XP Pro - How'd I get hacked

Thread starter: Anna

Usually I reimage my workstations behind a router. Today, I needed a pc
directly connected to the net and imaged it without being protected by a
router.

After a 1-hour install of XP Pro, when the pc booted up for the first time,
the home page was changed, porn was loaded throughout the favorites and on
the desktop. Needless to say, the pc is now being imaged behind a router
and I'll load a firewall before exposing it to the net.

I'm just surprised that someone was able to detect my pc so quickly and
modify it beyond recognition.

Anna
 
Anna said:
After a 1-hour install of XP Pro, when the pc booted up for the first
time, the home page was changed, porn was loaded throughout the
favorites and on the desktop. Needless to say, the pc is now being
imaged behind a router and I'll load a firewall before exposing it to
the net.

If the router has a built-in firewall, there is no other firewall
necessary. You may want to consult the router's manual.
I'm just surprised that someone was able to detect my pc so quickly
and modify it beyond recognition.

Well, these 'wise guys' usually scan IP ranges. No big problem to find
an unprotected/unpatched system.
 
Usually I reimage my workstations behind a router. Today, I needed a pc
directly connected to the net and imaged it without being protected by a
router.

Bad move, but you already know that.
After a 1-hour install of XP Pro, when the pc booted up for the first time,
the home page was changed, porn was loaded throughout the favorites and on
the desktop. Needless to say, the pc is now being imaged behind a router
and I'll load a firewall before exposing it to the net.

You're lucky it took an hour. If you are on a high-speed connection you
could have been compromised in under 20 seconds.
I'm just surprised that someone was able to detect my pc so quickly and
modify it beyond recognition.

Don't look at it as "someone", it was an infected computer, spamming the
world, looking for anything it can reach. When you figure that more than
50% (my guess) of all home users PC's are compromised, it's a wonder you
made it the full hour.

I have a number of public IP's, and we average about 30 probes per
minute from infected computers on our ISP's (and others) network.

If you are going to restore a computer you need to do it behind a NAT
device or with the cable disconnected while you install all of the
drivers, updates, etc.. from your CD's that you've pre-made for this.
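The "30 probes per minute" figure above is the kind of number you get by counting dropped inbound packets in a firewall log. The script below is an added example, not code from this thread or from any poster: it parses a constructed pfirewall.log-style sample (the W3C-style header is the layout Windows Firewall writes when "Log dropped packets" is enabled; the column positions are taken from the `#Fields` line rather than hard-coded, so check your own log's header), keeps only inbound DROP records, and reports probes per minute, distinct sources, and the most-targeted ports. All addresses and timestamps are made up.

```python
"""Count inbound probes per minute from a Windows Firewall (XP SP2) log.

Added example. The log below is constructed, not a real capture; the field
layout mirrors the #Fields header Windows Firewall writes to
%windir%\\pfirewall.log, and the parser reads that header rather than
assuming fixed columns.
"""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-11-30 14:02:03 DROP TCP 192.0.2.17 198.51.100.5 3478 445 48 S 1190 0 16384 - - - RECEIVE
2004-11-30 14:02:09 DROP TCP 192.0.2.44 198.51.100.5 1031 135 48 S 2210 0 65535 - - - RECEIVE
2004-11-30 14:02:31 DROP TCP 192.0.2.17 198.51.100.5 3490 139 48 S 1340 0 16384 - - - RECEIVE
2004-11-30 14:02:45 DROP UDP 192.0.2.91 198.51.100.5 1026 1026 417 - - - - - - - RECEIVE
2004-11-30 14:03:02 DROP TCP 203.0.113.8 198.51.100.5 4012 445 48 S 7791 0 16384 - - - RECEIVE
2004-11-30 14:03:02 OPEN TCP 198.51.100.5 203.0.113.200 1042 80 - - - - - - - - -
2004-11-30 14:03:15 DROP TCP 203.0.113.8 198.51.100.5 4013 135 48 S 7792 0 16384 - - - RECEIVE
2004-11-30 14:03:40 DROP ICMP 192.0.2.91 198.51.100.5 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def inbound_drops(records):
    """Unsolicited traffic the firewall refused: DROP on the RECEIVE path."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def probes_per_minute(drops):
    """Bucket drops by 'YYYY-MM-DD HH:MM', sorted chronologically."""
    per_min = Counter(f"{r['date']} {r['time'][:5]}" for r in drops)
    return dict(sorted(per_min.items()))


def top_ports(drops, n=5):
    """Most-targeted proto/port pairs; ICMP has no port and is left out."""
    ports = Counter(f"{r['protocol']}/{r['dst-port']}"
                    for r in drops if r["dst-port"] != "-")
    return ports.most_common(n)


def summarize(text):
    drops = inbound_drops(parse_log(text))
    per_min = probes_per_minute(drops)
    return {
        "inbound_drops": len(drops),
        "distinct_sources": len({r["src-ip"] for r in drops}),
        "per_minute": per_min,
        "peak_minute": max(per_min, key=per_min.get) if per_min else None,
        "top_ports": top_ports(drops, 3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real `pfirewall.log` (read the file instead of `SAMPLE_LOG`) and the per-minute counts give you the same sort of probe rate quoted above; the top-ports list on an unpatched XP box of that era is dominated by 135, 139 and 445, which is exactly what a freshly installed, unfirewalled machine exposes.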
 
I image a pc almost every few days and I've heard of this happening, but
never had it happen to me only because I usually image behind a router.

I was just amazed at how fast I did get compromised. It may have taken less
than an hour, but it was an hour after I started the image that I came back
to the pc and saw all of this. So you're probably right, it was probably a
lot faster, especially since I'm on high speed cable.

I just finished reimaging the pc again, setup a software firewall and hooked
it up to the net without the router. All is well, but will have to ensure
that firewall never gets shutdown.
 
Leythos said:
Don't look at it as "someone", it was an infected computer, spamming
the world,

Could be either one. If it's "someone", they use bots for spamming anyway.
For the victim, this makes no difference. ;)
 
I just finished reimaging the pc again, setup a software firewall and hooked
it up to the net without the router. All is well, but will have to ensure
that firewall never gets shutdown.

I would suggest that you put the machine behind a router, there is no
excuse for leaving a system connected directly to the internet. If you
are providing services then consider a firewall appliance or port
forwarding, but do not leave a generic Windows computer connected
directly to the internet. You, in my opinion, are just asking to get
hacked again.
 
Anna said:
Usually I reimage my workstations behind a router. Today, I needed a pc
directly connected to the net and imaged it without being protected by a
router.

After a 1-hour install of XP Pro, when the pc booted up for the first time,
the home page was changed, porn was loaded throughout the favorites and on
the desktop. Needless to say, the pc is now being imaged behind a router
and I'll load a firewall before exposing it to the net.

I'm just surprised that someone was able to detect my pc so quickly and
modify it beyond recognition.
Hi

November 30, 2004
Unprotected PCs Fall To Hacker Bots In Just Four Minutes
http://www.techweb.com/wire/security/54201306

WinXP SP1 without any firewall protection had the poorest showing.
 
I would suggest that you put the machine behind a router, there is no
excuse for leaving a system connected directly to the internet.

Respectfully, I disagree with you. Having a hardware router is a luxury
that some people have, but many still do not. I can think of so many people
that do not have their machine behind a hardware firewall.

I believe Microsoft recognizes this fact and for this reason has included a
software firewall in SP2.

Out of curiosity, I've left this pc attached directly to the net, but as I
mentioned in an earlier post, behind a software firewall. It is doing fine
and has not been compromised since being installed this afternoon.
 
Respectfully, I disagree with you. Having a hardware router is a luxury
that some people have, but many still do not. I can think of so many people
that do not have their machine behind a hardware firewall.

So is having a firewall application. Until you get the OS on-line you
can't get the firewall application to install it, so, for the vast
majority of users - it's a catch-22. The only way to get SP2 Firewall or
another is to purchase one in a box or to go on-line to get it.
I believe Microsoft recognizes this fact and for this reason has included a
software firewall in SP2.

Out of curiosity, I've left this pc attached directly to the net, but as I
mentioned in an earlier post, behind a software firewall. It is doing fine
and has not been compromised since being installed this afternoon.

Yes, and I recall you stating that you did everything to set it up and
secure it BEFORE you connected it to the internet. Had you only owned
one machine, would you have been able to download your personal firewall
BEFORE you got hacked?

While many may not be able to afford a router/NAT, almost every
DSL/Cable modem has the built-in ability to provide NAT for you. What we
really need is for residential accounts to have NAT enabled on their
internet connection device (cable/dsl) by default and require them to
ask for a Public IP when needed.

Your typical home user is going to go to Best Buy or Dell and get a PC,
connect it, and get hacked while downloading the Windows Updates, if
they even know enough to start the update process. NAT at the border
would save them.

What people should be considering is how much time they waste fixing,
guessing, cleaning their systems, how much that time is worth in $, and
then realizing that the $40 cost of a router with NAT would have paid
for itself many times over - and that doesn't include the cost of the
stolen information from their computers.
 
That's true, most people need to connect to the net to install their
software such as a firewall.

All my software is on CD so I installed it prior to connecting to the net.
 
Leythos said:
So is having a firewall application. Until you get the OS on-line you
can't get the firewall application to install it, so, for the vast
majority of users - it's a catch-22. The only way to get SP2 Firewall or
another is to purchase one in a box or to go on-line to get it.
Hi

Actually, Windows XP has always had a software firewall included, the
major difference for the SP2 version is that it is default enabled,
and more configurable.

E.g. for my parent's computer that came with WinXP SP1, I enabled
the builtin firewall before I put the computer on-line.
 
It was on by default if one used the wizards. But not if configuring through the other, older, and more common ways (like ISP's ins files).
 
David said:
It was on by default if one used the wizards. But not if
configuring through the other, older, and more common ways (like
ISP's ins files).
Hi

That is not what I experience.

I just installed WinXP Pro (SP1) with an original Microsoft retail CD,
using the standard installation wizards.

When the OS installation was finished, the "Internet Connection
Firewall" setting under the network connection was not enabled. Also,
when looking at the ICF service with services.msc, the startup type
was Manual, and it was not running.

Then, when I manually selected the "Internet Connection Firewall"
setting under the network connection, the ICF service was
automatically configured to Automatic startup, and started.
 
Via the wizard. It's a per connection setting. But old code doesn't. I posted what steps did and didn't set it years ago. I'll try a search but I think firewall is too common.

From memory the Create A New Connection wizard in Network Connections turned on the firewall.
 
Torgeir.Bakken- said:
Hi

Actually, Windows XP has always had a software firewall included, the
major difference for the SP2 version is that it is default enabled,
and more configurable.

E.g. for my parent's computer that came with WinXP SP1, I enabled
the builtin firewall before I put the computer on-line.

But most home users don't know this method, they just connect ALL the
cables (as instructed) and then get hacked before their updates are
installed.
 
Leythos said:
So is having a firewall application. Until you get the OS on-line you
can't get the firewall application to install it, so, for the vast
majority of users - it's a catch-22.

XP RTM has a firewall, it's not a catch-22.
The only way to get SP2 Firewall or
another is to purchase one in a box or to go on-line to get it.

As I said, XP RTM has a firewall.
Yes, and I recall you stating that you did everything to set it up and
secure it BEFORE you connected it to the internet. Had you only owned
one machine, would you have been able to download your personal firewall
BEFORE you got hacked?

Yes, by using the firewall in XP.
Your typical home user is going to go to Best Buy or Dell and get a PC,
connect it, and get hacked while downloading the Windows Updates, if
they even know enough to start the update process. NAT at the border
would save them.

So would the firewall that comes with XP RTM.
 
If the router has a built-in firewall, there is no other firewall
necessary. You may want to consult the router's manual.

I have normally run Win2K with Norton Internet Security. I am replacing that
machine with XP Pro. Even though I have a router/firewall in front, I liked
the way NIS would monitor both incoming and *outgoing* packets (as well as do
popup blocking, and site specific permissions).

Will the builtin XP firewall offer the same feature or should I install Norton
Personal Firewall on it as well?
 
Anna said:
After a 1-hour install of XP Pro, when the pc booted up for the first time,
the home page was changed, porn was loaded throughout the favorites and on
the desktop. Needless to say, the pc is now being imaged behind a router
and I'll load a firewall before exposing it to the net.

I'm just surprised that someone was able to detect my pc so quickly and
modify it beyond recognition.

Typically one minute for an attack to get in, if you do not have a
firewall up and Blast etc. protection in place. I recommend having the
SP2 CD around (or slipstreamed into your install CD) and get it in place
before connecting to the Net *at all*
 
Mike said:
I have normally run Win2K with Norton Internet Security. I am replacing that
machine with XP Pro. Even though I have a router/firewall in front, I liked
the way NIS would monitor both incoming and *outgoing* packets (as well as do
popup blocking, and site specific permissions).

Will the builtin XP firewall offer the same feature or should I install Norton
Personal Firewall on it as well?

WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes. What WinXP SP2's firewall does not
do, is protect you from any Trojans or spyware that you (or someone else
using your computer) might download and install inadvertently. It
doesn't monitor out-going traffic at all, other than to check for
IP-spoofing, much less block (or even ask you about) the bad or the
questionable out-going signals. It assumes that any application you
have on your hard drive is there because you want it there, and therefore
has your "permission" to access the Internet. Further, because the
Windows Firewall is a "stateful" firewall, it will also assume that any
incoming traffic that's a direct response to a Trojan's or spyware's
out-going signal is also authorized.

ZoneAlarm, Kerio, or Sygate are all much better than WinXP's
built-in firewall, and are much more easily configured, and there are
free versions of each readily available. Even the commercially
available Symantec's Norton Personal Firewall is superior by far,
although it does take a heavier toll on system performance than do
ZoneAlarm or Sygate.

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
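The distinction Bruce draws above, between an inbound-only stateful firewall that trusts everything the host sends and a per-program egress filter, is easy to see in a small model. The code below is an added example and not from the thread or from any firewall product: it simulates both policies on the same constructed packet sequence (a worm SYN to port 445, a Trojan-style outbound connection to a made-up "C2" host, its reply, and an ordinary browser request). Listening-service exceptions, timeouts and UDP/ICMP handling are deliberately left out; program names and addresses are invented.

```python
"""Stateful inbound filtering vs. per-program egress control (added example).

Models, in a few lines, the behaviour Bruce describes: a stateful firewall
lets any local program's outbound packet create state, so the reply to a
Trojan's "phone home" is accepted as legitimate. A per-program allow list
consulted *before* state is created stops both directions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the protected host
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    program: str = ""     # local process emitting an outbound packet (constructed names)


class StatefulFirewall:
    """Inbound-only stateful filter, as the thread describes XP SP2's firewall:
    outbound is always allowed and records state; inbound must match state."""

    def __init__(self):
        # (proto, local_ip, local_port, remote_ip, remote_port)
        self.state = set()

    def filter(self, p):
        if p.direction == "out":
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # reply matches from the host's side
        return "ALLOW" if key in self.state else "DROP"


class EgressAwareFirewall(StatefulFirewall):
    """Same stateful core plus a per-program allow list, the feature the thread
    attributes to ZoneAlarm/Kerio/Sygate/Norton. Unknown programs are blocked
    outbound, so no state exists for their replies."""

    def __init__(self, allowed_programs):
        super().__init__()
        self.allowed = set(allowed_programs)

    def filter(self, p):
        if p.direction == "out" and p.program not in self.allowed:
            return "BLOCK"
        return super().filter(p)


HOST = "198.51.100.5"
SCENARIO = [  # constructed traffic, in order
    Packet("in", "TCP", "192.0.2.17", HOST, 3478, 445),                        # worm probe
    Packet("out", "TCP", HOST, "203.0.113.66", 1057, 6667, program="svch0st.exe"),  # Trojan phones home
    Packet("in", "TCP", "203.0.113.66", HOST, 6667, 1057),                    # C2 reply
    Packet("out", "TCP", HOST, "203.0.113.200", 1058, 80, program="iexplore.exe"),  # browser
    Packet("in", "TCP", "203.0.113.200", HOST, 80, 1058),                     # web reply
]


def run_scenario(firewall, packets=SCENARIO):
    """Return the firewall's decision for each packet, in order."""
    return [firewall.filter(p) for p in packets]


if __name__ == "__main__":
    print("stateful only :", run_scenario(StatefulFirewall()))
    print("egress-aware  :", run_scenario(EgressAwareFirewall({"iexplore.exe"})))
```

Both firewalls drop the unsolicited probe, which is the protection Anna needed during her install. Only the egress-aware one refuses the Trojan's outbound connection, and because that connection never creates state, the C2 reply is dropped as well; the stateful filter alone accepts it, which is exactly the gap Bruce points out.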
 