
Firewall Advice

  • 09-09-2002 2:01pm
    #1
    Closed Accounts Posts: 4


    Over the weekend I started having PC problems. Specifically, my Win2k OS was running at 100% CPU (svchost.exe taking 99%).

    I ended up calling Microsoft in the US and paying $295 dollars to open an incident ticket with them.

    I still don't have the problem fixed, but I've learnt the following from Microsoft:

    A 'something' is changing my security settings every time I log on. If I change them to what they should be, then log off/on, the 'something' has done its deed again and I'm back where I was with RIP Listener doing some strange stuff.

    Microsoft told me straight I have probably been hacked.

    The only other possible explanation they could offer was related to the fact I once had McAfee FireWall/VirusScan installed - Apparently that could have gotten corrupted and be the root of my problem, because although it is supposed to be long gone, there are still remnants of it on my system.

    I really hope McAfee is the problem, because it’s not nice to think that someone has been observing all my business and personal communications for I don’t know how long.

    I’m not really expecting to be able to find out what the problem is – Microsoft have given me 16+ hours of support already - I think a total wipe is the only thing I’ll be doing with them when I call back next to finish my ticket.

    Anyway, I had a couple of questions I was hoping to get some advice on:

    1) Microsoft suggested I get a hardware firewall (rather than a software one). Where can I buy such? Preferably an Irish or UK supplier who accepts credit cards and delivers.

    2) About a month ago someone gave me their PGP key on a floppy disk so I could write to them securely. I recall they remarked something like “No funny business now – That’s just a PGP key I promise”. I trusted them, and hence I added the PGP key to my PGP keys, noticing nothing out of the ordinary when doing so. I said that to Microsoft and they said “If I was you, I wouldn’t take any more PGP keys off that person”. Are Microsoft talking rubbish or sense – Any opinions? I don’t want to think I’ve been hacked by this person I trusted, but if I was, I feel I need to know so I can at least be aware that they are my enemy rather than my friend.

    Thanks in advance for any feedback. Claire.


Comments

  • Closed Accounts Posts: 61 ✭✭wish


    Well, to begin with I will say this outright -- I am not a big fan of Microsoft -- so I don't know how much you should trust their tech support.

    As for the firewall you really have three main options, get a prebuilt dedicated firewall like Cisco ( http://www.cisco.com/warp/public/cc/pd/iosw/ioft/iofwft/ )

    or

    If you know some unix guru type person you could get them to install and configure a firewall on an old box with FreeBSD or something similar

    or

    If you are comfortable with Linux in the slightest then RedHat and all them have very nice GUI interface firewalls with a few default configs which are very effective..... (be warned, this could lead you into a false sense of security if you **** it up)


  • Closed Accounts Posts: 4 claireG


    thanks wish - I'm off at Cisco reading now.

    I just thought I should probably add that I'm a home/small business user - 2 computers and a laptop on my "network" which is simply a 4-port Netgear ethernet hub.

    I've got eircom's business ADSL package and I get that through a router (ZyXEL Prestige 600).

    Maybe that info will help people recommend more suitable firewall solutions?


  • Registered Users Posts: 852 ✭✭✭DannyD


    Sorry to hear about that 295 dollar price tag. A software firewall like ZoneAlarm is great for one or two computers.


  • Closed Accounts Posts: 210 ✭✭BJJ


    Microsoft is a pain in the a@ss


  • Closed Accounts Posts: 75 ✭✭Shanerie


    You should have a look at smoothwall - it's fairly
    easy to install and turns any pc into a dedicated
    hardware firewall.

    So if you have an old 486 or such it's a very cheap
    and handy option.

    http://www.smoothwall.org


  • Registered Users Posts: 4,676 ✭✭✭Gavin


    No need to go crazy. Get a decent virus scanner, update it regularly, and a good small firewall for Windows is Tiny Personal Firewall. Free too.

    Gav


  • Registered Users Posts: 4,429 ✭✭✭Gerry


    Erm, a software firewall for Windows is going to be vulnerable to having its settings changed by whoever hacked her machine, surely?

    Some of the ZyXEL routers support packet filtering, the 643 and 941 for example. I haven't been able to locate anything on the web to say that the 600 does; it would seem that it doesn't. If you find the manual on ZyXEL's site, and it supports packet filtering, you could have a hardware firewall at no extra cost.

    Otherwise I recommend the Smoothwall/Linux/FreeBSD solutions, if you know anyone that can set them up. I personally think they are easier to set up than Cisco; Cisco seem to have spent a lot of time ensuring that only people who put a lot of time into doing Cisco training can manage their firewalls. A unix firewall will be much cheaper also: all the software will be free, you can get a 486 box that is being thrown out, and throw whoever is setting it up for you some cash.


  • Registered Users Posts: 2,472 ✭✭✭Sposs


    Try a NetScreen firewall, they're about €600 but nice little machines that'll do the job. For contact info for their Irish distributor check the link

    www.e92plus.com


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    If you know some unix guru type person you could get them to install and configure a firewall on an old box with FreeBSD or something similar

    This is the one I recommend. Most geeks hang onto their hardware like security blankies, but _someone_somewhere_ will have an old 486 somewhere, and that's genuinely all you need. No keyboard, monitor or mouse required. Get someone to install a server-class Linux distro on it, set it up as a gateway, install a firewall and Robert's your father's brother.

    A lot of Linux-heads will do this for you for free if you try and show an interest in what they're doing. And you buy them a beer afterwards.

    The beer is important.

    adam


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    Originally posted by claireG
    Over the weekend I started having PC problems. Specifically, my Win2k OS was running at 100% CPU (svchost.exe taking 99%).

    <snip> Claire.
    SUMMARY

    Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

    Svchost.exe groups are identified in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

    Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

    Thus if you reduce (intelligently) the number of services listed in that particular registry key you should reduce the number of 'services' being run by svchost.exe.

    I would speculate that you have a whole load of programs that are getting run on startup, perhaps loads of programs in your system tray?

    If that is the case, simply reducing the number of programs that get run on boot should help you out no end.

    It is RUBBISH for Microsoft to suggest that getting an expensive hardware router will reduce your CPU usage considering the process in question is svchost.exe, the tech you were talking to is 1 an idiot, 2 trying to shaft you, 3 doesn't have a clue what he is talking about 4. All three.

    Regards.
    Bod


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    Get a 486 if you want a firewall.

    If you are in Dublin I will install Slackware Linux onto it for you, set it up as a router and set up some nice firewalling (for fun).

    In either case a firewall 'won't' protect you from getting viruses, an anti-virus package of some sort will.

    Firewalls are used to protect LANs running internal services that they would rather aren't available to people who aren't on their networks or to stop people doing things like flood pinging your IP or just for the sake of paranoia.

    "You've been hacked and need a hardware firewall".

    Nonsense, at most you need virus protection software that incrementally updates itself and Linux running a (free and superior) firewall on some dilapidated 486.

    Ye olde ILUG is good for help in such matters.
    ilug@linux.ie ..... hmm... don't buy a hardware firewall... too bloody expensive and if you want to 'upgrade it' you have to buy 'new' hardware for (n) thousand yo yos thank you very much.

    I will set up said firewall scheme for some coca cola and chocolate and or a great big 10,000 euro cheque good for buying coca cola and chocolate.


  • Registered Users Posts: 3,316 ✭✭✭ButcherOfNog


    Originally posted by Typedef

    considering the process in question is svchost.exe, the tech you were talking to is 1 an idiot, 2 trying to shaft you, 3 doesn't have a clue what he is talking about 4. All three.

    Em, no. There's many hacks/worms/attacks out there that replace or drop new files named the same as standard ones, files that you would be expecting to see running in your processes. It's quite possible that the svchost.exe isn't the standard MS one. It's also extremely likely that if you have no firewall, no virus scanner and an always-on connection .... you've been hacked/compromised.

    It's common for these 'fake' exe's to be in your Windows root folder, with the correct version sitting in system32.
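
Added example (not code from any poster or from Microsoft): the check the two posts above describe, run over a constructed process and registry snapshot. It flags a svchost.exe image outside %SystemRoot%\System32, a `-k` group missing from the Svchost key, and a ServiceDll outside System32; the `C:\WINNT` paths, the `UpdHelper` service and all sample values are assumptions.

```python
import ntpath
import re

# All values below are constructed samples, not data from the poster's machine.
SYSTEM32 = r"C:\WINNT\System32"  # assumed %SystemRoot%\System32
# ...\Windows NT\CurrentVersion\Svchost: group name -> services (REG_MULTI_SZ)
SVCHOST_GROUPS = {"rpcss": ["RpcSs"], "netsvcs": ["EventSystem", "UpdHelper"]}
# ...\Services\<name>\Parameters\ServiceDll, with %SystemRoot% already expanded
SERVICE_DLLS = {
    "RpcSs": r"C:\WINNT\System32\rpcss.dll",
    "EventSystem": r"C:\WINNT\System32\es.dll",
    "UpdHelper": r"C:\WINNT\Temp\updhelper.dll",  # hypothetical service
}
PROCESSES = [  # constructed snapshot: (pid, image path, command line)
    (212, r"C:\WINNT\System32\svchost.exe", "svchost.exe -k rpcss"),
    (404, r"C:\WINNT\system32\svchost.exe", "svchost.exe -k netsvcs"),
    (980, r"C:\WINNT\svchost.exe", "svchost.exe"),
    (1100, r"C:\WINNT\System32\svchost.exe", "svchost.exe -k webhelper"),
    (1200, r"C:\WINNT\explorer.exe", "explorer.exe"),
]

def in_system32(path):
    # True if the file sits directly in System32 (case-insensitive compare).
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(SYSTEM32)

def group_of(cmdline):
    # The group name follows svchost's -k switch; None if the switch is absent.
    match = re.search(r"\s-k\s+(\S+)", cmdline, re.IGNORECASE)
    return match.group(1) if match else None

def audit(processes, groups, service_dlls):
    # Compare each running svchost.exe with the registry layout described above.
    known = {name.lower(): svcs for name, svcs in groups.items()}
    findings = []
    for pid, image, cmdline in processes:
        if ntpath.basename(image).lower() != "svchost.exe":
            continue
        group = group_of(cmdline)
        if not in_system32(image):
            findings.append((pid, "image outside System32", image))
        elif group is None or group.lower() not in known:
            findings.append((pid, "unknown svchost group", group))
        else:
            for svc in known[group.lower()]:
                dll = service_dlls.get(svc, "")
                if dll and not in_system32(dll):
                    findings.append((pid, "ServiceDll outside System32", dll))
    return findings
```

Calling `audit(PROCESSES, SVCHOST_GROUPS, SERVICE_DLLS)` returns one finding each for PIDs 404, 980 and 1100. A finding is a reason to inspect the file, not proof of compromise.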


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    Originally posted by ButcherOfNog


    Em, no. There's many hacks/worms/attacks out there that replace or drop new files named the same as standard ones

    Which would imply she had a virus! Ok so I guess you could call that getting hacked, in any case for $295 to be told that because process(x) is running at 99% you've been "hacked" and need to buy a router (when what you most likely really need to get is anti virus software) is just a wind up to extract money.

    In any case Linux is a better solution than a hardware router in this Techie's self_important_opinion.


  • Registered Users Posts: 3,316 ✭✭✭ButcherOfNog


    Originally posted by Typedef

    in any case for $295 to be told that because process(x) is running at 99% you've been "hacked" and need to buy a router (when what you most likely really need to get is anti virus software) is just a wind up to extract money.

    heh, i agree bout the cost and the solution suggested, daft as a brush


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    heh, i agree bout the cost and the solution suggested, daft as a brush
    heh yeah it is insane. It's the equivalent of getting a puncture on your car and being told to buy a helicopter and have it ready in case you get another.

    What I'd suggest is:
    - Backup data
    - Wipe HD
    - Reinstall Win 2k (a fine OS)
    - Patch 2k up to date (SP3)
    - Install a virus scanner
    - Install zone alarm as a software firewall
    - Install the programs you use slowly, and see whether one is excessively using system resources.

    Then, away you go.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    About a month ago someone gave me their PGP key on a floppy disk so I could write to them securely. I recall they remarked something like “No funny business now – That’s just a PGP key I promise”. I trusted them, and hence I added the PGP key to my PGP keys, noticing nothing out of the ordinary when doing so. I said that to Microsoft and they said “If I was you, I wouldn’t take any more PGP keys off that person”.
    oh and that's utter rubbish. I'd write to Microsoft and demand my money back, they'll probably ignore you but that comment is the best evidence this 'techie' you were talking to had no more clue what he was talking about.

