
Those personal firewall products are a bit misleading ... it makes me wonder if they just want to grab your attention -- "see, I'm doing something, I'm worth the money you spent ... "

But don't get me wrong, they are still useful.

Trojan horses cannot be implanted by merely connecting to a TCP/UDP port. For that to work, you have to have a service listening on that port, and that service has to have security problems (most notably buffer overflows) that can give a remote attacker root (administrator) access. After the attacker gains root access, they can do whatever they want, including implanting a trojan horse.

The warnings from those personal firewalls most likely happen when someone tries to connect to a well-known trojan TCP/UDP port. That means, if you have a trojan planted and you don't have a firewall to block that port, the attacker can gain control of your machine through the trojan. For example, netbus (a well-known Back Orifice-like trojan) listens on TCP/12345. When someone tries to connect to that port on your machine, your Norton firewall will probably put out a warning saying that you are being attacked by the netbus trojan. But the fact is, you might not have netbus on your machine listening on TCP/12345.

In the unix world, you can control precisely which port(s) to open. But that's not the case with windows. Windows has to open certain ports in order to function normally. That's why you need those personal firewalls to block those ports on the Internet side. If you want to share something through some services (HTTP, FTP), make sure to configure your firewall to allow connections only to those ports (e.g., TCP/80) and that the services are updated with the latest security patches. IIS is notoriously insecure from the default install, and very few ftp servers don't have security problems.
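The distinction drawn in the post above, that a blocked attempt against TCP/12345 is only a probe unless something on the machine is actually listening there, can be checked mechanically rather than taken on the firewall's word. The script below is an added example, not code from the thread or from any firewall vendor: the alert line format, the netstat-style listing and the addresses are constructed samples, and the Back Orifice port entry is an assumption placed next to the netbus port the post names. It parses the alerts, reads which ports the host really has open, and labels each hit as a harmless probe, a probe against a known trojan port with nothing behind it, an exposed legitimate service that needs patching or restricting, or a listener on a trojan port whose owning process should be identified.

```python
"""Triage personal-firewall alerts against what the host actually listens on.

Added example (not from the thread or any firewall product).  Both the alert
line format and the netstat-style listing below are constructed samples.
"""
import re
from collections import Counter

# Ports associated with well-known remote-control trojans.  netbus/12345 is
# the one named in the thread; the Back Orifice entry is an added assumption.
KNOWN_TROJAN_PORTS = {
    ("tcp", 12345): "netbus",
    ("tcp", 31337): "back orifice",
}

# Constructed alert format: "<time> BLOCKED <proto> <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(
    r"^(?P<time>\S+)\s+BLOCKED\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# One line of Windows-style "netstat -an" output: proto, local, foreign, [state]
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"time": m["time"], "proto": m["proto"],
            "src": m["src"], "dport": int(m["dport"])}


def parse_listening(netstat_text):
    """Collect (proto, port) pairs the host is listening on.

    TCP sockets count only in LISTENING state; UDP lines carry no state
    column (a bound UDP socket is always reachable), so every UDP line counts.
    """
    listening = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto = m["proto"].lower()
        if proto == "tcp" and m["state"] != "LISTENING":
            continue
        listening.add((proto, int(m["lport"])))
    return listening


def triage(alert, listening):
    """Classify one blocked connection attempt."""
    key = (alert["proto"], alert["dport"])
    trojan = KNOWN_TROJAN_PORTS.get(key)
    if key in listening:
        # Something really listens here: either an exposed legitimate service
        # or a listener on a trojan port (find the owning process next).
        return "TROJAN_PORT_LISTENING" if trojan else "EXPOSED_SERVICE"
    # Nothing listening: the firewall blocked a probe; the trojan is not here.
    return "PROBE_TROJAN_PORT" if trojan else "PROBE"


def triage_log(alert_lines, listening):
    """Triage every alert and count hits per source to spot scanners."""
    verdicts, hits_by_src = [], Counter()
    for line in alert_lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        verdicts.append((alert["src"], alert["proto"], alert["dport"],
                         triage(alert, listening)))
        hits_by_src[alert["src"]] += 1
    return verdicts, hits_by_src


# Constructed sample data (documentation addresses, not real hosts).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1044        198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

SAMPLE_ALERTS = [
    "10:01:02 BLOCKED tcp 203.0.113.7:4411 -> 192.0.2.10:12345",
    "10:01:03 BLOCKED tcp 203.0.113.7:4412 -> 192.0.2.10:139",
    "10:05:00 BLOCKED udp 198.51.100.9:1234 -> 192.0.2.10:445",
    "10:06:00 BLOCKED tcp 203.0.113.7:4413 -> 192.0.2.10:8080",
]

if __name__ == "__main__":
    open_ports = parse_listening(SAMPLE_NETSTAT)
    verdicts, hits = triage_log(SAMPLE_ALERTS, open_ports)
    for src, proto, port, verdict in verdicts:
        print(f"{src:>15} -> {proto}/{port:<5} {verdict}")
    for src, n in hits.most_common():
        print(f"{src}: {n} blocked attempt(s)")
```

On a real machine the listening set would come from the output of `netstat -an` on the host itself; the per-source counter is what turns "hundreds of attacks a day" into the more useful observation that one address ran a scan.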

Replies, comments and Discussions:

  • With a firewall on, it blocks over a hundred trojan horses a day; without one, wouldn't the PC turn into a horse stable?
    • A firewall can't stop trojans.
      • Could you educate me a bit and explain why? Thanks a lot!
        • Trojan refers to those programs that get into your computer through legitimate ways (most notably through email attachment) and trick you to run them without knowing the consequences.
          Firewall, on the other hand, can block those attempts to exploit vulnerabilities that exist in networking services (HTTP, FTP etc) or problematic tcp/ip stacks. It does not block legitimate traffic.
          • The firewall installed on my computer (Norton Symantec)
            sometimes warns me that my PC has been attacked by a Trojan horse, which gives me the impression that a Trojan horse could be planted via TCP/UDP/HTTP and other legitimate ways. I am kind of confused by their warning message then. You name email as one of the legitimate ways to plant a Trojan; could other networking activities such as UDP/TCP access also be used as a way to sneak Trojan horses onto the PC?

            I appreciate your time! Thanks.
              • Thanks a lot, Dennis. Your explanation is clear and easy to understand. Man, how do you achieve such beautiful English? I admire it!
    • If sharing isn't turned on on the PC, there's not much danger.
      • A trojan doesn't need you to turn on sharing. It's like having PC Anywhere installed on your machine: it can control everything.
        • Once you have a trojan, a firewall isn't much use. If you don't turn on (better yet, don't install) the sharing service, a firewall isn't much use either.
          • You're wrong. There are tons of attacks besides trojans, like port scans, DoS, etc. Even if you are not sharing any files, your computer could still be hacked.
            • As a personal computer, you need not worry about those 'hacker tools'.
              A 'port scan' can only find which ports are currently open on your computer, and there are only a few ports open on your PC.
              DoS is useless against a home PC...

              There are some tools that can scan for 'shares' based on NetBIOS.
      • Even if you don't explicitly share anything, there are hidden shares like ipc$ and c$, d$ ...
    • It's really not that serious. Those hundreds of hits are just port scans against you; as long as the port isn't open, they mean nothing in practice.
      • Windows has to open certain ports in order to operate normally. Try blocking udp/135 on NT4 or udp/445 on Win2k in the TCP/IP properties and then you'll know what I mean.
      • Why would anyone scan my ports?
        • To see whether this door (port) of yours is open; if it is, they can sneak in quietly.
        • 1. See what OS you are running 2. See what port(s) are open (some of the ports are opened by trojans to allow the attacker to gain control)
    • The newest trojans all go over port 80 now; an ordinary firewall can't stop them. Besides, nobody is interested in a personal machine unless they have a grudge against you, so don't worry.
      • For personal computers (esp. those connected to the Internet via cable or ADSL), although no one is interested in hacking them, they can be used to launch DDoS attacks.
        And using a worm to install those DDoS agents is a trivial task.
        • Then how do you defend against that?
          • 1. Keep up with security patches 2. Turn off services you don't want to run (like IIS) 3. Install a personal firewall 4. Avoid using M$ stuff :-)
      • So what should I do? I'm being hounded by hackers right now and have no way to respond. For the moment I've installed a firewall to hold them off for a while. If they really can come in over port 80, is there any trick to stop them? Thanks!!!
        • First tell us how you are "being hounded by hackers"?
          • Every time I go online, the firewall keeps alerting me that some IP address tried to access my ports and was refused.
        • The ultimate trick is:
        • Here's another one to worry about
          Some trojans use ICMP (Internet Control Message Protocol) to send data. The principle is to modify the structure of the ICMP header and add the trojan's control fields. Such trojans have many new characteristics: they don't occupy a port, which makes them hard for users to notice, and at the same time ICMP can pass through some firewalls, which makes defending against them harder.
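A port-based firewall has nothing to match on for the ICMP channel described in the post above, so the defensive check has to look at the packets themselves. The script below is an added example, not code from the thread: it parses an ICMP echo packet into its header fields and payload, verifies the RFC 1071 checksum, and flags echo traffic whose code field or payload does not look like an ordinary ping. The packets are constructed in the script, and the "normal ping" baseline (the 32-byte a..w pattern that Windows ping sends) is an assumption; Linux ping puts a binary timestamp in front of its pattern, so the baseline has to be adjusted per platform before this is run against real captures.

```python
"""Inspect ICMP echo packets for signs they carry something other than ping.

Added example; the packets are constructed in-script and STANDARD_PAYLOAD is
an assumed baseline (the Windows ping pattern), not a universal rule.
"""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
STANDARD_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # assumed baseline


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload, icmp_type=ICMP_ECHO_REQUEST, code=0):
    """Build an ICMP echo packet (8-byte header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(packet):
    """Split an ICMP packet into header fields and payload."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "id": ident, "seq": seq, "payload": packet[8:],
        # A valid packet sums (checksum field included) to 0xFFFF, so the
        # complement taken over the whole packet is zero.
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def indicators(pkt):
    """Return the review reasons for one parsed packet (empty for a plain ping)."""
    reasons = []
    if pkt["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return reasons  # only echo traffic is assessed here
    if not pkt["checksum_ok"]:
        reasons.append("bad-checksum")
    if pkt["code"] != 0:  # echo request/reply always use code 0
        reasons.append("nonzero-code")
    payload = pkt["payload"]
    if payload != STANDARD_PAYLOAD:
        if any(b < 0x20 or b > 0x7E for b in payload):
            reasons.append("binary-payload")
        else:
            reasons.append("nonstandard-payload")
    return reasons


def classify(packet):
    """('ok', []) for a plain ping, otherwise ('review', reasons)."""
    reasons = indicators(parse_icmp(packet))
    return ("review", reasons) if reasons else ("ok", [])


# Constructed samples: a plain ping, an echo carrying non-ping binary bytes
# with a non-zero code field, and a ping whose payload was altered in transit.
NORMAL = build_echo(0x0001, 1, STANDARD_PAYLOAD)
ODD = build_echo(0x0001, 2, bytes(range(16)), code=3)
DAMAGED = bytearray(NORMAL)
DAMAGED[8] = ord("z")  # first payload byte changed; checksum is now stale
DAMAGED = bytes(DAMAGED)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("odd", ODD), ("damaged", DAMAGED)):
        print(name, classify(pkt))
```

The checksum test catches packets whose header was rewritten without recomputing the checksum, and the payload test is deliberately crude: on a real network the right move is to record the baseline each platform's ping actually produces and alert on deviations from that, rather than on the hard-coded pattern used here.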
          • The key is not to get a trojan implanted in the first place; these are all just ways for the trojan and its controller to communicate. The simplest is for the trojan to send email out, and no firewall helps with that.
            Keeping a personal computer safe online is actually simple: remove 'File and Print Sharing', remove the non-TCP/IP protocols, and then install antivirus software.
            • Is Loadqm under c:\windows\ a trojan program? And also
            • Is the file C:\WINDOWS\SYSTEM\KERNEL32.DLL a trojan program?
              • Neither is.
                • Then why do these two programs want to connect to the network? Every time I go online they try to make a network connection, and blocking them has no effect on my internet use. So what purpose did Microsoft have in designing them to connect? Could the experts help answer this!! Thanks!!
                  • Loadqm is the query manager run by the Microsoft message service.
                  • KERNEL32.DLL shouldn't access the network directly, but some viruses and trojans modify the parameters after KERNEL32.DLL in the registry to launch themselves.
                    • Then if the KERNEL32.DLL on my machine accesses the network often, has a trojan already been implanted? I have now set it to be denied network access, so if there is a trojan, my data can't be stolen either, right? Many thanks for your answer!!! Thanks!!!
    • The whole reason is that you installed a firewall!