A Hardware and Software Firewall Combination (I got Hacked!)

Hi People,

I was hacked last week for the first time (that I know of) despite my "secure" system.

I was using Windows firewall. I had disabled many unneeded XP services. I had a Belkin router, an F5D7230-4 model.

I was in a chatroom where some people were talking about hacking in a friendly way and I asked if anyone would like to try hacking me. I asked in a friendly way and asked that if anyone had success that they let me know how they did it so I could secure my system better.

Well someone did it and left me a note in a txt document to prove it but they didn't say HOW they did it. And no one would admit to doing it when I asked. They did not do any damage to my data that I am aware of.

So.

I reformatted and reinstalled Windows XP Pro, four times actually.

I installed Zone Alarm Pro although I'm not sure that I have it optimally configured.

I installed Avast antivirus although I'm not sure that I have it optimally configured either.

I installed The Cleaner by Moosoft, which comes with "TC Active", a trojan scanner which also monitors live processes for Trojans/Worms and other malicious programs and kills them before they do damage, and "TCMonitor", which keeps track of Registry keys, files and folders and alerts to any changes.

I installed Tauscan, another trojan cleaner that comes with TC Monitor.

Basically I don't really know what I am doing. I'll say it again to ward off flames etc. I don't really know what I am doing.

So I bought a "better" wireless router - a Linksys Wireless-G (WRV54G) with VPN! - but after installing it I failed some online port scans at GRC.com and in addition the tech support guy trying to help me didn't really know what he was saying. After an afternoon of trying to configure it to work with my software firewall I gave up and reverted to the Belkin and Zone Alarm Pro etc.

So my question is this: What is a good hardware firewall in the under $200.00 range and a good software firewall to go with it? How might I best configure this combo? Any comments would be greatly appreciated.

Thanks, Matt

PS: Please reply in this group so that others may benefit as well.

Reply to
matt3000

Let me guess: It was a website chat and you've been using MSIE. Or it was Java-based and you had an outdated version of J2SE installed? Or it was IRC and you were using mIRC? Or any kind of Instant Messaging and you've been using ICQ/Lite, AIM or Windows/MSN Messenger?

Or you're running various software downloaded from P2P networks?

No firewall could protect against such stupidities.

Reply to
Sebastian Gottschalk

GREAT Guessing Seb!

Umm, it was Yahoo Messenger Chat using YahElite, I was and am using Firefox, I have the latest Java update (1.5.06). My software is all legit, I don't use peer to peer networks and I did not go to any hostile websites.

THANK YOU for all your helpful assumptions, you helped me greatly.

Reply to
matt3000

I have said this to many people over the years. No matter how well your system is protected there is, and always will be, someone out there who can get in. There is no such thing on this Earth as a 100% totally protected computer. Never ask anyone to hack into your PC; it just may be someone who can do it and really F*** things up for you, for example personal data loss, account name records and the suchlike. And if anyone says it can't be done then go tell that to the American secret services and how they got hacked. That's just one name for starters. It's not the first time that the American defence got hacked. So it won't be too much effort for someone to get into a home PC or even a work's PC.

Reply to
Wolfgang Fartbubble

I don't know this piece of software that well, but this could be the source of the problem.

Yeah, super-old 1.5.0.7. Right before the recent release of 2.0 the most-up-to-date version was 1.5.0.8. (I admit, the Mozilla website is always behind.)

The latest version of Sun Java J2SE is 1.5.09. However, I'm not aware of serious and easily exploitable vulnerabilities since 1.5.05.

Well, you could have provided some more details like a network capture of the "attack", a system log as well as an audit log on the relevant files/directories... until then, I have to rely on my magic 8-ball.

Reply to
Sebastian Gottschalk

Well, but you do understand the difference between random errors and systematic errors?

F.e.: I once had a computer hijacked because of a privilege escalation. The problem was a full Everyone-FullAccess ACL on %windir%. How did that happen? We found out that after some crash, ChkDsk found these ACLs broken and replaced them. Normally a weekly scheduled scan would have picked up these errors, but the attack came at just about the worst moment: right after the scan.

Now this is a random error. Without the error, the system would have been systematically secure.

Bullshit.

That's an easy case: ignorance and lack of proper auditing.

Reply to
Sebastian Gottschalk
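The check that story calls for, as an added example that is not part of the thread: a PowerShell pass over %windir% and a few of its subdirectories that reports any allow ACE granting a broad identity (Everyone, Users, Authenticated Users, INTERACTIVE) write-class rights. The identity list and target paths are choices made here, and the script assumes a current Windows with PowerShell 5 or later (Matt's XP box predates it); on a stock install the result should be empty, since Users normally hold only Read & execute on these paths.

```powershell
# Added example, not from the thread: find broad write/FullControl grants on system paths,
# the ACL damage described above. Identity list and target paths are assumptions.
$BroadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a non-admin replace or plant a binary that a privileged process will load.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-WeakAce {
    # Returns one object per allow ACE on $Path that gives a broad identity a dangerous right.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $DangerousRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# %windir% itself plus the places where a planted file is loaded with high privilege.
$targets = @(
    $env:windir,
    "$env:windir\System32",
    "$env:windir\System32\drivers",
    "$env:windir\Tasks"
)

$weak = $targets |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-WeakAce -Path $_ }

if ($weak) {
    Write-Warning 'Broad write access found on system paths:'
    $weak | Format-Table -AutoSize
} else {
    "No broad write access found on: $($targets -join ', ')"
}
```

Run it from a scheduled task that logs its output rather than once by hand; the point of the story is that a one-off scan leaves a window, and an unexpected "Inherited = False" grant on %windir% is exactly the kind of line you want in a log you can read after the fact.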

On the brighter side, you are not alone.

The IM worms armada

Ron :)

Reply to
Ron Lopshire

Gottschalk..

First of all please read my ORIGINAL post more carefully.

I stated: "Basically I don't really know what I am doing. I'll say it again to ward off flames etc. I don't really know what I am doing."

I also stated that I reformatted 4 times. Do you think I have log files etc?

Once again, I stated that "Basically I don't really know what I am doing. I'll say it again to ward off flames etc. I don't really know what I am doing."

I see that you know a thing or two about firewalls but do you know how to READ? Being critical of someone that knows less than you, and openly admits it is not such a good thing.

I ask if you read my post because I DID NOT ASK anything about how I got hacked, I KNEW the logs etc were gone. As far as your magic 8 ball, try responding to what I actually ASKED and you won't need it. Audit log? Huh? Do "Audit logs" survive 4 reformats, should I UNDELETE with file recovery software? I'm being sarcastic because these are not things I am asking for help with.

All I am asking is this - What is a good hardware firewall in the under $200.00 range and a good software firewall to go with it? How might I best configure this combo?

Let me restate my question:

What is a good hardware firewall in the under $200.00 range and a good software firewall to go with it? How might I best configure this combo?

Gottschalk - Your original reply was insulting and subsequent posts were not much better. You know more than me about firewalls. If you would like to be helpful please answer the question or please keep your peace.

What is a good hardware firewall in the under $200.00 range and a good software firewall to go with it? How might I best configure this combo?

Thanks, Matt

PS: The people I asked to hack me are good people. They did no damage and they are just messing with me by not telling me how they did it. They said they will tell me on Nov 1st after I figure some things out for myself. I knew they were not bad people and the PC that they hacked into didn't have anything worth losing anyway. I was intentionally testing my security and now I am attempting to better my security, hardware and software firewalls first.

PPS: The info on latest versions was helpful even though I didn't request it.

Reply to
matt3000

In the last three years of working with a Sorority, the only method that's compromised their machines has been from AOL IM, Yahoo IM, and MSN IM. Also, of all the machines that were compromised, all were running updated and active AVG.

Each user reported that they got a link/file from someone in IM that they knew, and they opened/ran the link/file and that's when it went bad.

Reply to
Leythos

Yea, I always use Firefox and I did not go to any malicious websites. I tend to underplay what I know but I did state that I use Firefox and that I didn't go to any malicious websites in an earlier post in this thread. It WAS freaky to learn of infectious jpgs though, I first heard of that a few weeks ago. It seems that one must be otherwise infected and unpatched in order for it to work but given that I use Firefox (and now I'm looking for version 2.0) I wasn't unduly concerned and didn't look into it too much further.

Matt

Reply to
matt3000

Leythos,

I NEVER go to strange links that are IM'd to me and in general I am VERY careful about any sites I go to. I know about various ActiveX exploits, godwill, godmessage are a few older ones that would upload a trojan known as Undetected or any other tiny trojan that the "hacker" plugged into the code. These days it seems that the ActiveX exploit more commonly used is a keylogger for snagging passes etc but I'm not up on such things so much these days (Obviously, LOL)

BTW, what is a good hardware firewall in the under $200.00 range and a good software firewall to go with it? How might I best configure this combo?

Matt

Reply to
matt3000

If you didn't keep any log files, you can't have any serious interest in uncovering the issue. You should have said that earlier, and not posted at all.

Again, you should read yourself what you wrote: You claim yourself that you don't know what you're doing. How should a firewall, which requires in-depth knowledge about networking protocols to provide any real security benefit, help you? And, as it seems that you rather have a problem with client software, how should it help in your scenario?

Reply to
Sebastian Gottschalk

You did. You always do. About any so-trusted normal website includes content from various other servers, most commonly related to adverts. These usually contain all kinds of untrustworthy and partially malicious content.

If you were running Windows XP SP1, just marking a downloaded JPEG file in Explorer would trigger an exploit. However, SP1 means unpatched.

But this isn't related to your problem, as it seems to have been exploited non-interactively.

Reply to
Sebastian Gottschalk

Who cares for ActiveX exploits? ActiveX itself is an exploit as well, that's why using any ActiveX-aware software is already dangerous and using one with a b0rken implementation like MSIE is inherently insecure.

Reply to
Sebastian Gottschalk

Your price range is rather low if you want a really good hardware firewall. See if you can find a used Cisco PIX 501 on eBay.

Once you have a good hw firewall, take your time to understand it and configure it properly. Don't bother with a software firewall--put all of your effort into the hw fw. Which do you think is more secure? Two 5 foot high walls one behind the other, or one 10 foot high wall?

Reply to
sodaant

There are no good soft-firewall products that you can run on your computer that will protect you without you also learning and implementing a secure practice/method structure.

As for Firewall, under $200, there is nothing on the market that I would purchase and install for anyone, that is classified as a firewall, in that price range.

You can get several nice NAT appliances (mistakenly called firewalls) or you could spend about $275 and get a D-Link DLF-700 that will do black/white listing, remove/block content in HTTP sessions, has a REAL DMZ and even support inbound PPTP End-Point connections with user/pw authentication to the device and then rules to allow/block based on the user...

Reply to
Leythos

[snip]

No, Gottschalk can't read. At least not English, or he chooses not to. He's a self proclaimed expert and argues ridiculous points and is then consistently shot down by Leythos and other true experts on the use of firewalls in the field.

Please let us know what your friends tell you. I'm curious as to what they did.

Reply to
Spender

Linksys and NetGear both make good firewalls (okay, NAT routers for the picky, even though the firewall RFC considers anything with SPI to be a firewall.)

Technically you don't need a software firewall if you have a good firewall/router appliance. The only use for a software firewall in that case is to monitor outbound connections (programs phoning home, trojans trying to connect out, etc.)

For purely inbound use, it doesn't hurt to use the Windows firewall. But if your firewall appliance is properly configured, the Windows firewall doesn't help either. If the firewall appliance is configured and working properly, the Windows firewall shouldn't see any action at all.

Also, with most of the newest software firewalls you get a lot of bloat. Many are memory hogs and can slow your system down. But they have a lot of other features now such as pop-up blockers, cookie managers, etc. They are like 20 pound Swiss Army knives. Useful, but hardly realistic.

A good pop-up blocker is nice to have. I still use PopUpCop with it set to disable everything by default (unless I add a site to the white list.) It works great, so I have no fear of using Internet Explorer. And I have intentionally gone to known malicious sites just to test it.

I do use Firefox quite a bit also though (tabbed browsing rocks, though IE 7 is supposed to have it now, I haven't tried it yet. I'll let the general population do the final beta test on that before I ever try it.) Check the Firefox add-ons site. They have some PopUp blocker, Java Script, and other security add-ons.

Of course depending on the IM you are using (web based or stand-alone client), it may be ineffective since you might have already approved the site from which you got hit.

If you are using a stand-alone IM client, do a Google search on other, more secure, clients. I don't do IM, but I believe I have heard there are third party replacements for AOL and Yahoo IM clients.

What happened to the single IM standard they were speaking of years ago anyway? AOL, Yahoo, and Microsoft were supposed to cooperate and come up with a single standard for IM so that a third party client could reach all of them.

If you are using IRC, look for a better client.

Reply to
Spender
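Two checks behind Spender's point, as an added example that is not part of the thread and not from any product discussed in it: an inventory of what the host itself exposes (the sockets a scan like GRC's would reach if nothing in front of the machine filtered), and a readout of whether the Windows Firewall is on and what its default actions are. The optional last step sketches the one job a host firewall does that a NAT appliance cannot: an outbound default-deny with an explicit allow list. It assumes Windows 8 / Server 2012 or newer for the NetTCPIP and NetSecurity cmdlets (Matt's XP box predates them), an elevated shell for the policy commands, and the allow-list path is a placeholder.

```powershell
# Added example, not from the thread. Assumes Windows 8/2012+ and an elevated shell.
function Get-ListeningSocket {
    # Every TCP listener and UDP endpoint, joined to its owning process.
    # Wildcard = bound to all interfaces, i.e. reachable from outside if nothing filters it.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            Proto     = 'TCP'
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Wildcard  = ($_.LocalAddress -in '0.0.0.0', '::')
            OwningPid = $_.OwningProcess
            Process   = $procs[[int]$_.OwningProcess]
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto     = 'UDP'
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Wildcard  = ($_.LocalAddress -in '0.0.0.0', '::')
            OwningPid = $_.OwningProcess
            Process   = $procs[[int]$_.OwningProcess]
        }
    }
    @($tcp) + @($udp) | Sort-Object Proto, Local
}

function Get-FirewallPosture {
    # Per-profile state: is it on, and what happens to traffic no rule matches.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

# --- report -----------------------------------------------------------------
'Sockets bound to all interfaces (what an external scan would hit with no filter in front):'
Get-ListeningSocket | Where-Object Wildcard | Format-Table -AutoSize
'Windows Firewall profiles:'
Get-FirewallPosture | Format-Table -AutoSize

# --- optional hardening: outbound default-deny with a small allow list -------
# Left behind -WhatIf so running the script only shows what it would change;
# remove -WhatIf to apply. Built-in "Core Networking" allow rules stay in force,
# so DNS/DHCP/Windows Update keep working; third-party programs need a rule.
$AllowOutbound = @(
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe"   # placeholder path, adjust to your machine
)
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block `
    -DefaultOutboundAction Block -LogBlocked True -WhatIf
foreach ($exe in $AllowOutbound) {
    New-NetFirewallRule -DisplayName "Allow outbound: $(Split-Path $exe -Leaf)" `
        -Direction Outbound -Program $exe -Action Allow -Profile Any -WhatIf
}
```

Read the first table against the router: anything listed as Wildcard that you did not put there is a candidate for disabling the service rather than relying on the NAT box to hide it, which is the "unneeded XP services" step Matt already took. The outbound block is where a host firewall earns its keep, but only if you are willing to look at the blocked-connection log (%systemroot%\System32\LogFiles\Firewall\pfirewall.log by default) when something stops working, otherwise it becomes a prompt people click through.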

YMMD!

Reply to
Sebastian Gottschalk

Technically you also don't need a software firewall if you have no good firewall/router appliance or not any at all.

Bullshit. There's no need for any host-based packet filter for such a simple task.

Maybe, if such would actually exist.

Wrong again. Windows Firewall does care for passively opened sockets.

Well, don't such things belong to the web browser? I can hardly imagine that an external filter only seeing the HTTP traffic could be aware of the user's event content, relating user-invoked events (like clicking the mouse button) to wanted popups. Same goes for cookies.

Well, not useful either.

What a nice stupidity.

OUCH! And you wanna preach anything about security?

Seems like you didn't visit the right ones. Or you didn't notice it. In any case, you didn't audit it against the well-known unpatched vulnerabilities to notice that it's trivially insecure.

Well, could it be that these are a necessity because the original clients are all-the-way broken and horrifically insecure?

At least Yahoo and Microsoft united their nets, in favor of the MSN protocol. Anyway, this is all far away from Jabber.

Huh? Are there any broken clients beside mIRC, which is even documented to be inherently insecure when used on non-trustworthy networks?

Reply to
Sebastian Gottschalk
