're overworked (& what-not, w/ downsizing + outsourcing in our field etc. et al)). PLUS - you have the "RBN" (Russian Business Network) out here today wreaking havoc too (I actually posted this guide on 1 site I KNOW they operate out of, & they burnt it, lol... & another, they still leave it on though, I wonder why).. Personally? I wager it's RBN behind this new botnet too... just on a hunch, but, my hunches so far, per the above?? HAVE proven correct so far (just lucky on my part I think though). ----- Quote:
Been running my system this way, as this guide notes, for almost 7 yrs. now & NO hassles (this has allowed me to build a truly GREAT system, fully customized & performance tuned + SECURITY HARDENED). Best of ALL possible worlds: F A S T E R, & far more secure too! ----- Quote:
You can BUILD on a system that "stands the test of time" (&, attacks!) * ENJOY MAN, you deserve it... especially for your contributions to this thread! APK P.S.=> I've actually contemplated starting a small business based on this post's concepts in fact... you never know, mainly because of this: http://www.itpro.co.uk/information-m...e-attacks.html Security? It's BIG NEWS today, & a BIG TREND in business + home environs (not just computers either as I am certain you know)... it's a 'crazy-world' out here today, & "we're the sane ones in it", imo @ least, by doing what this guide entails! (I actually had people COMPLAIN about this post on other forums, "english grammar/writing style" stuff only though - off topic, as this is NOT about getting a grade in English class, but securing your system - was tough to believe, but... you can lead a horse to water, but, can you make him drink it?)... apk |
||||
|
|
|
|
04-30-2008, 1:36 PM
|
#52 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Applications Level Security Testing Tools List
More security tools/info. (04/28/2008), for APPLICATION LEVEL SECURITY:
(I.E.-> For checking for apps you have that may be security vulnerable OR have been patched vs. said vulnerabilities, etc.): ---- SECUNIA PSI (checks for outdated OR apps that are known to be insecure):  https://psi.secunia.com/ NEW VERSION (released very recently too). A good program, by a trusted & WELL-KNOWN security-oriented website online (I tried version 1 earlier on last year, it needed work. This one is solid though, so far @ least, imo!) (It works, & sometimes catches things FILEHIPPO UPDATE CHECKER below, won't - good "2nd Doctor's opinion" etc.) ---- FileHippo's Update Checker (checks for outdated OR apps that are known to be insecure, supplement's PSI above):  http://filehippo.com/updatechecker/ Decent program as well, & good to use as a supplement to the SECUNIA PSI Tool as well (from a well-known file downloads site also in filehippo). (It works, & sometimes catches things SECUNIA PSI above, won't - good "2nd Doctor's opinion" etc.) ---- Windows Vulnerability Scanner:  http://www.pspl.com/download/winvulscan.htm Nice program for checking Microsoft Operating Systems &/or Ms-Office versions vs. missing security patches, & it works, very well! ---- APK Registry Cleaning Engine 2002++ SR-7:  http://www1.techpowerup.com//downloa...oglehappy.html * Yes, "shameless plug" on MY part on the last one, but, it does have "security benefits"... (& more than potentially useful forensics ones, because it shows you what files a user calls upon via its lists (it does check recently used filelists, but, will also list those files the user attempted to delete (this assumes he may have been attempting to hide them)))... it is 100% proven SAFE on all 32-bit versions of Windows (see its description & feedback by users on the download page) 9x-VISTA as well)). APK |
|
|
|
|
04-30-2008, 5:45 PM
|
#54 | |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Quote:
* Analogs exist for them too, so, if you guys know of any GOOD ones? Well, have @ it, & SHARE your experiences w/ tools of this nature (per the screenshots of ones I posted above)... & Thanks! APK |
|
|
|
|
|
05-17-2008, 7:48 PM
|
#55 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Great Source for data for a CUSTOM HOSTS FILE!
A great site that Mr. Dancho Danchev "turned me onto", for making additions to your CUSTOM HOSTS FILE (mentioned earlier on in this guide in STEP # 5) via his security blog... here:
http://mtc.sri.com/ Why? Well - it keeps an updated listing of sites & servers that are KNOWN TO BE MALICIOUS! APK Last edited by APK; 05-17-2008 at 7:54 PM. |
|
|
|
|
05-17-2008, 7:53 PM
|
#56 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Conclusion (spoke TOO SOON above, lol), but now? I think it's done, @ last... for now
To all interested/reading:
I think this is it guys, I know of NO MORE to secure a Windows System... & again - IF any of you have ponits to add, please do so, but, I only ask that you keep it @ a technical computer security level (per my 1st initial post here's "P.S." section @ its termination). * Where are my manners? MODS/ADMINS: Thanks for making it a "5 star guide" here folks... ... &, enjoy a F A S T E R, and S A F E R online experience via this guide, by all means! (15 times now, in 5 months online (since Dec 2007 to date of this post), this post has been made either an "ESSENTIAL GUIDE", or "STICKY/PINNED THREAD", or was rated 5/5 stars etc) ... Good to see, it must be working for folks (& that's all a guy could hope for! Especially myself this year, as my "New Year's Resolution" was "DO A GOOD DEED" (& imo @ least, this qualifies)) * So.... that all "said & aside" - ENJOY A FASTER & SAFER Windows based system of modern variety (2000/XP/Server 2003 & even VISTA) online today (especially TODAY!)... APK P.S.=> Don't miss the post above this one either, I JUST ADDED IT TODAY (date of this post 05/17/2008) & it's "great stuff" for a reference that is REGULARLY UPDATED, especially for those of you that maintain a CUSTOM HOSTS FILE for both speed, & SECURITY, especially online today (in the "era of the poisoned DNS server, bogus site javascripts, & IFrame attacks + bum adbanners too")... apk Last edited by APK; 05-17-2008 at 11:47 PM. |
|
|
|
|
07-03-2008, 2:15 PM
|
#57 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
APK Hosts File Grinder 4.0++
For those of you interested in using custom HOSTS files (for BOTH added security & added speed online)?
"APK Hosts File Grinder 4.0++" http://www.thenewtech.com/forums/chi...8/index33.html ---- The application above has been built by myself, for folks just like YOU, & of course, myself! ---- It allows you the end-user, the ability to:
It has allowed me to: A.) Take valid HOSTS file data EVERY known & respected HOSTS file there is (noted from the wikipedia link above, & also from SRI, Shadowserver, Dancho Dancheve's Blog, SpyBot S&D, Spamhaus, Phishtank, + others also, such as my own research into this area), & integrate them FIRST into a HUGE 20mb file, & then via normalization, reducing its size to 12mb on disk (removing repeats which they will have between one another & sometimes inside of themselves even), reduce its size that way (1/2 the intial size almost from all that date), first... B.) It has also made a 12mb SUPER-COMPREHENSIVE custom HOSTS file out of an intially 20++ mb sized one, from the sources above... allowing the SAME function as they offer (because their HOSTS FILES' many times using 127.0.0.1, or, 0.0.0.0 formats, instead into a MORE EFFICIENT ONE, of 0<singlespace>URL<cr+lf>)... thus, MASSIVELY reducing its size on disk & in RAM once loaded into your local DNS cache, yet offering the SAME function! C.) Create a CUSTOM HOSTS FILE loaded with FULLY alphabetized entries into your HOSTS file (so it is easy to search thru, even via notepad.exe). ----- * It can do the same for you as well, should you be interested in such a tool... if you are? Email me, here: apk4776239@hotmail.com APK P.S.=> General statistics on its, while in operation: 700k-5900k memory occupancy prior to load of HOSTS file data... ( & up to 167mb IF a "huge" hosts file (like 1 million++ line entries) is used) Its runtimes (noted above) will vary, depending on the size of the HOSTS file being processed (should NOT exceed 3 hrs (&, for most folks, since they do NOT have files of such size in their HOSTS file? Heh, it will be the "blink of an eye" on most all sections (scrub, add/remove entries - validate entries, normalization-removal of repeated items, & save to disk) up to 2 minutes or so) PLUS - It was built in the MOST efficient & fastest code combination I know of (Borland Delphi 7.x, Win32 API, & Inline Assembler code) (Especially for this type of string processing (of which Delphi alone in math & strings often MORE THAN DOUBLED (sometimes, tripled) the speed of both MSVB & MSVC++ in, in (of all places) Visual Basic Programmer's Journal Sept./Oct. 1997 issue "INSIDE THE VB COMPILER" issue)) + A truly "SUPER-EFFICIENT" algorithm, on each area of processing (especially normalization, taken down from DAYS time over 1 million++ records, to only 3 hours time max, if no repeats exist... if repeats? Far, FAR faster!) Which speaks worlds alone right there... this app makes FAR shorter work of this, than does using ping.exe (for speedup of sites), MsAccess (via SQL Select Distinct queries work, & the potential import/export hassles it can have (leaving trailing spaces &/or quotes for example, bloating files on export)), & notepad.exe (good luck normalizing one using its Edit-Replace menus is all I can say... especially IF you have a BIG hosts file)... apk
__________________
"I'm here to help you, I'm Reese: Sgt. TechComVN38416 (assigned to protect you) - You've been TARGETTED FOR TERMINATION!" Last edited by APK; 07-14-2008 at 11:33 PM. |
|
|
|
|
07-14-2008, 5:27 PM
|
#58 |
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
YET ANOTHER REASON TO LIMIT USAGE OF JAVA/JAVASCRIPT, etc.
Researcher to demonstrate attack code for Intel chips:
http://www.infoworld.com/article/08/...l_chips_1.html SALIENT/PERTINENT EXCERPT: ---------------------------------------------------- "Kaspersky says CPU bugs are a growing threat, with malware being written that targets these vulnerabilities... Security researcher and author Kris Kaspersky plans to demonstrate how an attacker can target flaws in Intel's microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of what operating system the computer is running." ---------------------------------------------------- * Now can anyone see WHY I recommended turning off Java/Javascript (& other browser addons/extension languages) for "every site you use under the sun" + IFrames etc.? Personally, this one's pretty bad, worse than what is out there/here now, worse than rootkits even in some ways... However, I also think worse are on the way even moreso... (... & I mentioned the architecture they could possibly use, quite "terminator-like", for rootkit delivery systems & such here earlier. Especially ones that can flash your BIOS, &/or other updateable PROMS (mainly because if usermode tools from vendors like ASUS + GIGABYTE & doubtless others can do it, from inside Windows, so can malwares & same way (via drivers & bios img files)) APK P.S.=> There are more examples inside this guide, & of this SAME type of idea (crank off the java/javascript etc. et al & ONLY keep it active on sites you ABSOLUTELY need it for, to have the site function properly - lessening your potentially attackable surface online basically).. heck, even adbanners have exploits of this nature in them lately... The examples I put in this guide ARE far older too, dating back 1-3 yrs. but the point is only here, again, & moreso (far more dangerous this time, imo @ least)... apk
__________________
"I'm here to help you, I'm Reese: Sgt. TechComVN38416 (assigned to protect you) - You've been TARGETTED FOR TERMINATION!" Last edited by APK; 07-14-2008 at 10:26 PM. Reason: Adding detail, & mention of even worse possible threat architecture (from earlier in this thread)... apk |
|
|
|
|
07-14-2008, 9:30 PM
|
#59 |
|
With XPC Since 2003!
|
I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual.
Now I don't recommend this for the average joe, but it if can work for a kids PC it can work for anything! Now, i substituted OpenDNS and activated the Adult Content filter with them for this kids computer. I know its not perfect, but will catch over 99.5% of said sites. APK, I am going to try some of these ideas, with another OS (aka Solaris) and see how well this goes. If I find soemthign worth knwoing with that OS, I will let you know.
__________________
One guy said drugs will intensify your personality. To that I said "Yes, but what if your a moron?" |
|
|
|
|
07-14-2008, 10:52 PM
|
#60 | |||||
|
The Duke of URL
Join Date: Dec 2007
Location: In a discrete point in the Space-Time Continuum
Posts: 90
iTrader: (0)
|
Hey Thronka, long time no see, but new stuff here now too...
"HUGE REPLY" (You might want to read a few of the posts since you last replied, decent info. in them, imo @ least - I have added a couple, one MAY 'pique your interest', or not... see my p.s. @ the end, if your eyes don't fall outta the sockets reading this reply, lol!)
Here goes: Quote:
... &, I know: Same result(s) has/have 'gone down' here too, w/ testers AND customers of mine... I.E.-> Folks get this ONCE, they never need to call back. (Sometimes, I have to 'iron-out' some HOSTS file stuff, but once they know how to edit it themselves, which they see me do? They can read, learn, & understand it everytime, easily... after all, anyone can use notepad.exe + directions in one!) ----- NOW, back on track - adults? Especially YOUNG adults?? They're worse... I would think so @ least, based on testing of my own w/ folks (teens thru 30's ages), thusfar. Why? Well, to be BLUNT about it??? Ahem - Well... Folks like "Pr0n" & that is "terminator-ville" for their systems, eventually (for those that D/L .exe files & such from them that is - & let's face it, folks DO). I know this, & for a fact (well, from a small sampleset of data, but... point's there, especially about "human nature"), I have a tester who KNOWS how he hosed himself recently, & same way... .exe off a pr0n site. So... His using the MALWARE REMOVAL SECTION in this thread??? He knows how to clean himself, & NEARLY everytime now, himself... if not eventually to do so & He is becoming QUITE "expert" @ using Process Explorer even... 'creatively' no less imo! E.G.-> He's using its 'suspend' &/or restart features like a pro @ this point... he's NO 'computer-jock' either, just a guy! Although, an avidly INTERESTED one (makes ALL the diff. imo). Quote:
I would... & heck, if I wrecked things my parents worked for, or had others do so? Kids DO respect their parents monies, time, & work, largely... I would hope @ least. (In fact, bit "off-topic"? I had that happen in gradeschool, got in my first fight, lol, & knocked around 3-4 kids who broke the glasses my parents worked hard for... they ended up bleeding & crying, bigtime - because I respected my parents') Anyhow... My tester's experience simply proves that folks CAN learn & moreso, understand the principals... this stuff is NOT "rocket-science", by any means... there is far more difficult stuff in this field than understanding IP & threats online in other words, & this level of know-how is NOT "unlearnable", even by 'normal folks'... Especially IF they're interested! Speaking from my perspective, once you "get into this" side of this field? It's cool stuff... fun, too! ----- NOW - I have QUITE recently seen a 'trend' towards "running naked" as it is called lately! ('Streaking' lol, the oldsters here will know what THAT is)... That's the term being used lately/apparently, for running w/out protection, period, online (well not completely, read on)... NOW - I have actually done it, successfully for months now (no antispyware/no antivirus - only firewalls in software + hardware & other stuff in this thread)... completely CLEAN still... So... Do I knock folks "going naked" lately?? No, not if they do something even CLOSE to what this guide largely entails... not even ALL of it, but 90% would do it I think! I think you can STAY COMPLETELY CLEAN, just by using the right HOSTS file alone I think & hardware + firewall software layered (& other stuff I mention here in fact). Do I keep antivirus/antispyware online? YES - for manual scans, only (once I update them). Do I "run them resident" (drivers + polling trayicon apps, etc.? NO, not anymore - call it "experimentation"). ----- Of course - folks do NOT always want to KNOW how to "do it themselves" & can afford to toss $150++/hr. for this type of work (or more)! Hey - I know, I've billed that kind of hourly before, for work of this nature (even less work to be blunt about it, far less, for FAR more than that U.S. Dollar amount above). There are times I don't do my own oilchanges or cash washes even... no energy etc. & I pay others... you know? That happens too... Quote:
----- Heck, I had "known security gurus" & others 'into' this area tell me that I "may have missed the mark" bringing this type of thing to "ordinary users", but... That said & aside... well, that does NOT seem to be the case, judging by the results you are seeing, that I myself see & enjoy, & others that have tried this too! (Where the "experts" (for whatever that term means, purely relative) go wrong here, imo? Is that THEY (experts) ALREADY largely know & practice MUCH of this, if not ALL of it... it's folks that do NOT know about this level of securing themselves, that need to... this provides that opportunity I suppose for they) Then again, I'd wager based on what my main tester told me, this is true: "You're giving away their 'trade secrets', they'll try to stop you doing this or showing others how to, because it's their monies on the line'... this? I do NOT doubt, for 1 second... strongly based on YOUR results on this "kids machine" you noted as your latest example, in fact. ----- However, lol, again: I still think ADULTS would be worse, bending rules & what not (far worse than little kids, 2-10 e.g., would be imo)... but, depends on the age of the kids I would guess... teens would be worst imo, but again, what do I know about children? Quote:
Quote:
Icing on THAT "industry best practices" cake... & your results on your business networks, home PC's, & client rigs + even kids machine now??? Just more SOLID proof this method & set of tools etc. et al, work... good to see, & good to see you using it creatively too! APK P.S.=> Now, I consider you a LOT more "tech saavy" @ this point, than "avg. joe" as you term the phrase... & what MIGHT 'interest you some'?? Is that new HOSTS machine/engine I built above... if you have time, take a read, etc. & if you want a copy? Email is the way... apk
__________________
"I'm here to help you, I'm Reese: Sgt. TechComVN38416 (assigned to protect you) - You've been TARGETTED FOR TERMINATION!" Last edited by APK; 07-16-2008 at 6:44 AM. |
|||||
|
|
|
|
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
