Update At Last night, we had been discussing this very possibility. Savage, where I live, has three different school districts ripping it up. We're on the eastern side of Savage (heck, less than a mile from the city limit, frankly), so we're in the Burnsville/Savage/Eagan school district. On the south side of town, where the new high school is in Savage (and still called "Prior Lake High School" - can't wait for the vandals to get that straightened out), there's the Savage/Prior Lake school district (though Savage is outnumbered about three-to-one in that district). Lastly, over on the western edge of town, there's the Shakopee/Savage school district. This morning the scroll on the bottom of the screen kept getting longer and longer. First Prior Lake closed. Then Shakopee. Understandable, as both are definitely more rural in nature. Burnsville? The stated policy of Burnsville (unofficial, of course) is that they would much rather remain open because the parents are going to end up going to work anyway - better to have the kids at school than at home, so the theory goes. Then Lakeville (south of Burnsville) closed. Is it possible? Could it be? The names churned through to the "Z's" (Zumbrota-Mazeppa), and started over. Alma, Avery ... Baldwin, Barron, Belle Plaine, Blooming Prairie, Blue Earth, Buffalo Lake/Hector, Burnsville, Butterfield - wait a minute, what was that? Burnsville? Burnsville CLOSED? Yup. So I sent my daughter back to bed (wouldn't you know that on a day she could stay in bed she'd be up early?), did the same for Jack, and did a naughty thing - Ran Ann to the bus. I came home and went to work on the driveway. When I started, it was mostly eight inches thick - where I'd driven on it. Where I hadn't, we had about eighteen inches. So I shoveled edge to edge top to bottom - or nearly so. 
Then my neighbor came along with his snowblower and finished off the last foot or two of the driveway (and I, more the fool, stepped back to watch just as he bore into a pile of snow with the chute set wrong - and I acquired an entire faceful of snow). Oh well - considering the last foot or so was actually the deepest, it did help. Now I've got four-foot high banks on the sides of the driveway, about fourteen inches throughout the rest of the yard, and two kids screaming their heads off upstairs. Oh, my, won't this be fun. The children are out back, playing with the dog, and enjoying their "free day". Traffic is apparently so bad that a friend of ours (with a four-wheel-drive pickup which is quite stable in this weather - he's got sand tubes in the bed) took well over a half hour just to get a half-mile down a busy street - which goes through the business district of Burnsville and dumps onto 35W and 35E (County 42, for you locals) - since he's got to go another forty miles to get to work, he bagged it and came home. As to the football game, I do hear tell that there was a half-time show - I recall looking at a friend of ours and rolling my eyes when all the noise started. I've turned into my father. I did recognize some half-wit rewrite of the lyrics to "Oh Mickey" - but then again, it seems pretty apparent to me that most rap music is derivative. Though I'm a bit confused - CBS was willing to showcase Phil Simms' inability to speak English (which, considering he is a college grad, makes me cringe all the more), nudity (the aforementioned "Janet's Boobie"), and bad taste in bucketloads (given the number of advertisements that included bathroom humor or erectile dysfunction), but they wouldn't run a political ad? Gee - and I thought my family values were pretty good - apparently they're all screwed up. Here come the kids... Oh, phew - is there anything worse than "wet dog" for a smell?
I'm not exactly sure when the whole "decency versus freedom of speech" thing took over, but I missed the boat when we said "yes, certainly, prohibiting speech of any kind is censorship." I'll gladly defend your rights to sell your Penthouse, Hustler, and Debbie Does Donkeys magazines - so long as those magazines and others like them aren't shoved in the faces of ten year olds. I like the occasional well-proportioned nude girl - who (male) doesn't? Oh, OK, there's that segment of you who are more happy with the buck-nekkid men - fine. Whatever. But do I want that shoved in the face of my children? No - wait, let me rephrase that - HELL NO. I was fortunate - my children, and my friend's kids, were downstairs playing Playstation rather than watching the game - so only consenting adults were given the view of Janet Jackson's boobie. I read today of the feeble explanations that it was a "costume malfunction." Right. Lessee - Wacko Jacko's sister Boobie says she was supposed to have a red lace bra on. I see. Where the heck was it? In her trailer? Frankly, folks, I know of no brassiere which has removable cups. Doesn't mean they don't exist (and yes, I've led a sheltered life, though thanks to Robin Williams, I do know what a "Prince Albert" is - and I can guarantee you that I will never have one), just that I'm woefully naive when it comes to feminine undergarments. In a larger sense, though, what the heck happened to the halftime show? Two years ago there was Bono and the names of the victims from September 11th. I remember a B2 flyover. I remember many halftime shows that showed more skin and were less flagrantly disgusting than yesterday's. What changed? Is it me? Perhaps my tastes have - admittedly, I'm not at all a fan of the crap-music type shows they put on yesterday. But did Janet Jackson have to go rubbing her rear end all over this Timberlake jerk? Did "Kid Rock" have to put a hole in a flag and wear it like a poncho?
I do understand the need to test boundaries - hell, I do it all the time. But what I fail to understand - or perhaps accept - is that the fine folks from MTV felt the need to put that sort of behavior on display for everyone. When did MTV become the arbiter of good taste - or taste at all? Between the halftime show and the prevalence of bathroom humor and erectile dysfunction, I was glad to see the truly simple dysfunctional displays of an idiot running a racecar down a football field. Don't know what for, don't care - all I do know is that the NASCAR junkies got their fill, this time without wet tee shirts. I see where the FCC is considering fining CBS - and each of its more than 200 affiliates - the maximum allowable fine for this sort of indecency - $27,500. On the one hand, my wife is yelling that I'm being unreasonable - fining the affiliates for carrying the most popular program they'll have on their air for three straight years is probably unfair, she says. Certainly, says I - but fining a company that conservatively took in nearly a half-billion dollars in advertising revenue? (Assume the pre-game, postgame, and during the game, figure the average of two hours (out of seven) as advertising time (a bit low, I grant you), and then assume the average of $2.25 million per 30 second spot, and I get $540 million.) Tear off the local affiliate take, the public service announcements, and the like, and you might be looking at $300 million for the network. Okay. Just for simple dumb math fun, it would take over 10,900 $27,500 fines to come close to that $300 million. If you assessed the $27,500 fine against each of 200 legal entities, they could be hit over 50 times before you'd eat up all of that $300 million. Economically, it made great sense for CBS to encourage Janet Jackson to bare her breast (or to get that Timberlake idiot to do it for her). Today, I'm talking about boobs instead of a last-second win.
Do I think that someone somewhere isn't chuckling all the way to the bank? Well, freaking DUH. Aside from the fact that Janet did seem to be the most normal of the Jackson clan (which is a bit like winning "Best Grooming" at the asylum), you've got this Timberlake character who, I'm told, has all the class of ... well, I can't really think of a good one - scumbag is entirely too nice for this kid. I guess it's true. I've become my father. I just wish there was something more I could do to get my point across. CBS was willing to run bathroom humor, toilet jokes, and erectile dysfunction ads, and yet they won't allow a serious question about paying for the deficit. They'll show boobs, but not, it seems, bores. Sad, isn't it?
Update At 2235
Short version - if you can, block all traffic to OEM-builder.biz NOW. I mean RIGHT NOW. If you've got Windows, drop to a DOS box, do a search for the HOSTS file, and add in these lines:

    127.0.0.1 www.oem-builder.biz
    127.0.0.1 www.oem-expert.biz

And save it - then reboot. That might prevent any traffic from OEM-Builder.biz and their friends from infecting your box. Out of left field this morning I thought "you know, I haven't run a netstat -a in a while. Let's see what's up." There, in the output, was...
    Active Connections

      Proto  Local Address      Foreign Address             State
      TCP    lola:0             LOLA:0                      LISTENING
      TCP    lola:1113          LOLA:0                      LISTENING
      TCP    lola:4444          LOLA:0                      LISTENING
      TCP    lola:1028          LOLA:0                      LISTENING
      TCP    lola:1112          LOLA:0                      LISTENING
      TCP    lola:1112          www.oem-builder.biz:1113    ESTABLISHED
      TCP    lola:1113          www.oem-builder.biz:1112    ESTABLISHED
      TCP    lola:4444          www.oem-builder.biz:1356    TIME_WAIT
      TCP    lola:4444          www.oem-builder.biz:1358    TIME_WAIT
      TCP    lola:4444          www.oem-builder.biz:1360    TIME_WAIT
      TCP    lola:4444          www.oem-builder.biz:1362    TIME_WAIT
      TCP    lola:4444          www.oem-builder.biz:1365    TIME_WAIT
      TCP    lola:1260          LOLA:0                      LISTENING
      TCP    lola:137           LOLA:0                      LISTENING
      TCP    lola:138           LOLA:0                      LISTENING
      TCP    lola:nbsession     LOLA:0                      LISTENING
      UDP    lola:1260          *:*
      UDP    lola:nbname        *:*
      UDP    lola:nbdatagram    *:*

(Lola is the computer I'm using.) I've updated Norton, I've scanned the machine with MyDoom and Novarg removal tools - that's not it. I've updated Spybot S&D and scanned - other than the usual complaints about cookies, the only thing it found was a registry key which tries to run IIS. Um, well, it might try to, but there's an executable required. And right where that executable needs to be is a file - which has the same name as that executable - and is about four bytes long - and is read-only. Does that make it fool-proof? Hell no. Nature keeps improving on the fool - I know, I are one. I've used the HOSTS file to block access to www.oem-builder.biz - with no luck. Let's see. Switch to "Pournelle Mode" (TM Dr. Pournelle) - real-time (sorta) notes start here. Remove the block on the OEM-Builder thing in hosts and reboot - no point in making it tougher for me than for them. All right - rebooted. Now, let's see. Ping OEM-Builder.biz. WTF?
HOSTS:

    # 127.0.0.1 www.OEM-Builder.biz
    # 127.0.0.1 www.OEM-expert.biz

And yet when I ping them, I hit the localhost port. Huh? Lessee. Mr. Beland had some suggestions. Telnetting to their ports - no joy. Try telnetting to my own - likewise, no joy. Browser connection to their ports? Nope. To mine? Neither. Browser connection to my local host port alone? Nothing. Connection refused on all of them. Okay, I feel a bit better about this. Let's reboot again. We're back. This makes no sense. Now I've got an Intermute connection running (lovely, more crappy spyware), but the oem-builder.biz connection is gone. Wait, it's back. Nope, gone. WTF? All right - four ports open to oem-builder. This is ridiculous. I'm going to post this, turn off the modem, and get some sleep. Anyone have any ideas, e-mail me...
Update At 1300
But the infection continues. I can shut off the cable modem and stop their jerky works, download the occasional lot of e-mail, and hope against hope that something will suddenly scream for my help - but that's a bit too optimistic. I expect that I'll end up going off-line until I can get a decent firewall put together (Special to Matt - no, the box I was going to use for our little project won't boot from CD. Next?), and so that bites big-time. I guess what sickens and disgusts me the most is the fact that I will not be able to extract a pound of flesh from the little creep halfway around the world who has commandeered my computer. It eases my mind a little to think of this rude little man who has spent many hours downloading and tweaking hacker toolkits from the internet, learning a bit of English along the way, and now he can fire electrons across the globe and into my machine at will, making me and my computer a part of his twisted little plot. Wonderful. I'd like to kick him in the crotch, knock his tobacco-stained half-rotted teeth down his throat, or really, REALLY introduce him to an angry American - but that's never going to happen. He'll get away with it. And he'll do it because of three things - first is that he's international, and governments have a wonderful way of tangling right and wrong up in international treaties. The second is that it's a small crime. It's just one PC. One box - one tool. Because it happens to be the way I relate the most to the world around me, through news, through education, through research, through hundreds of other ways - it's my way to get out to the rest of the world. And now it's crippled, likely beyond repair. The third thing? Well, he'll get away with it because I can't see any way to tap into his feed and send him a boatload of shit that would make him roll over and die. If I could, I'd send him every single nasty virus or trojan or backdoor kit - but I can't do that.
As this is liable to be my last post for a while, here are a couple of tips I'm borrowing from a security report I was writing when this started - how ironic. E-mail is the single most dangerous application running on most computers today, primarily because, with the growth in the "social engineering skills" many hackers have learned, it's no longer just pictures of Anna Kournikova or dirty jokes which are dangerous - it's even messages you expect to be safe. If you get unexpected messages from known-good sources, do not assume they are good. If you're using broadband, shut off the modem - disconnect it if you can't reach the power supply. Only then should you open your suspicious e-mails. If they don't appear to be legitimate, check the headers. This can be done quickly and easily in most mail clients. If you do catch an infection, don't panic - but DO shut off the infected machine. One machine is easier to rebuild than an entire network. If you are a large or growing organization, consider installing firewalls within your network as well. The internal firewalls should be between your clients and your servers (though firewalls could also be used between departments or workgroups), and can be more permissive. But be certain to have a trained professional review the logs regularly. Some trojans and infections announce themselves loudly and obviously. The "Melissa" virus, for example, was very fast-acting. It could bring down moderate to large networks (over a thousand nodes) in less than a minute. Some infections or trojans are far, far more subtle. One or two additional message streams of a low-bandwidth variety could send all your corporate information out to a third-party interloper before you realize it - so careful review of message and system logs is CRITICAL. Once you have been compromised, be prepared - you are now "low-hanging fruit". If you had a previous firewall, purchase a second - and place it in line behind the first.
Disable all remote maintenance of your firewalls, if at all possible. Yes, it's a hassle to walk over to another computer connected directly to the firewall for maintenance. It's a bigger hassle - and expense - to rebuild all of your computers or start a new business. Tighten your security, change (if possible) your procedures to ensure that you do not experience additional penetrations - and expect that you will be the target of a growing group for many months to come. Clients that are penetrated once and fail to do a complete "hardening" of their environment will come under attack again, and most likely will succumb - because the attacker knows your methods, your procedures, and how lax you are on security. One firm was compromised just weeks after installing a new firewall - that wasn't configured properly. The server was rebuilt, the firewall reconfigured - and the firm was compromised again. The server was rebuilt. The firewall reconfigured - this time, by a consultant's "firewall expert". The firewall expert failed to reset the device to force it to reload from the basic program the firewall contained onboard - and thus missed a buried program that waited to compromise the firewall again when it was reconfigured. The fourth time, the client experienced several thousand dollars in massive bandwidth overcharges - because their server had become quite well-known as a storage place for various pieces of illegal or pirated software. After this compromise, they purchased a new firewall - and failed to reset the administrative password out of the box. Finally, after six separate incidents, the firm brought in a consultant who managed the security hardening process - and in the end, the firm managed to stay in business - barely. Don't let it happen to you. It's been fun and I will miss this - Be well.
Update At 0800 (but not really)
How do I know NETSTAT.EXE is clean? Well, about a year back I copied off to CD a set of files for "just in case" events. NETSTAT.EXE being one of them. At the time (he says, ruefully), I figured I'd save the tools - not drivers and the like. And of course, my system backups exclude the exe, com, dll, vxd, and other bits and bobs which might be now infested with this pesthole. Anyway, the Netstat.exe program on CD checks against the netstat.exe on my hard drive - they're the same byte size, and more importantly, I've got an old program called CRC (Cyclic Redundancy Check) which I've used for about ten years now to compare one copy of a file to another - while the byte size could be faked, the CRC check cannot. NETSTAT.EXE is clean - and (you did know you could do NETSTAT -A 5 and have it loop, right, and repeat every five seconds - or set the interval to what you want) for the last hour the loop has been completely clean. No Intermute NOR OEM-Builder. And yes, I'm running e-mail. But not Firebird - yet. And there we go. Mozilla Firebird comes up, and OEM-Builder appears. Fuckers. Is this the fault of Mozilla? Hardly. I'd guess given the level I'm seeing, it's coming in at a much lower point in the system - probably network drivers or something. All right, let's have some fun. Yup. I unload the browser, the trojan connections go away. Port 4444 says open, though. I load a different browser (Netscape 7.1), and it comes back. So it's using something underneath the standard TCP/IP connection. I swear this all sounds familiar - but I'm missing something obvious. I've got to be. Right? All right. More later...
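The CD-versus-hard-drive check above, written out as an added example (this is not the page's CRC program, and the tool names and file contents are constructed stand-ins): build a manifest from known-good media, keep it off the machine, and verify the live copies against it. CRC32 is an error check that an attacker can match deliberately, so the manifest records a SHA-256 alongside the size and CRC.

```python
"""Baseline a set of tool binaries from known-good media and verify live copies."""
import hashlib
import json
import os
import tempfile
import zlib
from typing import Dict, Iterable


def digest_stream(chunks: Iterable[bytes]) -> Dict[str, object]:
    """Size, CRC32 and SHA-256 over a sequence of byte chunks."""
    crc = 0
    sha = hashlib.sha256()
    size = 0
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)
        sha.update(chunk)
        size += len(chunk)
    return {"size": size, "crc32": f"{crc & 0xFFFFFFFF:08x}", "sha256": sha.hexdigest()}


def file_digests(path: str) -> Dict[str, object]:
    """Digest a file without reading it all into memory."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(65536), b""))


def build_manifest(known_good_dir: str, names: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Manifest from the known-good copies (the CD, in the page's case)."""
    return {name: file_digests(os.path.join(known_good_dir, name)) for name in names}


def verify(manifest: Dict[str, Dict[str, object]], live_dir: str) -> Dict[str, str]:
    """Compare each live copy to the manifest; report ok / modified / missing."""
    result = {}
    for name, expected in manifest.items():
        path = os.path.join(live_dir, name)
        if not os.path.exists(path):
            result[name] = "missing"
            continue
        actual = file_digests(path)
        if actual == expected:
            result[name] = "ok"
        elif actual["size"] == expected["size"] and actual["crc32"] == expected["crc32"]:
            # Same size and CRC but different content: a size+CRC check alone would pass this.
            result[name] = "sha256 mismatch"
        else:
            result[name] = "modified"
    return result


def demo() -> Dict[str, str]:
    """Constructed stand-in for the comparison: a 'CD' directory and a 'live' directory."""
    tools = {
        "NETSTAT.EXE": b"MZ stand-in for a known-good netstat binary",
        "CRC.EXE": b"MZ stand-in for the CRC compare tool",
        "TCPVIEW.EXE": b"MZ stand-in for TCPView",
    }
    with tempfile.TemporaryDirectory() as cd, tempfile.TemporaryDirectory() as live:
        for name, data in tools.items():
            with open(os.path.join(cd, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(cd, tools)
        # Round-trip through JSON: the manifest is meant to live as a file off the machine.
        manifest = json.loads(json.dumps(manifest))
        # Live copies: NETSTAT.EXE untouched, CRC.EXE patched to the same length, TCPVIEW.EXE gone.
        with open(os.path.join(live, "NETSTAT.EXE"), "wb") as f:
            f.write(tools["NETSTAT.EXE"])
        with open(os.path.join(live, "CRC.EXE"), "wb") as f:
            f.write(b"MZ stand-in for the CRC compare tooL")
        return verify(manifest, live)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```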
All right. Through the gracious assistance of Rick Hellewell (who really needs to remember to change his current page - Rick - I've got a batch file. Yes, I know. :-> Step 1, it creates a new batch file to upload the specific week's pages. Step 2, it tips me into edit to edit my current page. Step 3, it uploads the new stuff. I type "makelog 2004 02 02" and it will do all of that - let me know if you'd like a copy, and yes, you can hard-code your password if you want), I've got a clue. Effing Blaster. Of course. That's why the symptoms sounded familiar. However, the McAfee removal tools don't find it - nor does the removal tool from Symantec. Perhaps not Blaster, then, but a variation on it? It opens port 4444, all right - so I need to find out what does that. I have been able to nail it down to the fact that this thing operates ONLY when I've got a browser active. On bootup, I can do anything else - and no connection to OEM-Builder.biz exists. Once I fire up a browser, there it is. So it looks like I'm going to be looking at the underlying pieces that make a browser work. Interesting. I see that certain applications written in Java may be able to manipulate the OS's TCP/IP connection. Granted, this reference is from an open-source mailing list, but still. Very interesting. If I kill off the PSPCCARD process in the "Close Program" window (Win98 lacking anything as robust as the Task Manager), the connections to Oem-builder.biz close. Port 4444 is still open, but the rest are closed. What freaking fun. Guess it's time to Google port 4444 trojans. Well, according to this list it could be CrackDown, Oracle, Prosiak, Swift Remote. None of those check out - so it's possible that the executables ARE here but under a different name. None of the mentioned registry keys are in my registry (or modified to be something else), so there's that.
But the simovits site might not be a particularly reliable one, as there's all of this 1999 stuff in it - gee, five year old trojan lists? I'm thinking there's something more recent. We'll google port 4444 some more here.
I am essentially off-line, however. Why? I can't, in good conscience, walk away with my computer running and let it do various things that this Chinese-based server makes it do. I'm an advocate for personal responsibility. And if I'm not responsible for the actions of my computer (even though some asshole did it to me), how can I blame others? How can I tell you to clean up your backyard when mine's got an open cesspit in it? So that plays a part in it. The other part is a fair bit of paranoia - what ELSE can they do once they open the door? A lot, I'm sure. I've no doubt that if I leave my cable modem on for hours at a time, what little hard-drive space I have left will be eaten alive, and all sorts of other exploits will be foisted upon me. And that's a small part of the bigger issue. And no, I don't blame the entire nation of China for this - the odds are pretty good that someone over there does know something (even with my hosts block removed, the ping to oem-builder.biz on my machine still resolves to 127.0.0.1 - localhost. Nice work, that). The problem I do have is that there's a substantial chance (almost a certainty) that they'll get away with this. But not on my machine, not if I can help it. In the meantime, sorry, I can't respond to e-mail. Norton says it's scanning - what good that does, I don't know. I don't want to mail you folks anything with an attachment that might infect you, so I'll be holding my tongue on that part until I get this cleaned up (or replaced).
Until a month later, I got another Amazon.com shipping notice. Hmmm. I was more careful with this one - used the old "properties, details, message source" trick in Outlook Express to view the message text. When I saw that it, too, was from an OEM-type domain (this one was OEM-Expert.biz), I got a bit more worked up, sent e-mail out to Amazon (telling them to get their people on it) and OEM-Expert (which bounced), and got back to work. And then, yesterday morning, checked the ports. What irritates me beyond belief is the fact that I did not open what appeared to be dangerous e-mail. I did what any other person would do - "What? I didn't order that! Oh, some a-hole spamming. How lovely." But in those few seconds, I got hit.
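The "check the headers" advice from the security tips, applied to a message like the shipping notice just described, as an added example that is not from the original post. The raw message source below is constructed to resemble that notice (the mail hosts and the 192.0.2.10 address are documentation placeholders); the script pulls out the From: domain, the Return-Path and the Received chain and reports where they disagree.

```python
"""Pull the origin clues out of raw e-mail source and flag a From: domain that
does not match where the message actually came from."""
import email
import re
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample message source, shaped like the fake Amazon shipping notice.
RAW_MESSAGE = """\
Return-Path: <bounce@oem-expert.biz>
Received: from mail.oem-expert.biz (unknown [192.0.2.10])
    by mx.example.net with SMTP; Mon, 02 Feb 2004 08:14:02 -0600
Received: from localhost by mail.oem-expert.biz;
    Mon, 02 Feb 2004 08:13:50 -0600
From: "Amazon.com Shipping" <ship-confirm@amazon.com>
To: reader@example.net
Subject: Your Amazon.com order has shipped
Content-Type: text/html

<html><body>Your order has shipped.</body></html>
"""

# The first token after "from" in a Received: header is the host the previous hop claimed to be.
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Domain part of 'Name <user@host>' (lower-cased); '' when there is no address."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def origin_summary(raw: str) -> Dict[str, object]:
    """Return-Path domain, From: domain and the Received chain (first entry = last hop)."""
    msg = email.message_from_string(raw)
    hops: List[str] = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.match(header)
        hops.append(m.group(1).lower() if m else "?")
    return {
        "from_domain": domain_of(msg.get("From", "")),
        "return_path_domain": domain_of(msg.get("Return-Path", "")),
        "received_hosts": hops,
    }


def in_domain(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def findings(raw: str) -> List[str]:
    """Human-readable mismatches between the claimed sender and the delivery path."""
    info = origin_summary(raw)
    from_domain = str(info["from_domain"])
    return_path = str(info["return_path_domain"])
    hosts = list(info["received_hosts"])
    out = []
    if return_path and not in_domain(return_path, from_domain):
        out.append(f"From: claims {from_domain} but bounces go to {return_path}")
    if hosts and not in_domain(hosts[0], from_domain):
        out.append(f"last hop {hosts[0]} is not a {from_domain} host")
    return out


if __name__ == "__main__":
    for line in findings(RAW_MESSAGE):
        print(line)
```

A mismatch is a lead, not proof: bulk senders and mailing lists legitimately bounce to another domain, and only the Received line added by your own mail server can be trusted, since earlier hops can be forged.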
Kerio Personal Firewall? Well, it gets seven stars (out of ten) - we'll try that. It says it does port blocking - could be just what I need. Okay, it needs a reboot. Fine. Reboot's over, I'm back up. Boy, this thing is paranoid. It wants to know about everything in your startup routine. I like that. Problem is I'm betting that my start-up routine is hiding the compromised application. Well, let's try configuring it. Hmmm. No mention of a port list. Can I block UDP? Specific TCP Ports? Lovely. No mention. Effing great. It just blue-screened on me. Off with the cable modem then, until I can reinstall ZoneAlarm. All right, let's fall back a bit. DCOM is the underlying vulnerability, if I recall correctly, of the Blaster worm and its variants. I'm guessing these jerks aren't smart enough to write an entirely new worm. Lovely. Microsoft's not going to tell me what files DCOM uses. As I don't need nor want DCOM on this machine, I'd gladly remove the DCOM-specific crap. Plan K, I guess. Out to the "trash heap" in the garage. All rightie. Pentium 166MX with two network cards, and Coyote Linux Firewall. We shall see what we shall see. It's 1335 here (1:35 pm), but I'm going to keep slugging away at it. I'll keep you posted, I guess...
My daughter's Girl Scout troop now has nine girls in it. They'd been losing one a year for the past few years, and this year picked up two girls - one new girl, and one who transferred from another troop. Rhiannon was the top seller in her troop (tied, anyway) in her first year, came in second two years ago, and third last year. Part of the downward spiral in that regard was due to her father not having a workplace to lay out the sheet, and part was due to just general economics - and the first year she was in a daycare where they let her set the sheet out on the front desk and pick up about 70 orders just like that. This year, Rhiannon sold 130 boxes. Certainly respectable, and an improvement over last year. However, she came in about sixth in her group. The two new girls topped the list - one with 305 boxes, the other with 255. On the whole, the troop sold about 1500 boxes. So far, so good, right? Wrong. At $3.50 a box, the troop made a whopping $72 this year. Roughly a nickel a box. The rest of the money goes to the Girl Scout council. Ouch.
Suggestions, guesses, or hunches to the usual address.
I'm beating my head on the wall right now because I've just downloaded and installed the Sygate Personal Firewall on the recommendation of Mr. Richard Sherburne (whose e-mail address I won't publish here, thereby increasing the poor man's spam accumulation). This is what I needed a month or more ago. Blocking by ports, by protocol, even by time - slick. Too bad the little $%!#$%^$%~@#ers in China got here first. They've managed to bypass the firewalls I've installed (four today), and they're still getting out. Obviously, there's some infested thing in my startup routine that shields itself from the Norton AntiVirus, the firewall, and all the rest. It's a slick little piece of work. That I do have to hand them. Too bad it couldn't come with their heads. Wait a minute. When I boot, I load a couple of things. One of them is Ad-Subtract - I've been running it for about two years now. I checked for updates on it the other day, and no, there weren't any. But it's from Intermute - which explains the connection to Intermute.com. But here in the Registry is a key that says port 4444... What? I'm going to go through the registry here and reboot, and see what happens. If I don't come back for a few weeks, you'll know why... Here goes nuffin... Wait a minute. Before I go - I shut off AdSubtract and all of that. And port 4444 is closed.
    C:\WINDOWS>netstat -a

    Active Connections

      Proto  Local Address      Foreign Address    State
      TCP    lola:1031          LOLA:0             LISTENING
      TCP    lola:1033          LOLA:0             LISTENING
      TCP    lola:1037          LOLA:0             LISTENING
      TCP    lola:137           LOLA:0             LISTENING
      TCP    lola:138           LOLA:0             LISTENING
      TCP    lola:nbsession     LOLA:0             LISTENING
      UDP    lola:1031          *:*
      UDP    lola:1033          *:*
      UDP    lola:nbname        *:*
      UDP    lola:nbdatagram    *:*

No jumping up and down yet... Reboot and see what happens, grasshopper...
    Active Connections

      Proto  Local Address      Foreign Address         State
      TCP    lola:1027          LOLA:0                  LISTENING
      TCP    lola:1043          LOLA:0                  LISTENING
      TCP    lola:1045          LOLA:0                  LISTENING
      TCP    lola:1034          LOLA:0                  LISTENING
      TCP    lola:1046          LOLA:0                  LISTENING
      TCP    lola:1043          64.94.110.12:80         CLOSE_WAIT
      TCP    lola:1045          crl.verisign.com:80     CLOSE_WAIT
      TCP    lola:137           LOLA:0                  LISTENING
      TCP    lola:138           LOLA:0                  LISTENING
      TCP    lola:nbsession     LOLA:0                  LISTENING
      UDP    lola:1027          *:*
      UDP    lola:1034          *:*
      UDP    lola:nbname        *:*
      UDP    lola:nbdatagram    *:*

I'm no longer sure it's a DCOM problem. Reader Rick Helscher wrote to tell me about the DCOMBobulator that Steve! Gibson! has on his web site - yes, I like Mr. Gibson, but I'm thinking a wee bit less in the caffeine department for the man, OK? Anyway, DCOMBob says I'm clean - the ports are "Stealth" (which might not mean anything if they're being used by a particularly smart trojan, it might know not to reply). The DCOM stuff is all patched, shut down, and safe - so who knows. Don Armstrong wrote with a long list of suggestions - and yes, Spybot S&D is my main anti-spyware tool - I added AdAware on the theory that a software firewall and Antivirus software didn't block this thing from getting in, I might as well try two or more trojan/adware scanners. Oh, Ouch. There's an article with my name in it - not on it, in it (or if not in it, it certainly could be - which is not - repeat NOT - a good thing). Ah. But if I fire up Mozilla, there's those pesky OEM-Builder.biz folks again.
    Active Connections

      Proto  Local Address      Foreign Address             State
      TCP    lola:1027          LOLA:0                      LISTENING
      TCP    lola:1043          LOLA:0                      LISTENING
      TCP    lola:1045          LOLA:0                      LISTENING
      TCP    lola:1835          LOLA:0                      LISTENING
      TCP    lola:1034          LOLA:0                      LISTENING
      TCP    lola:1046          LOLA:0                      LISTENING
      TCP    lola:1832          LOLA:0                      LISTENING
      TCP    lola:1832          www.oem-builder.biz:1835    ESTABLISHED
      TCP    lola:1835          www.oem-builder.biz:1832    ESTABLISHED
      TCP    lola:1043          64.94.110.12:80             CLOSE_WAIT
      TCP    lola:1045          crl.verisign.com:80         CLOSE_WAIT
      TCP    lola:137           LOLA:0                      LISTENING
      TCP    lola:138           LOLA:0                      LISTENING
      TCP    lola:nbsession     LOLA:0                      LISTENING
      UDP    lola:1027          *:*
      UDP    lola:1034          *:*
      UDP    lola:nbname        *:*
      UDP    lola:nbdatagram    *:*

I give. I'm going to bed.
Update At 0810
And that's how she'll always be remembered. Sadly. I cannot for the life of me understand the sort of animal that would do something like that to a little girl. I don't WANT to understand that kind of thinking. Perhaps I'm just paranoid. But when the news of Jacob Wetterling's abduction broke, and he became national news for a time, to many of you, it was a "where's that". To me, it was far, far too close to home. I'd driven those streets as a college kid - marched them in the marching band in High School. Watched the same parades as a little kid. Every day, my father went through St. Joe to go to his work. Jerry Wetterling's head was on a billboard, some eight or ten feet high, which we'd go past every morning when I lived at home and went to College. Wetterling Chiropractic was a common name. And when something like that happens near you, at that age (I was just 26 when Jacob was snatched), you don't forget it. It burns its way so deeply into you that you never, ever, ever let your children out of your sight unless they're with someone you trust who has the same fears you do. One of Rhiannon's best friends lives about a block away. It'll be a long time before I'll let her ride down there on her bike without watching her every inch of the way.
If anyone has any advice, I'm more than open to listening...
And for the record, below are screen shots of the Sygate firewall applications list. I'm blocking a couple of applications because I just don't think they should be running - any other input, you know where to send it.
And yes, this is here for testing/checking purposes. Next, we shut off the modem and filter the report... For the record, I created a simple batch file.
    @ECHO OFF
    REM If a DEBUG variable is set, echo it (handy while testing the loop)
    IF NOT %DEBUG%!==! ECHO %DEBUG%
    :HEAD
    ECHO RUNNING NETSTAT...
    REM ENTER.KEY supplies the Enter keystroke TIME would otherwise wait for;
    REM FIND keeps only the "Current time is" line as a time stamp in the log
    TIME < ENTER.KEY | FIND "urrent" >> NETSTAT.LOG
    NETSTAT -A >> NETSTAT.LOG
    REM Show the whole (growing) log on screen, then loop until Ctrl-C
    TYPE NETSTAT.LOG
    GOTO :HEAD
    :DOOR

Simple, really. Now to plunge through Netstat.log...
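One way to plunge through the log that batch file writes, as an added example (not the page's own code): each NETSTAT -A snapshot is tagged with the time stamp line that precedes it, and the functions answer the questions this page keeps asking, which outside hosts show up and how often, when one was first seen, and which listening ports are not in the known-good baseline. The log below is constructed in that format; the machine name lola and port 4444 are taken from the page.

```python
"""Parse the NETSTAT.LOG written by a looping NETSTAT -A batch file and
summarise which foreign hosts the machine talked to, and when."""
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed sample in the shape the batch file writes: a "Current time is"
# line from TIME | FIND "urrent", then the NETSTAT -A table, repeated.
SAMPLE_LOG = """\
Current time is 13:35:02.12
Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    lola:1112              www.oem-builder.biz:1113   ESTABLISHED
  TCP    lola:1113              www.oem-builder.biz:1112   ESTABLISHED
  TCP    lola:4444              LOLA:0                     LISTENING
  TCP    lola:1045              crl.verisign.com:80        CLOSE_WAIT
  UDP    lola:nbname            *:*
Current time is 13:35:07.40
Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    lola:4444              LOLA:0                     LISTENING
  TCP    lola:4444              www.oem-builder.biz:1356   TIME_WAIT
  UDP    lola:nbname            *:*
"""

TIME_RE = re.compile(r"^Current time is\s+(\S+)")
# proto, local addr, foreign addr, optional state (UDP rows have no state column)
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Names netstat uses for this machine itself; "*" is the UDP wildcard.
LOCAL_NAMES = {"lola", "localhost", "127.0.0.1", "*"}


class Conn(NamedTuple):
    time: str
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str


def split_addr(addr: str) -> Tuple[str, str]:
    """'www.oem-builder.biz:1113' -> ('www.oem-builder.biz', '1113')."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat_log(text: str) -> List[Conn]:
    """Tag every connection row with the most recent 'Current time is' stamp."""
    conns: List[Conn] = []
    stamp = "?"
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            stamp = m.group(1)
            continue
        m = CONN_RE.match(line)
        if not m:
            continue  # column headers, blank lines, "Active Connections"
        proto, local, remote, state = m.groups()
        lh, lp = split_addr(local)
        rh, rp = split_addr(remote)
        conns.append(Conn(stamp, proto, lh, lp, rh, rp, state or ""))
    return conns


def is_foreign(c: Conn) -> bool:
    return c.remote_host.lower() not in LOCAL_NAMES


def remote_host_counts(conns: List[Conn]) -> Counter:
    """How many rows, across all snapshots, involve each outside host."""
    return Counter(c.remote_host for c in conns if is_foreign(c))


def unexpected_listeners(conns: List[Conn], baseline: Set[str]) -> Set[Tuple[str, str]]:
    """Listening (proto, port) pairs that are not in the known-good baseline."""
    return {(c.proto, c.local_port) for c in conns
            if c.state == "LISTENING" and c.local_port not in baseline}


def first_seen(conns: List[Conn], host: str) -> Optional[str]:
    """Time stamp of the first snapshot in which the host appears, or None."""
    for c in conns:
        if c.remote_host.lower() == host.lower():
            return c.time
    return None


if __name__ == "__main__":
    rows = parse_netstat_log(SAMPLE_LOG)
    print(remote_host_counts(rows))
    print(unexpected_listeners(rows, {"137", "138", "nbsession"}))
    print(first_seen(rows, "www.oem-builder.biz"))
```

Run it as `python netstat_log.py` with SAMPLE_LOG replaced by the contents of NETSTAT.LOG; the baseline set should hold the ports a clean boot of the same machine listens on.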
On the home - or old-home - front, I just got a call from my mother. Long-Story-Short - she underwent Chemo about a year ago for a tumor in her thigh - the chemo and radiation killed it off, and left her with a bone strength of about 20% in that area. With care, the doctors felt it would grow back solid as before. She's been having some trouble with her leg, so she went to the doctor this morning. She'd just gotten home and taken off her coat when they called to tell her "get back her, yer leg's busted." Yeah, like that. And words to that effect. Now, to really put the cherry on top of the whipped cream on the Sundae, tomorrow was supposed to be (though I wasn't told) Dad's homecoming from the nursing home - he'd managed to recover to the point where he was at least as mobile as before the broken hip - took over three months, but still. So once we find out what the deal is with Mom's leg, then we figure out what to do about dad. Puts the rest of this in a rather better perspective, I think. And as to "the rest of this" I did discover something. This morning I fired up e-mail and a browser and started the above batch file to create a log. After a half-hour I shut off the modem, stopped the batch file, and with some massaging, I imported the information into an Excel Spreadsheet. I modified each line to include the time the report was from, the information on each line, and then where I was unsure as to what sort of destination I had, I also checked a neat little page on DNS Stuff's web site to look up by IP. And learned more. So, what have I learned?
I think that does most of it. The only thing left is this unholy mess. I'm still working through it, but I might as well see if anyone else has a thought... As usual, guesses, hunches, and abuse to the usual spot.
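The "massaging" step described above (stamping every netstat line with the time of its snapshot before it goes into a spreadsheet), written out as an added example; this is not code from the page's author. It reads the NETSTAT.LOG format that the batch file produces (a TIME line kept by FIND, then NETSTAT -A output, repeated), and also pulls out the two lists worth acting on: connections whose far end is the machine itself, and the distinct remote endpoints to take to an IP lookup. The log text, host names and addresses below are constructed for the example.

```python
"""Turn a NETSTAT.LOG written by a looping 'TIME | FIND "urrent"' plus
'NETSTAT -A' batch file into timestamped connection records, ready for a
spreadsheet, plus the two lists worth acting on: connections that terminate
on the machine itself, and distinct remote endpoints to look up."""
import csv
import io
import re
from collections import Counter

# Constructed sample log (not captured from any real machine): two
# snapshots, each headed by the TIME line that the batch file's FIND keeps.
SAMPLE_LOG = """\
Current time is  8:45:12.34

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    myhost:1031            localhost:1035         ESTABLISHED
  TCP    myhost:1035            localhost:1031         ESTABLISHED
  TCP    myhost:1040            203.0.113.7:80         ESTABLISHED
  UDP    myhost:137             *:*
Current time is  8:45:14.01

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    myhost:1031            localhost:1035         ESTABLISHED
  TCP    myhost:1040            203.0.113.7:80         TIME_WAIT
  TCP    myhost:1042            198.51.100.9:110       ESTABLISHED
"""

# Matches both the DOS form "Current time is  8:45:12.34" and the
# Windows 2000/XP form "The current time is:  8:45:12.34".
TIME_RE = re.compile(r"urrent time is:?\s+(\d{1,2}:\d{2}:\d{2})")
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
LOOPBACK = {"localhost", "127.0.0.1"}


def split_endpoint(endpoint):
    """'host:port' -> (host, port); netstat's '*:*' wildcard splits the same way."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat_log(text):
    """Return one dict per connection line, stamped with its snapshot's time."""
    rows, stamp = [], None
    for line in text.splitlines():
        m = TIME_RE.search(line)
        if m:
            stamp = m.group(1)          # a new snapshot begins here
            continue
        m = CONN_RE.match(line)
        if not m or stamp is None:      # headers, blanks, or data before any TIME line
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(foreign)
        rows.append({"time": stamp, "proto": proto,
                     "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": state or ""})
    return rows


def loopback_connections(rows):
    """Connections whose far end is this machine. A client that meant to reach
    an Internet host but landed here is the symptom a HOSTS entry pointing
    that name at 127.0.0.1 produces."""
    return [r for r in rows if r["remote_host"] in LOOPBACK]


def remote_endpoints(rows):
    """Distinct off-box (host, port) pairs and how often each was seen:
    the list to take to a whois / reverse-IP lookup."""
    return Counter((r["remote_host"], r["remote_port"])
                   for r in rows
                   if r["remote_host"] not in LOOPBACK and r["remote_host"] != "*")


def to_csv(rows):
    """Render the records as CSV text for a spreadsheet import."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    records = parse_netstat_log(SAMPLE_LOG)
    print(to_csv(records))
    for r in loopback_connections(records):
        print("loopback:", r["time"], r["local_host"], r["local_port"], "->", r["remote_port"])
    for (host, port), n in remote_endpoints(records).most_common():
        print(f"remote: {host}:{port} seen {n} time(s)")
```

Because the snapshot time is carried onto every row, a pivot on `remote_host` by `time` in the spreadsheet shows when each endpoint appears and whether it recurs on a schedule, which is what separates background chatter from something that phones home.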
[Link] Today stinks - on ice - and at forty below. Trust me on this one. As I write this (8:45 pm), mom's about 15 minutes away from going under the knife - again - for tumors in her leg. Sounds like they'll be setting it and digging around for any more potentially cancerous bits. What fun. Two of my sisters and one of my brothers-in-law are on their way up there now - or actually probably there, so I've left instructions to have them call if/when they know something. On the one hand, I suppose the immediate surgery is good. It means they've found something which they need to fix (bad), but they're of the opinion that once it's fixed, life will improve. Rather than "oh, well, nothing we can do." The person I really feel for is my father. Here he was all geared up to come home - and now he's back in limbo. That's got to hurt. Add to that the part about Dad not being at his best when he's waiting, and, well, there you have it. On the virus front, I've made little progress since this afternoon. Once Mom called, the day kinda spiraled downhill rapidly. Tough to concentrate on anything when you're sitting here worrying. This, too, shall pass. Did I mention it's snowing - again? Probably not.
[Link] First, Mr. Peter Thomas reminded me about the Sysinternals site - where I downloaded my new pocket nuke, TCPView. Excellent tool. The web site tells you all about how useful the tool is for viewing various TCP/IP connections. What they neglect to tell you is that TCPView, when used in conjunction with a background batch file running Netstat constantly, updates multiple times per second - and you can kill individual connections. Yes, my friends, that's right - you can stomp them flatter than cockroaches. While not a permanent solution, it is fairly effective in allowing me to swat the damned connections from oem-builder.biz. So, grasshopper, we're getting closer to your funky little mess. The a-hole who put together this little trojan were pretty sneaky - but they aren't perfect. They've got some sort of blocker running so that I cannot determine the true IP address of OEM-Builder.biz. I know not why - I do know that when I look through the Whois server for the BIZ TLD, I get no hits for the OEM-BUILDER.BIZ site - it says it doesn't exist. When I try to ping oem-builder.biz, on my machine it returns a connection to 127.0.0.1 - and yes, I've remarked out the line in the hosts file. So, I watch the TCPView utility - any time any port attempts to connect to localhost, I kill the connection. Typically, I get anything up to an hour before it tries to contact me again. And I connect to his port 1031. Interesting, if stupid, information, I suppose. It's a whole lot more fun to do this than just sit there and growl, I guess. On the other front, Mom is through surgery, resting comfortably. She's got another hardware store in her thigh, she can't do any more MRI's, and we're not quite sure what to do about Dad's homecoming tomorrow - but Mom's doing well, which is the important part. So things are improving. I'm still not going to leave the cable modem on day and night, though...
Update At 0730 I mentioned earlier this week of my frustration in dealing with this infestation. TCPView's ability to slap down connection attempts is the perfect solution to all of this - I can imagine some poor fellow sitting behind a computer swearing each time I smack down his remote connection. I know that it's likely not something anyone's actively doing - given the number and range of IPs I've seen attempting to connect, there's no one fellow controlling this in real-time, it's just an automated thing. It is the joy of having the tool to be able to do SOMETHING to these fine folks which gives me great, great pleasure. Indeed. I can hope, however, that I've introduced into their lives and "work routine" enough noise to make them wonder. If I could only send them a wee little gift that would blow up in their faces - nothing to wipe their hard drives, just a little worm of my own that would send to each connected box a notice saying "your computer has been infected by a trojan!" Let's see if I can keep a list going of the bastards who tried to get into this computer this week... This should be most fun. Lessee. There's an IP that ends up somewhere in the "Broadwing.net" range of IPs - Broadwing has one of those poorly-designed sites which requires your acceptance of cookies before they'll tell you anything - what a pile of crap. Then there's the fine folks running the computers at IXC-Investors.com. Clearly, they've got something that's horribly compromised - how can I tell? Well, this little trojan obviously installed one of its own "HOSTS" files, and there are a number of sites (OEM-BUILDER.BIZ for one) which I cannot ping, connect to, Tracert to, or pull up a browser window. Actually, I can ping, the problem is I get to the localhost port on my own machine. So much for being brilliant.
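The planted HOSTS file mentioned in the last two entries (a name that pings to 127.0.0.1 and a site that can't be reached) is something a script can check for directly. Below is an added example, not the page's own code or tool: it parses a HOSTS file, flags names pinned to the loopback address and names pinned anywhere else, and diffs the file against the stock one-line Windows file. The sample file contents and the reserved example host names are constructed for the example; the hosts path under %SystemRoot% is the real Windows location.

```python
"""Audit a Windows HOSTS file for entries a trojan plants: names pinned to
the loopback address (so the victim can neither reach nor investigate a
site) and names pinned to some other address (so traffic to a real site is
silently redirected). Also diff the file against a known-good baseline."""
import ipaddress
import os
from pathlib import Path

# Names that legitimately resolve to the loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# A stock Windows HOSTS file carries only the localhost line.
STOCK_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample (not the page's actual file): the stock line, one
# remarked-out line, and three planted lines using reserved example names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
# 127.0.0.1     remarked-out.example      # commented entries are ignored
127.0.0.1       update.example-antivirus.test
127.0.0.1       www.example-security.test   www.example-security2.test
203.0.113.7     www.example-bank.test
"""


def parse_hosts(text):
    """Return (ip_address, name) pairs, dropping comments, blanks and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing or whole-line comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                           # first field is not an address
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def audit_hosts(text):
    """Classify every entry as 'sinkholed' (a non-local name pinned to loopback)
    or 'redirected' (a name pinned to any other address). Only the stock
    localhost line passes quietly."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback:
            if name not in LOOPBACK_NAMES:
                findings.append(("sinkholed", name, str(ip)))
        else:
            findings.append(("redirected", name, str(ip)))
    return findings


def added_entries(baseline, current):
    """Entries present in the current file but not in the baseline: the
    cleanest signal that something rewrote the file."""
    base = set(parse_hosts(baseline))
    return [(str(ip), name) for ip, name in parse_hosts(current) if (ip, name) not in base]


if __name__ == "__main__":
    # Real location on Windows: %SystemRoot%\system32\drivers\etc\hosts
    hosts_path = (Path(os.environ.get("SystemRoot", r"C:\Windows"))
                  / "system32" / "drivers" / "etc" / "hosts")
    text = hosts_path.read_text(errors="replace") if hosts_path.exists() else SAMPLE_HOSTS
    for kind, name, ip in audit_hosts(text):
        print(f"{kind:10} {name} -> {ip}")
    for ip, name in added_entries(STOCK_HOSTS, text):
        print(f"added      {ip} {name}")
```

One caveat for the "I remarked out the line and it still pings 127.0.0.1" case: on Windows 2000 and XP the DNS client service caches answers, including ones taken from the HOSTS file, so an edited entry may keep resolving to the old address until the cache is cleared with `ipconfig /flushdns`; on Windows 9x there is no such cache and the edit takes effect at the next lookup.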
And Google's webcrawler hasn't hit this site yet - last week's mention of OEM-Builder.biz hasn't been added to their index yet - and nothing mentions oem-builder.biz on the internet. Now, being the naturally suspicious type, I'd expect a few mentions of a web site SOMEWHERE. Heck, even the site's home page SHOULD mention it - if you're reputable... And just so this site doesn't become one-dimensional, check out this site. Why? Because I said so. If that craftsmanship doesn't interest you, sorry, climb into the hole, we'll fill it up for you - you just haven't noticed - yer dead. On the list of "To-Dos" for the day - Rhiannon has a school thing, I need a haircut, we need to do some house cleaning, Jack and Rhiannon want to build at least one snow fort (like the raw materials are gonna be a problem), and there's a good chance we'll be spending at least some time in Downtown St. Paul, looking at a big pile of ice. We promised the kids.
[Link] But I should back up. Today, after posting the above, I hauled ass across Burnsville and dropped her off - er, dropped RHIANNON off at her school function, and returned home. I spent perhaps 20 minutes working down here on the 'puter, and then my wife hollered me up - seems my son had started working on his snow fort as we'd previously discussed. Of course, being the overgrown child I am, I went out to help. My assistance consisted of (I don't believe I actually did this) shoveling a portion of my yard down to bare grass, nearly, so he could have a good-sized fort - I'd guess it about six by ten or so. It's to the south of the driveway, just about five feet from the edge of the street. I shoveled the area out, took plenty of snow from the driveway, then started clearing off the dead car. In the end, he's going pretty good - chin-high walls on the short sides, and walls he can barely see over on the taller side - and they're thick enough (and far enough back from the road) that we don't need to worry too much. After that, Ann picked up Rhiannon, returned home, and then went off to do "caffee tolk" with her lady friends - returning home some two hours later. We then prepared for battle.
Due to yours truly forgetting the digital camera, we'll see how things turn out with el-cheapo. Anyway, we staggered through the block-long line to get our tickets - then another block-long line up, and back down the block, to get into the line to get into line to get into the Ice Palace itself. Once there, well, yeah, it was cool.
So we wandered there, we wandered through Rice Park and saw more magnificent carvings (including one that Ann says was a merry-go-round and I insist was a palm tree - made out of ice), then we saw snow sculptures, then I twisted my knee (everything everywhere was covered about an inch deep in loose dirty snow). So we got back to the car, back out of town, and home - to find the digital camera sitting on the couch. Oh, and I did manage to make a much better pen today. Not yet perfect, but much, much closer. Tomorrow? Church, more school stuff, housecleaning, want ads, and a whole lot more fun. And before I forget, some of the port activity from this morning can be found here.
Update At 2130
Tools Needed
Here the traffic pops up a lot to start with, and then dies off. I don't even think that checking the mail after a while brings the trojan back to life. I'm still shutting the modem off when I'm not using it, but sooner or later I'll dig this one out.
[Link] Last night, after typing the final update for the day, I remember looking at my watch to check the time, putting it into the "Updated At" section, saving, uploading the page, and turning off the cable modem. I then sat up with a start and looked again at the time - 12:52. Or 0052 - yes, my good friends, I slept in this chair for well over an hour before realizing it. I toddled upstairs, dropped my clothes, set the alarm for 7:25, and fell into bed, nearly instantly asleep. Some eight hours later (yes, 12:52 am + 8:13 is 9:05 am) I awoke with a bit of a start - looked at the clock, and then said "well, there goes 9 am mass" - Rhiannon had choir. So instead of making church, we did a lick or three of cleaning (well, closer to "a" than "three" truth be told) and then ran off - Rhiannon to her school thing, Jack and I to haircuts, Ann and the boys to the grocery store to finish off that portion of the exercise, back to get Rhiannon, back to the haircut place for a Rhiannon cut, past our old x 2 apartments (two in the same complex), then to the meat market, then home. I put the finishing touches on Ann's Valentines Day present and gave it to her a bit early (it's a "perfume pen" which she can use to show off around the office, and maybe get me sales), we had dinner, and now, that brings you up to date. Tomorrow's my last chance to prepare for the interview on Tuesday, so that'll be done. And did I mention that it's snowing?
[Link] I've reinstalled it, and discovered a wonderful, wonderful tool. I'm on a web site I don't usually visit, and there are flashing, blinking ads. I right-click, and select "Block ads from..." and hit refresh. Voila. They're gone. Doesn't get any easier than that.