# Windows has found CRITICAL SYSTEM ERRORS, on a Linux box.

## dalek

Well, I don't have to ask for too much help, but this one has me sort of stumped.  I'm on dial-up and every once in a while I see a little bit of data even though nothing is going on, including email.  I closed everything and even stopped ntp and used Wireshark to capture this.  Can someone tell me what the heck this is?  Is this that little pop-up window that pops up on windoze?  I use Bell South, aka AT&T now, and so does my brother.  His windoze XP "claims" someone is trying to hack in and Norton stops it.  Is this true?  Well, before I call out the Special Forces or something, what is this?

```
No.     Time        Source                Destination           Protocol Info
      1 0.000000    20.233.86.7           209.214.144.182       Messenger NetrSendMessage request[Long frame (2 bytes)]

Frame 1 (407 bytes on wire, 407 bytes captured)
    Arrival Time: Aug  1, 2007 06:55:44.988063000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 407 bytes
    Capture Length: 407 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:ip:udp:dcerpc]
    [Coloring Rule Name: DCERPC]
    [Coloring Rule String: dcerpc]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src: 20.233.86.7 (20.233.86.7), Dst: 209.214.144.182 (209.214.144.182)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 391
    Identification: 0x4fcc (20428)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 53
    Protocol: UDP (0x11)
    Header checksum: 0x671d [correct]
        [Good: True]
        [Bad : False]
    Source: 20.233.86.7 (20.233.86.7)
    Destination: 209.214.144.182 (209.214.144.182)
User Datagram Protocol, Src Port: 30951 (30951), Dst Port: 1026 (1026)
    Source port: 30951 (30951)
    Destination port: 1026 (1026)
    Length: 371
    Checksum: 0x0000 (none)
        Good Checksum: False
        Bad Checksum: False
DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 280
    Version: 4
    Packet type: Request (0)
    Flags1: 0x78 "Broadcast" "Idempotent" "Maybe" "No Fack"
        0... .... = Reserved: Not set
        .1.. .... = Broadcast: Set
        ..1. .... = Idempotent: Set
        ...1 .... = Maybe: Set
        .... 1... = No Fack: Set
        .... .0.. = Fragment: Not set
        .... ..0. = Last Fragment: Not set
        .... ...0 = Reserved: Not set
    Flags2: 0x00
        0... .... = Reserved: Not set
        .0.. .... = Reserved: Not set
        ..0. .... = Reserved: Not set
        ...0 .... = Reserved: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Reserved: Not set
        .... ..0. = Cancel Pending: Not set
        .... ...0 = Reserved: Not set
    Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Serial High: 0x00
    Object UUID: 00000000-0000-0000-0000-000000000000
    Interface: Messenger UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
    Activity: 00000000-0000-0000-0000-000000000000
    Server boot time: Unknown (0)
    Interface Ver: 1
    Sequence num: 0
    Opnum: 0
    Interface Hint: 0xffff
    Activity Hint: 0xffff
    Fragment len: 280
    Fragment num: 0
    Auth proto: None (0)
    Serial Low: 0x00
    Authentication verifier
Microsoft Messenger Service, NetrSendMessage
    Operation: NetrSendMessage (0)
    Server
        Max Count: 10
        Offset: 0
        Actual Count: 10
        Server: SYSTEM
    Client
        Max Count: 35
        Offset: 0
        Actual Count: 35
        Client: ALERT
    Message
        Max Count: 194
        Offset: 0
        Actual Count: 194
        Message:      STOP! IMMEDIATE ATTENTION REQUIRED\n\n   Windows has found CRITICAL SYSTEM ERRORS.\n\n Download Registry Cleaner from: www.key32.com\n\nFAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!\n\n
    [Long frame (2 bytes)]
```

Oh, I went to the site, www.key32.com, and it says I have 25 system errors.  LOL  This is a Gentoo Linux box by the way.

Thanks much.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## Rob1n

Yes - this looks like a Windows Messenger alert.  It'll just be a spam or phishing attack.  Since you're not running messenger then there's no real issues - you probably ought to look into installing a basic firewall though.

----------

## Akkara

It appears to be a packet targeted at the Windows Messenger service that pops up a dire-warning-looking box which directs the user to a website that offers malware (the red click-here link is a .exe which is probably up to no good).

Edit: I lose the typing speed race  :Smile: 

----------

## dalek

I have iptables installed on here but everything is set to wide open right now.  Iptables always worried me.  I screwed up once and had no internet until I figured out how to open it all up again. I'll have to change that when I get DSL though.

What should I do about my bro on his XP?  Should I report this to the ISP so they can do something to stop them, you know, like AOL did with the spammer?  It appears that Norton is blocking it on his machine, but we all know how windoze is.    :Laughing: 

It's funny, that thing does that a good bit.  I only sent one packet but there was more.

Thanks

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## Rob1n

You can report it to the ISP - I doubt they'll do anything about it though.  Your best bet is just to make sure you have a decent firewall (and anti-virus, anti-spyware, etc.) to protect against this sort of thing (and Norton wouldn't be my first choice!).  He may want to look at http://www.techsupportalert.com/best_46_free_utilities.htm for some useful protective tools.

----------

## dalek

That sounds like a start.  Now just to help me make sure I am off to a great start with iptables.  Is this the part that says what port it is using and that I would have to block:

```
User Datagram Protocol, Src Port: 30951 (30951), Dst Port: 1026 (1026)
    Source port: 30951 (30951)
    Destination port: 1026 (1026)
```

I assume that I would want to block ports 30951 and 1026.  Is that correct?

This is my iptables list right now, wide open as I stated earlier.

```
root@smoker / # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@smoker / #
```

Thanks.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## roderick

There are many firewall scripts that utilize IPTABLES. I suggest you install one of them instead of configuring iptables manually.

For example: 

```
* net-firewall/quicktables
     Available versions:  ~2.3
     Homepage:            http://qtables.radom.org/
     Description:         a quick iptables script generator

* net-firewall/kmyfirewall
     Available versions:  0.9.6.2-r1 1.0.1-r1 {arts debug elibc_FreeBSD xinerama}
     Homepage:            http://kmyfirewall.sourceforge.net/
     Description:         Graphical KDE iptables configuration tool

* net-firewall/tuxguardian [1]
     Available versions:  ~0.5
     Homepage:            http://tuxguardian.sourceforge.net/
     Description:         An application based firewall for Linux

* net-firewall/tuxfrw
     Available versions:  ~2.61 ~2.62
     Homepage:            http://tuxfrw.sf.net/
     Description:         TuxFrw is a complete firewall automation tool for GNU/Linux.

* net-firewall/knetfilter
     Available versions:  3.5.0 {arts debug elibc_FreeBSD xinerama}
     Homepage:            http://expansa.sns.it/knetfilter/
     Description:         Manage Iptables firewalls with this KDE app
```

There are others out there as well (look at the net-firewall category). For example, shorewall was something I always put on my servers. It is not a GUI, but is quite extensible and has some great documentation online.

No one should have to suffer building an ipchain or iptable from scratch.  :Smile: 

----------

## Hu

*dalek wrote:*

> I assume that I would want to block ports 30951 and 1026.  Is that correct?

It is a good guess, but no, not exactly.  30951 is an ephemeral port.  It is likely that you will not receive any more Messenger spam with that source port for a long time.  The 1026 destination port is a better candidate for blocking, but best practices say to write rules for things you want to work and then block everything else.  This way, if you make a mistake, it manifests as something not working.  If you try to blacklist "bad" traffic, you will not notice a mistake until someone exploits it.

If you have trouble getting the firewall configured the way you want, or just want someone to review your rules, feel free to post it here.  Running iptables-save -c is a good way to capture all the active rules at once, with traffic counters so you can see which rules are matching traffic.  Depending on how you configured your kernel, you might be missing some functionality that you will need for a good firewall.  If you get errors trying to load the rules, post your rules here and someone can tell you which kernel options you need.

roderick: writing iptables by hand is not so bad.  You get used to it after a while.  :Wink: 

----------

## dalek

I know that I need port 80 open for web browsing, ports 110 and 25 for email if I recall correctly.  What other ports should be open?  I don't currently run sshd or anything here.  I'm not sure what port portage uses for ftp, sync etc either.

I think where I messed up last time was that I put the drop rule at the top as the first rule and it just dropped everything and looked no further for matching rules.  From what I have read, that rule should be last not first.  LOL  It was fun though.  I'm just glad I hadn't saved the rules and that restarting iptables fixed it.

I found a great, I mean GREAT, howto once.  It was super easy to understand but now I can't find it.  I had it bookmarked but now I can't find the bookmark either.  

I'm sleepy right now and I may have to go out of town to meet a "lady friend" so I may start working on that in a few days.  I don't want to start something only to get half way through and have to stop.

I do have webmin installed though.  It has a nice GUI thing for iptables and shorewall.  That may help me some.

Thanks

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## Hu

You need to be able to connect to those ports, yes.  If you are only setting up a filter on inbound traffic, you do not need to open those ports unless you plan to offer those services from your machine to other systems.
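Hu's advice above (write rules for the traffic you want, then drop everything else, and use iptables-save -c to watch which rules count packets) and the answer to the port question can be put together in one script. The following is an added example and is not code posted by anyone in this thread. It emits a whitelist-then-drop ruleset in iptables-restore format for a client machine that offers no services (that is the assumption: no sshd, no web server, nothing inbound), checks that no DROP rule sits above an ACCEPT rule (the "drop rule at the top" mistake dalek describes), and shows that broken ordering beside the working one. Only `apply_ruleset` needs root; everything else just prints and inspects text.

```shell
#!/bin/sh
# Added example (not from the thread): a whitelist-then-drop iptables ruleset
# for a single Linux client that runs no inbound services.  Assumption: the
# host only initiates connections (web, POP3, SMTP, portage sync) and never
# needs to accept a new connection from the Internet.

# Emit the ruleset in iptables-restore format.  The INPUT policy is DROP, so
# any packet that matches no ACCEPT rule (the Messenger spam to UDP 1026, for
# instance) is discarded.  Replies to connections this host opened come back
# through conntrack, so ports 80/110/25 are never opened inbound.
gen_client_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# The "drop rule at the top" variant, for contrast: the first rule matches
# every packet, so the ACCEPT rules below it are never reached and the box
# loses all connectivity.
gen_broken_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Ordering check: returns 0 if every ACCEPT in INPUT precedes the first
# DROP/REJECT, 1 if an ACCEPT is shadowed by an earlier DROP/REJECT.
# The argument is the name of a function that prints a ruleset.
check_ordering() {
  "$@" | awk '
    /^-A INPUT/ && /-j (DROP|REJECT)/ { seen_drop = 1; next }
    /^-A INPUT/ && /-j ACCEPT/ && seen_drop { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Load the working ruleset atomically (requires root and the conntrack match
# compiled into the kernel).  Afterwards "iptables-save -c" shows per-rule
# packet counters, so the LOG and DROP rules can be seen absorbing traffic.
apply_ruleset() {
  check_ordering gen_client_ruleset || return 1
  gen_client_ruleset | iptables-restore
}

# Stand-alone run: print the ruleset and report the ordering check.
if [ "${1:-}" = "--show" ]; then
  gen_client_ruleset
  check_ordering gen_client_ruleset && echo "ordering OK"
fi
```

Run it as `sh firewall.sh --show` to see the ruleset and the ordering verdict; `apply_ruleset` is only called by hand, as root, once the printed rules look right. The LOG rule is rate-limited so a steady stream of Messenger datagrams cannot fill the system log, and the explicit final DROP duplicates the policy on purpose, so the counter from iptables-save -c shows how much unsolicited traffic the box is actually seeing.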

----------

