From owner-freebsd-questions Tue Jul 6 10:20:50 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from ns.clientlogic.com (ns.clientlogic.com [207.51.66.75]) by hub.freebsd.org (Postfix) with ESMTP id C2EA414C84 for ; Tue, 6 Jul 1999 10:20:48 -0700 (PDT) (envelope-from ChrisMic@clientlogic.com)
Received: by site0s1 with Internet Mail Service (5.5.2448.0) id <3DAY4A15>; Tue, 6 Jul 1999 13:20:48 -0400
Message-ID: <6C37EE640B78D2118D2F00A0C90FCB4401105A7B@site2s1>
From: Christopher Michaels
To: 'Rami Soudah' , FreeBSD-Questions@FreeBSD.org
Subject: RE: WinNuke
Date: Tue, 6 Jul 1999 13:22:51 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

You just need to firewall off ports 137-139 (tcp AND udp), and you won't have
to worry about winnukes anymore (although if you are properly patched you
shouldn't have to worry anyway).

-Chris

> -----Original Message-----
> From: Rami Soudah [SMTP:rsodah@index.com.jo]
> Sent: Saturday, July 03, 1999 2:38 PM
> To: FreeBSD-Questions@FreeBSD.org
> Subject: WinNuke
>
> Greetings,
>
> Last night I had a situation:
> NukeNabber2.9b on the Win box crashed
> due to a port scan via nmap from the BSD box, with the message:
>
> "Exception EStackOverflow in module
> NUKENABBER.EXE at 00004AEC
> Stack Overflow."
> "This program has preformed an illegal operation and
> will shutdown."
>
> At that time I was offline (not connected to the
> internet).
>
> I did nmap, to know which ports are still open:
> bash-2.02$ nmap 192.168.0.2
> Starting nmap V. 1.51 by Fyodor (fyodor@dhp.com, www.dhp.com/~fyodor/nmap/)
> Open ports on metro (192.168.0.2):
> Port Number  Protocol  Service
> 53           tcp       domain
> 129          tcp       pwdgen
> 137          tcp       netbios-ns
> 138          tcp       netbios-dgm
> 139          tcp       netbios-ssn
>
>
> Network: ISP-modem-BSD-Win
>
> In the log file of NukeNabber, I found the following:
> [07/02/1999 10:14:43] Connection: EARTH (192.168.0.1) on port 137 (tcp).
> [07/02/1999 10:14:53] Connection on port 137 (tcp) timed out waiting for data.
> [07/02/1999 10:14:53] Port 137 (tcp) is now disabled for 60 seconds.
> [07/02/1999 10:16:40] Port 137 (tcp) is re-enabled.
> [07/02/1999 10:18:37] Connection: EARTH (192.168.0.1) on port 53 (tcp).
> [07/02/1999 10:18:46] Connection on port 53 (tcp) timed out waiting for data.
> [07/02/1999 10:18:46] Port 53 (tcp) is now disabled for 60 seconds.
> [07/02/1999 10:20:34] Port 53 (tcp) is re-enabled.
> [07/02/1999 10:20:34] Disconnect: on port 129 (tcp).
> [07/02/1999 10:20:34] Port 129 (tcp) is now disabled for 60 seconds.
> [07/02/1999 10:20:34] Disconnect: on port 138 (tcp).
> [07/02/1999 10:20:34] Port 138 (tcp) is now disabled for 60 seconds.
> [07/02/1999 10:20:34] Connection: EARTH (192.168.0.1) on port 0 (tcp).
> [07/02/1999 10:21:36] Port 138 (tcp) is re-enabled.
> [07/02/1999 10:21:36] Port 129 (tcp) is re-enabled.
>
>
> Could someone tell me why that happened?
> Do I need NukeNabber to protect the Win box from WinNuke?
> Which firewall rules do I have to set up in my rc.firewall to protect the
> Win box from nuke and to close the open ports?
>
>
> -pons
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
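
Added example (not part of the original messages, and not FreeBSD's own rc.firewall): an rc.firewall-style sh fragment for the rule described in the reply, denying tcp and udp to ports 137-139 on the gateway's outside interface. The interface name tun0, the rule numbers and the netbios_rules helper are assumptions; by default the fragment only prints the ipfw commands instead of installing them.

```shell
#!/bin/sh
# Added example: block NetBIOS (ports 137-139, tcp AND udp) at the BSD gateway.
# Assumptions (not from the thread): outside interface tun0, rule numbers 200+.
# fwcmd defaults to a dry run that prints each command; set fwcmd=/sbin/ipfw
# on the gateway itself to install the rules.
fwcmd="${fwcmd:-echo ipfw}"

# netbios_rules OIF [BASE]
# Emit deny rules for tcp and udp, destination ports 137-139, for packets
# crossing OIF in either direction. ipfw stops at the first matching rule,
# so BASE must be lower than the number of any allow rule.
netbios_rules() {
    oif="$1"
    base="${2:-200}"
    # Refuse anything that is not a plain interface name or rule number,
    # since both values end up on a command line run as root.
    case "$oif" in
        ""|*[!A-Za-z0-9]*)
            echo "netbios_rules: bad interface '$oif'" >&2; return 1 ;;
    esac
    case "$base" in
        ""|*[!0-9]*)
            echo "netbios_rules: bad rule number '$base'" >&2; return 1 ;;
    esac
    n="$base"
    for proto in tcp udp; do
        # Inbound: traffic from the ISP side aimed at the Windows box.
        $fwcmd add "$n" deny "$proto" from any to any 137-139 in via "$oif" || return 1
        n=$((n + 10))
        # Outbound: keep the LAN's own NetBIOS traffic off the modem link.
        $fwcmd add "$n" deny "$proto" from any to any 137-139 out via "$oif" || return 1
        n=$((n + 10))
    done
}

# Dry run for the assumed dial-up interface.
netbios_rules tun0 200
```

These rules filter only what crosses the outside interface, so a scan run from the gateway's LAN side, like the nmap run quoted above, would still reach the Windows box.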