last time i noticed too many users scan my server ports(network type: LAN -about 300 hosts REDHAT8/WIN XP, Server W2K).
It is innocent activity but i am worry and closed acces to services for some of unruly nosy.
All my aplication are made in C.
The most of them use printf or another string functions which are vulnerable.
My friend explaned me how it is possible to break something in my server so I switch off it and just think what should I do.

If anybody has some expirience how to protect the stack it would be nice to enclose a link or explanation.
I think to debug is not easy way to improve it but more instructive.

If you know any aplication is easy to get and free licence then please take me a link, but like always I want to know how it works.
_____________________________
I installed honeypot,It is quite emausing name for software:)

If an admin or moderators could delete this thread it will be nice;)
Posted on 2003-09-09 08:42:11 by etn
Are you being scanned by computers inside or outside of your network?

If it's from the outside (ie internet), you should have a firewall on the machine acting as the internet gateway. Second, the only ports that should be openned are those running services. The services must be provided by robust applications.

If it's internal probing, you need to determine who is doing it and why. It may be someone with nothing better to do that eat up bandwidth by running random port scans. Or it could be someone looking for a way to take your machine down and/or steal confidential data. Are you the network admin?
Posted on 2003-09-10 17:24:07 by eet_1024

I installed honeypot,It is quite emausing name for software:)

The name is from Winnie the Pooh, he was always after the Honey Pots and would always get caught because his paw got stuck inside of it. That's the way a Honey Pot catches some-one, the only reason to put your paw in is if your doing something wrong ;)
Posted on 2003-09-10 21:10:47 by donkey
donkey thx for explanation:) Pooh is sweet and honey too

eet_1024 Hi!
There are many administrators because everyone can install own server and inform us about it.
This network has no Internet connection aviable, only LAN, but some time one of all users link it by modem conection to Internet without any firewalls .This people do it because want to send something from outside to their home computer.
It is dangerous for all users, but it is not the key danger.
The reason I am warried is that I noticed IP which scaned me and belongs to my another computer which was off. I have no idea how can I identify the blackHAT because after ARP request i get MAC which belongs to my IntCardAdapter in my computer(just is off).
One time somebody has steal away my Gadu-Gadu possword (Gadu is something like Kadu and similar to ICQ communicator).This is not Funny when somebody talks to your friends and for example invite them somewhere.After I turn on this machine(my computer-not the server) which address I get by ARP then appeared an error on the screen: about IP dupicate and I should to conntact my administrator immiediately...
Every host gets IP from DHCP server and it is impossible to get my IP before 72 h after I loged out.
DHCP logs said nothing strange, just like always(admin is an acquaintance and he is helpful men).

:alright: 4 U !
Posted on 2003-09-11 03:23:27 by etn
Server, Plain Computer, 95, XP, Linix, and bull s**t jokes...

A web pro will turn your darn FIREWALL off in front of your face if you bother to look down and catch when it happens which is near impossible when relaxed... and will search the processer, RAM or Windows who keep MAIN information even after a so called re-boot MAYBE somehow.. But one thing for sure it will find the last place of your working area and will set a shortcut to that place. P l e a s e don't tell me you want to hear more.
It takes a PRO plus WEB expertize and that is not most of us.


Firewall is not worth dodo without your own code doing something around it to make sure it don't fail ....At lease i know that to be a fact now and can't no one tell me difference ever again ... I Thanks the you for getting me closer to reality
Posted on 2003-09-11 03:28:46 by cmax

Firewall is not worth dodo without your own code doing something around it to make sure it don't fail...

That's bullshit. A correctly configured firewall (one without exploitable remote administration featurs) will make this impossible. Kerio Personal Firewall (with remote adminstration turned off) seems to be a pretty good choice for windows - it's simple and clean and without too many default rules.

Of course this doesn't help anything if you leave all your ports open, or if you have exploitable services running on the open ports - or if you're reta...unlucky enough to get hit by a trojan. While this can be too much to expect of a regular home users, frequentors of this board really ought to know how to protect themselves. Frankly, it doesn't take much - just some nazi blocking rules.

As for protecting the stack... stop using printf and those other unsafe C-style functions. Find a safe C string library (microsoft has one), or go all the way and use C++ strings and ostringstreams - lots and lots of trivial buffer overflows are gone, a lot of format string exploits as well, and the attacker will suddenly have to be a lot sneakier.

Another choice would be running something like PaX by some of the reverser legends, which marks the stack as nonexecutable (yes, this can be done, even though the x86 paging mechanism doesn't support this. And yes, Teo ripped off PaX for the BSD non-executable stack). There's a windows NT test version of nonexecutable stack being done by wraker/mcp on efnet, he can sometimes be seen in #win32asm asking for testers.
Posted on 2003-09-11 15:20:35 by f0dder
Kerio Personal Firewall ... I think i will try that. But i still it can never hurt to protect other programs like Firewall with sure code that you know can warn you when something goes wrong. It's just too important not to, at lease i will do it anyway.

No way will i ever trust any other program that i am not taking with my own block of code.

How in the world would you know they did not miss something in those programs that had a weak point. Even you may have a bug in your own program no matter how good you think it is. So don't tell me that everything is bull shit.

I seen a lot of stuff but that one took the cake for me no matter what had happened but it was alway on-line related other than that i never had a problem. I just don't trust my ISP anymore. WHY SHOULD I. And added protection can never hurt so why put that down.

How many people in a city is on-line 3:00 AM every MORNING for HOURS TALKING Code, searching Code.

Only me and the ISP operater that got the server in his basement. If it was me i would take a peep if possible i guest. I was a Mid-Night cab driver for four years so i know what time the city GO DEAD.
Posted on 2003-09-11 18:46:30 by cmax
PS: Let's talk about how to close my own dame port since you know.

I like to add that into to just to be more independent.

How about FIREWALL buliding HOW-TO at-lease get started or something.
Posted on 2003-09-11 19:02:28 by cmax
Kerio Personal Firewall

Yes, they really seems they mean SERIOUS business. Hope i am getting something in English.

Funny thing it said it don't work with Win 95 do you wish to install anyway...

but it working right now and seem to run very well. See what i mean about bugs. But i hope it is not fooling me.
Posted on 2003-09-11 21:19:22 by cmax