dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
Posted: Wed Aug 01, 2007 12:14 pm Post subject: Windows has found CRITICAL SYSTEM ERRORS, on a Linux box.
Well, I don't have to ask for too much help but this one has me sort of stumped. I'm on dial-up and every once in a while I see a little bit of data even though nothing is going on, including email. I closed everything and even stopped ntp and used Wireshark to capture this. Can someone tell me what the heck this is? Is this that little pop-up window that pops up on windoze? I use Bell South, aka AT&T now, and so does my brother. His windoze XP "claims" someone is trying to hack in and Norton stops it. Is this true? Well, before I call out the Special Forces or something, what is this?
Code:
```text
No. Time Source Destination Protocol Info
1 0.000000 20.233.86.7 209.214.144.182 Messenger NetrSendMessage request[Long frame (2 bytes)]
Frame 1 (407 bytes on wire, 407 bytes captured)
Arrival Time: Aug 1, 2007 06:55:44.988063000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 407 bytes
Capture Length: 407 bytes
[Frame is marked: False]
[Protocols in frame: sll:ip:udp:dcerpc]
[Coloring Rule Name: DCERPC]
[Coloring Rule String: dcerpc]
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 512
Link-layer address length: 0
Source: <MISSING>
Protocol: IP (0x0800)
Internet Protocol, Src: 20.233.86.7 (20.233.86.7), Dst: 209.214.144.182 (209.214.144.182)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 391
Identification: 0x4fcc (20428)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 53
Protocol: UDP (0x11)
Header checksum: 0x671d [correct]
[Good: True]
[Bad : False]
Source: 20.233.86.7 (20.233.86.7)
Destination: 209.214.144.182 (209.214.144.182)
User Datagram Protocol, Src Port: 30951 (30951), Dst Port: 1026 (1026)
Source port: 30951 (30951)
Destination port: 1026 (1026)
Length: 371
Checksum: 0x0000 (none)
Good Checksum: False
Bad Checksum: False
DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 280
Version: 4
Packet type: Request (0)
Flags1: 0x78 "Broadcast" "Idempotent" "Maybe" "No Fack"
0... .... = Reserved: Not set
.1.. .... = Broadcast: Set
..1. .... = Idempotent: Set
...1 .... = Maybe: Set
.... 1... = No Fack: Set
.... .0.. = Fragment: Not set
.... ..0. = Last Fragment: Not set
.... ...0 = Reserved: Not set
Flags2: 0x00
0... .... = Reserved: Not set
.0.. .... = Reserved: Not set
..0. .... = Reserved: Not set
...0 .... = Reserved: Not set
.... 0... = Reserved: Not set
.... .0.. = Reserved: Not set
.... ..0. = Cancel Pending: Not set
.... ...0 = Reserved: Not set
Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE)
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Serial High: 0x00
Object UUID: 00000000-0000-0000-0000-000000000000
Interface: Messenger UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
Activity: 00000000-0000-0000-0000-000000000000
Server boot time: Unknown (0)
Interface Ver: 1
Sequence num: 0
Opnum: 0
Interface Hint: 0xffff
Activity Hint: 0xffff
Fragment len: 280
Fragment num: 0
Auth proto: None (0)
Serial Low: 0x00
Authentication verifier
Microsoft Messenger Service, NetrSendMessage
Operation: NetrSendMessage (0)
Server
Max Count: 10
Offset: 0
Actual Count: 10
Server: SYSTEM
Client
Max Count: 35
Offset: 0
Actual Count: 35
Client: ALERT
Message
Max Count: 194
Offset: 0
Actual Count: 194
Message: STOP! IMMEDIATE ATTENTION REQUIRED\n\n Windows has found CRITICAL SYSTEM ERRORS.\n\n Download Registry Cleaner from: www.key32.com\n\nFAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!\n\n
[Long frame (2 bytes)]
```
Oh, I went to the site, www.key32.com, and it says I have 25 system errors. LOL This is a Gentoo Linux box by the way.
Thanks much.
:D
_________________
My rig: Gigabyte GA-970A-UD3P mobo, AMD FX-8350 Eight-Core CPU, ZALMAN CNPS10X Performa CPU cooler,
G.SKILL 32GB DDR3 PC3 12800 Memory, Nvidia GTX-650 video card, LG W2253 Monitor,
60TBs of hard drive space using LVM,
Cooler Master HAF-932 Case
Rob1n l33t
Joined: 29 Nov 2003 Posts: 714 Location: Cambridge, UK
Posted: Wed Aug 01, 2007 12:22 pm
Yes - this looks like a Windows Messenger alert. It'll just be a spam or phishing attack. Since you're not running Messenger, there are no real issues - you probably ought to look into installing a basic firewall though.
Akkara Bodhisattva
Joined: 28 Mar 2006 Posts: 6702 Location: &akkara
Posted: Wed Aug 01, 2007 12:24 pm
It appears to be a packet targeted at the Windows Messenger service that pops up a dire-warning-looking box which directs the user to a website that offers malware (the red click-here link is a .exe which is probably up to no good.)
Edit: I lose the typing speed race :)
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
Posted: Wed Aug 01, 2007 4:44 pm
I have iptables installed on here but everything is set to wide open right now. Iptables always worried me. I screwed up once and had no internet until I figured out how to open it all up again. I'll have to change that when I get DSL though.
What should I do about my bro's on his XP? Should I report this to the ISP so they can do something to stop them, you know, like AOL did with the spammer? It appears that Norton is blocking it on his machine but we all know how windoze is.
It's funny, that thing does that a good bit. I only sent one packet but there was more.
Thanks
Rob1n l33t
Joined: 29 Nov 2003 Posts: 714 Location: Cambridge, UK
Posted: Wed Aug 01, 2007 8:24 pm
You can report it to the ISP - I doubt they'll do anything about it though. Your best bet is just to make sure you have a decent firewall (and anti-virus, anti-spyware, etc.) to protect against this sort of thing (and Norton wouldn't be my first choice!). He may want to look at http://www.techsupportalert.com/best_46_free_utilities.htm for some useful protective tools.
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
Posted: Thu Aug 02, 2007 12:18 am
That sounds like a start. Now just to help me make sure I am off to a great start with iptables. Is this the part that says what port it is using and that I would have to block:
Code:
```text
User Datagram Protocol, Src Port: 30951 (30951), Dst Port: 1026 (1026)
Source port: 30951 (30951)
Destination port: 1026 (1026)
```
I assume that I would want to block ports 30951 and 1026. Is that correct?
This is my iptables list right now, wide open as I stated earlier.
Code:
```text
root@smoker / # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@smoker / #
```
Thanks.
roderick l33t
Joined: 11 Jul 2005 Posts: 908 Location: St. John's, NL CANADA
Posted: Thu Aug 02, 2007 3:37 am
There are many firewall scripts that utilize IPTABLES. I suggest you install one of them instead of configuring iptables manually.
For example:
Code:
```text
* net-firewall/quicktables
Available versions: ~2.3
Homepage: http://qtables.radom.org/
Description: a quick iptables script generator
* net-firewall/kmyfirewall
Available versions: 0.9.6.2-r1 1.0.1-r1 {arts debug elibc_FreeBSD xinerama}
Homepage: http://kmyfirewall.sourceforge.net/
Description: Graphical KDE iptables configuration tool
* net-firewall/tuxguardian [1]
Available versions: ~0.5
Homepage: http://tuxguardian.sourceforge.net/
Description: An application based firewall for Linux
* net-firewall/tuxfrw
Available versions: ~2.61 ~2.62
Homepage: http://tuxfrw.sf.net/
Description: TuxFrw is a complete firewall automation tool for GNU/Linux.
* net-firewall/knetfilter
Available versions: 3.5.0 {arts debug elibc_FreeBSD xinerama}
Homepage: http://expansa.sns.it/knetfilter/
Description: Manage Iptables firewalls with this KDE app
```
There are others out there as well (look at the net-firewall category). For example, shorewall was something I always put on my servers. It is not a GUI, but is quite extensible and has some great documentation online.
No one should have to suffer building an ipchains or iptables ruleset from scratch. :)
_________________
If God were a pickle, I'd still say "no pickle on my burger".
http://roderick-greening.blogspot.com/
Hu Administrator
Joined: 06 Mar 2007 Posts: 23091
Posted: Thu Aug 02, 2007 4:38 am
dalek wrote:
> I assume that I would want to block ports 30951 and 1026. Is that correct?
It is a good guess, but no, not exactly. 30951 is an ephemeral port. It is likely that you will not receive any more Messenger spam with that source port for a long time. The 1026 destination port is a better candidate for blocking, but best practices say to write rules for things you want to work and then block everything else. This way, if you make a mistake, it manifests as something not working. If you try to blacklist "bad" traffic, you will not notice a mistake until someone exploits it.
If you have trouble getting the firewall configured the way you want, or just want someone to review your rules, feel free to post it here. Running iptables-save -c is a good way to capture all the active rules at once, with traffic counters so you can see which rules are matching traffic. Depending on how you configured your kernel, you might be missing some functionality that you will need for a good firewall. If you get errors trying to load the rules, post your rules here and someone can tell you which kernel options you need.
roderick: writing iptables by hand is not so bad. You get used to it after a while. ;)
dalek Veteran
Joined: 19 Sep 2003 Posts: 1353 Location: Mississippi USA
Posted: Thu Aug 02, 2007 6:02 am
I know that I need port 80 open for web browsing, ports 110 and 25 for email if I recall correctly. What other ports should be open? I don't currently run sshd or anything here. I'm not sure what port portage uses for ftp, sync etc either.
I think where I messed up last time was that I put the drop rule at the top as the first rule and it just dropped everything and looked no further for matching rules. From what I have read, that rule should be last not first. LOL It was fun though. I'm just glad I hadn't saved the rules and that restarting iptables fixed it.
I found a great, I mean GREAT, howto once. It was super easy to understand but now I can't find it. I had it bookmarked but now I can't find the bookmark either.
I'm sleepy right now and I may have to go out of town to meet a "lady friend" so I may start working on that in a few days. I don't want to start something only to get half way through and have to stop.
I do have webmin installed though. It has a nice GUI thing for iptables and shorewall. That may help me some.
Thanks
Hu Administrator
Joined: 06 Mar 2007 Posts: 23091
Posted: Fri Aug 03, 2007 4:03 am
You need to be able to connect to those ports, yes. If you are only setting up a filter on inbound traffic, you do not need to open those ports unless you plan to offer those services from your machine to other systems.
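As an added example (not code from the thread or from any of the posters), this is the whitelist-style ruleset Hu describes, in `iptables-restore` format, for a dial-up client like the one in this thread that opens outbound connections (web, POP3, SMTP, portage sync) but offers no services: INPUT defaults to DROP, replies to the box's own connections are let back in by connection tracking, and the Messenger port seen in the capture gets a dedicated rule so its counter in `iptables-save -c` shows the spam being hit. The `ppp0` interface name and the `conntrack` match are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny INPUT ruleset in
# iptables-restore format. Assumes the dial-up link is ppp0 and that the
# kernel has connection tracking (xt_conntrack) available.
WAN_IF="${WAN_IF:-ppp0}"

# Print the ruleset. Everything this box initiates is allowed out by the
# OUTPUT policy and its replies come back through the ESTABLISHED,RELATED
# rule, so no inbound port (80, 110, 25, ...) needs opening for a client.
messenger_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Messenger spam from the capture: UDP to port 1026. The DROP policy would
# catch it anyway; a dedicated rule gives a counter and a rate-limited log line.
-A INPUT -i $WAN_IF -p udp --dport 1026 -m limit --limit 3/min -j LOG --log-prefix "MSGR-SPAM: "
-A INPUT -i $WAN_IF -p udp --dport 1026 -j DROP
COMMIT
EOF
}

# How many rules in the ruleset mention a given destination port
# (a sanity check that the blocked port is really 1026, not the
# ephemeral source port 30951). Always exits 0, even for zero matches.
rules_for_dport() {
    messenger_firewall_rules | awk -v p="--dport $1" 'index($0, p) { n++ } END { print n + 0 }'
}

# Load the rules (run as root). If you lock yourself out the way the thread
# describes, recover with:  iptables -P INPUT ACCEPT; iptables -F
apply_rules() {
    messenger_firewall_rules | iptables-restore
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     messenger_firewall_rules ;;
esac
```

Run it without arguments to review the ruleset, and with `apply` as root to load it; `iptables-save -c` afterwards shows the per-rule counters Hu mentions.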