LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-03-2005, 02:12 PM   #16
Saquear
Member
 
Registered: Jan 2005
Posts: 56

Original Poster
Rep: Reputation: 15
Linux Secure???


Thomas my friend thanks for the reply, Question! Will Fedora 2 work for security or as you stated above?
You say that in XP it is easy to close the ports, does that go for XP Home edition also? What is the management tool in the control panel? And is their a tutorial on how to do it, closing the ports?
I got into trying to learn IT tech stuff by a fluke but it got my heart and I've even paid to learn but there very few good teachers, a lot but few. Anyway I just want to let you know that even though I don't know you, you have my deepest respects, not only for what you know but for helping a lot of
s like me, Saquear!!!
 
Old 04-04-2005, 02:33 PM   #17
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
windows secure? Nope
the best example:
A year or so there was remote execution hole in IE, even if you have, not used IE it did not matter because you had IE and that was enough. There are currently two other remote execution holes, although let's hope that not using IE is enough.

Can you point me to one to the one place where windows keeps all the gathered information about user's habits? As far as I know you need to wipe out the disk, because info is scattered almost everywhere.
In other words one cand protect information not knowing where it is located.

No viruses in two months? No big deal I have windows machine with read only %windows% and %Program Files% all user info is kept on separate partition plus one for swap. Usrers have no rights to write to anything except home dir. This is simply UNIX model. For three years no problem without AV and other crap. Plus quite delayed patches. Even blaster could not get because port tcp 445 was closed.

However this is not security.

To answer the first question: for secure transfer you need secure wrowber and secure bank server, with a policy of rejecting plain text or weak encryption.. Usually the problem is not the connection, but breaking later on the server and gathering sensitive data.
 
Old 04-04-2005, 05:34 PM   #18
Saquear
Member
 
Registered: Jan 2005
Posts: 56

Original Poster
Rep: Reputation: 15
Linux Secure???

Hi Broach, I appreciate your anwsers, it really helps. I am not trying to start a Ms vs. Linux war here. I'll tell you what happened I have to make a $$ trans action over the web, its not a lot of money but I have to use a credit card and I just don't want the #s available to just anyone. So about three weeks ago my computer was compromised, albeit a Trojan, finally got it but it left me pretty doubtful. At the same time I trying to learn to work on computers and I got into that by a fluke but I love the work with the exception that I don't know anything. A friend of mine turned me on to Mepis and wow it was nice, and I mean really nice, like M$ XP without the bugs and no crashes. My problem lies in that I don't know the command line or more I don't understand it. I have a bunch of tutorials that I bought and I see them on the forums but everyone that writes a tutorial writes to their point of view and not the newbie. I installed a seperate hard drive for Linux but now I have trouble connecting to the web where as before it was all right. I have Mepis 3.3 installed. But I have Simply Mepis 2.4, and 2003.10, and Fedora 2,Red Hat 9.0, Gentoo 2004.2, Suse 9.1, Mandrake 9.2, and Koppix3.3. I just don't know how to configure them, one to the hard drive, two to the DSL connection. In dos I know the copy, dir,move, plus a bunch of other commands but I do not know where to put them and why and if something goes haywire, which has happened I wouldn't even be aware of it. I don't mind tearing down and rebuilding just that right now I'm in a $$ pridictement and I need the computer to get get me out of this financial fix.
Either way Broach thanks for enlightening me, I do want to learn BSD or Unix. Which is better Free BSD or Net BSD?
Saquear !!!

Last edited by Saquear; 04-04-2005 at 05:36 PM.
 
Old 04-04-2005, 06:29 PM   #19
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
I would go with FreeBSD (I used it since 95', RH since 97'). I do believe that it is extremely easy. However I suggest to use Simly Mepis to learn basics. I understand that it works. Concentrate on one distro/OS first it would be easier and more efficient. Learn command line because this is still important.

In linux and BSD, GUI is not that powerfull as command line and you will always get better control over config when editing manually, even MS is starting to finally realize this simple truth.

When I got my first BSD (and later linux) running, I started from opposite side than you (I think), I red a lot (although manuals were more scarce than now). Then I installed OS and first time it simply worked.

What I suggest to do is, install linux or BSD (if BSD, then preferably Free), on the system disconnected from the net. Because you are dual booting, then always focus on one problem: let's say network. So check logs (where they are -> use google. I am not kidding, google is your friend, by the way most of the log files are in the /var/log) write down errors, boot to windows, search. That should work.
I would not trust first "learning" installations too much, however with linux/BSD when you close ports and set firewall you should be fairly secure (if during the learning phase you will install software only from your distro site). Learn how to use tripware (once you learn it, remember that it makes only sense to install tripware if and only if, you installed OS on disconnected box, then installed tripware and run it, then you can connect to the net with all the crap = firewall and ports and so on), or similar program. If this is linux take look at grsecurity (because it is easy to configure), next consider RSBAC

Securing windows is not easier: don't believe that firewall and firefox will resolve all problems.

Anyway, whatever OS you will use you need to be sure that it is clean.

Last thing is more about using on line credit cards than OS. Look for a bank that allow to create virtual accounts: for each transaction you will get a new credit card number, you can limit amount of the money and you can limit expiration date. Bank will know that each account belongs to you. So you will not have any problems with payments to several acounts, because it is in fact only one. Extra security is that each virtual account can be charged only once.

As you can see there are several ways of securing internet transactions. It take longer only first time because you have to make everything to work. Once done it is easy and fast.

FreeBSD handbook is here:
http://www.freebsd.org/doc/en_US.ISO...ook/index.html

I don't know if this sort of information will help you because it is really general, however it is difficult to say: do this or that not knowing what exactly is not working and how easy it is for you to "dive" into new stuff.

Last edited by broch; 04-04-2005 at 06:30 PM.
 
Old 04-05-2005, 02:03 AM   #20
Saquear
Member
 
Registered: Jan 2005
Posts: 56

Original Poster
Rep: Reputation: 15
Linux Secure???

Broach, wow you sure know a lot, that last post of yours was a real eye opener!!! What is tripware? You are right about the firewall, I was at a windows forum and and I got attacked and got a Trojan, what a pain. Virtual bank accounts, wow what a mind blower!!! Yeah you just taught me a bunch, in Linux there are a lot commands that reference to certain files that I do not know what they mean, like var. I did not know that var pointed to the network, and I didn't know that you had to access those files to find out about the network. Do you also go to var if you want to configure the network? Like PPPOE-ADSL? I don't think learning the commands is as important as knowing where they go and how to write them for what reason!!! Its not that my opinion counts more than someone else's its that I have three full blown tutorials for Linux specifically for the command line but neither one shows you where the command goes and how you are suppose to write it. The person who does the tutorials shows you how to write a specific command but doesn't explain where the space goes or why. Anyway I going to keep trying and I just found out why my Mepis won't connect to the network. The second Simply Mepis configured itself to the internet, but trying to learn I messed up Grub. For some reason putting the same C/D back in did not work so I got a new Mepis 3.3 and booted with the live C/D and then took it out and it automatically repaired Grub but some how the 3.3 would not connect to the internet. So then I put the old C/D back in and it still wouldn't connect so after I read your above post I got brave and I found out that I have three partitions of Simply Mepis. I don't know but I think I should have had to reformat the drive or fdisk it before I reinstall the previous Simply Mepis. Anyway thanks a lot and Keep in touch. Saquear!!!
 
Old 04-05-2005, 04:59 PM   #21
Saquear
Member
 
Registered: Jan 2005
Posts: 56

Original Poster
Rep: Reputation: 15
Linux Secure???

Broach are those books on Linux or Unix commands any good? Like " The Top Fifty Unix Commands" and " Linux in a Nutshell" ? Saquear!!!
 
Old 04-05-2005, 05:22 PM   #22
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
sorry, can't help don't know any of these
 
Old 04-05-2005, 11:18 PM   #23
Saquear
Member
 
Registered: Jan 2005
Posts: 56

Original Poster
Rep: Reputation: 15
Linux Secure???

Broach, what is "Tripware"? Saquear!!!
 
Old 04-06-2005, 04:05 AM   #24
backroger
Member
 
Registered: Dec 2004
Posts: 81

Rep: Reputation: 15
For linux commands...look here...

http://www.linuxdevcenter.com/linux/cmd/

For Linux How to's....look here..

http://www.linuxhomenetworking.com/

Linux is more secure since you can modify every setting at your arsenal. Security in Linux is also based on what will be the function of it.
 
Old 04-06-2005, 07:08 AM   #25
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
http://www.tripwire.org/
 
Old 04-06-2005, 11:46 AM   #26
Saquear
Member
 
Registered: Jan 2005
Posts: 56

Original Poster
Rep: Reputation: 15
Linux Secure???

Backroger, thank you for the links, the first link form O'Rielly is not valid anymore, and the second link is pretty good, I think. One of the problems with learning Linux is learning the different definitions, for instance I use a tutorial and it always mentions modifying the "var" file and I watch it and so what. Now I have been having problems with my network connection in Linux and in a forum other people have told me to change it and even showed me how, and all I can do is scratch my head. Well it wasn't til the the other day when Broch sent me some info that he mentioned the "var" file for my networking that I was able to put two and two together. It didn't solve my problem but it pointed me in the right direction. I have a very good tutorial on Linux commands, but for the life of me I don't know where to put them or where and how much, its enough to make a grown man cry.
Broch, thanks for the link to tripwire, is the free one enough or would some one need the paid version? Also I want to ask you about the differences of KDE and Gnome. Is one more functional, versatile. or more powerful than the other? Can you have both on a system successfully or will they clash? Thanks a lot for all your advice, Saquear !!!
 
Old 04-06-2005, 03:45 PM   #27
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
o.k. eventually install free tripwire (eventually meaning either on fresh install or you are 100% sure that OS is clean). You may consider root kit hunter:
http://www.rootkit.nl/projects/rootkit_hunter.html

Peronally I prefer KDE, for me Gnome is too bloated it is slower and still not that stable. However you can safely install both and test which one suits you better. Gnome also has perks which in fact may be more compelling to you than KDE stuff.
 
Old 04-06-2005, 07:24 PM   #28
backroger
Member
 
Registered: Dec 2004
Posts: 81

Rep: Reputation: 15
Re: Linux Secure???

Hmmm...what X terminal is better?

Read this...

KDE 3.1 vs. GNOME 2.2: How GNOME became LAME

http://www.linuxworld.com/story/32640.htm

In the pre-RH 7.0, You can install both and when you boot-up you will be ask if which X-terminal do you want to use...e.g. KDE or Gnome.

Currently, using RHEL AS 4.0 and just used Gnome...and never installed KDE. Maybe in the future...if I have some box to spare.

Quote:
Originally posted by Saquear
[B Also I want to ask you about the differences of KDE and Gnome. Is one more functional, versatile. or more powerful than the other? Can you have both on a system successfully or will they clash? Thanks a lot for all your advice, Saquear !!! [/B]
 
Old 04-10-2005, 12:41 AM   #29
Post Modern
Member
 
Registered: Nov 2002
Location: Massachusetts
Distribution: Fedora Core, RH, Mandrake, Xandros, Knoppix
Posts: 110

Rep: Reputation: 15
Broch - you asked..........................

.
.
Broch -

I don't do winblowz, but because you asked, here's a reply, I'll have to post it in two parts because of the post restrictions, so here's part one:

Microsoft's Really Hidden Files

Version 2.6b
by The Riddler

November 3, 2001

When I say these files are hidden well, I really mean it. If you don't have any knowledge of DOS then don't plan on finding these files on your own. I say this because these files/folders won't be displayed in Windows Explorer at all -- only DOS. (Even after you have enabled Windows Explorer to "show all files.") And to top it off, the only way to find them in DOS is if you knew the exact location of them. Basically, what I'm saying is if you didn't know the files existed then the chances of you running across them is slim to slimmer.

It's interesting to note that Microsoft does not explain this behavior adequately at all. Just try searching on microsoft.com.

FORWARD:
I know there are some people out there that are already aware of some of the things I mention. I also know that most people are not. The purpose of this tutorial is teach people what is really going on with Microsoft's products and how to take control of their privacy again. This tutorial was written by me, so if you see a mistake somewhere then it is my mistake, and I apologize.

Thanks for reading.

INDEX

1. DEFINITIONS
1.1) Acronyms

2. SEEING IS BELIEVING
3. HOW TO ERASE THE FILES ASAP
3.1) If You Have Ever Used Microsoft Internet Explorer
3.2) Clearing Your Registry
3.3) Slack files
3.4) Keeping Microsoft's Products
4. STEP-BY-STEP GUIDE THROUGH YOUR HIDDEN FILES (For the savvy.)
5. HOW MICROSOFT DOES IT
6. +S MEANS [S]ECRET NOT [S]YSTEM
6. A LOOK AT OUTLOOK
8. THE TRUTH ABOUT FIND FAST
8.1) Removing Find Fast
9. CONTACT INFORMATION AND PGP BLOCKS
9.1) Recommended reading
10. SPECIAL THANKS
11. REFERENCES

# Coming in Version 3.0: pstores.exe
# Related Windows Tricks.
# Looking back on the NSA-Key.
# What's with those Outlook Express .dbx files?
# Windows 2000 support.

1. DEFINITIONS

Well, the best definition I have been able to come up with is the following:

I) A "really hidden" file/folder is one that cannot be seen in Windows Explorer after enabling it to "show all files," and cannot be seen in MS-DOS after receiving a proper directory listing from root.
a) There is at least one workaround to enable Windows Explorer to see them.
b) There is at least one workaround to enable MS-DOS to see them.

II) Distinguishes "really hidden" file/folders from just plain +h[idden] ones, such as your "MSDOS.SYS" or "Sysbckup" folder.

III) Distinguishes from certain "other" intended hidden files, such as a file with a name of "x."

(Interesting to note that Microsoft has disabled the "Find: Files or Folders" from searching through one of these folders.)

1.1. ACRONYMS

DOS = Disk Operating System, or MS-DOS
MSIE = Microsoft Internet Explorer
TIF = Temporary Internet Files (folder)
HD = Hard Drive
OS = Operating System
FYI = For Your Information

2. SEEING IS BELIEVING

No. Enabling Windows Explorer to "show all files" does not show the files in mention. No. DOS does not list the files after receiving a proper directory listing from root. And yes. Microsoft intentionally disabled the "Find" utility from searching through one of the folders.

One more thing. They contain your browsing history at ALL times. Even after you have instructed Microsoft Internet Explorer to clear your history/cache. And so the saying goes, "seeing is believing."


Skipping the to chase here. These are the names and locations of the "really hidden files":

c:\windows\history\history.ie5\index.dat
c:\windows\tempor~1\content.ie5\index.dat

If you have upgraded MSIE several times, they might have alternative names of mm256.dat and mm2048.dat, and may also be located here:

c:\windows\tempor~1\
c:\windows\history\

Not to mention the other alternative locations under:

c:\windows\profiles\%user%\...
c:\windows\application data\...
c:\windows\local settings\...
c:\windows\temp\...
c:\temp\...

(or as defined in your autoexec.bat.)

FYI, there are a couple other index.dat files that get hidden as well, but they are seemingly not very important. See if you can find them.

3.0. HOW TO ERASE THE FILES ASAP

Step by step information on how to erase these files as soon as possible. This section is recommended for the non-savvy. Further explanation can be found in Section 4.0. Please note that following these next steps will erase all your cache files, all your cookie files. If you use the offline content feature with MSIE, following these next steps will remove this as well. It will not erase your bookmarks.

3.1. IF YOU HAVE EVER USED MICROSOFT INTERNET EXPLORER

1) Shut your computer down, and turn it back on. 2) While your computer is booting keep pressing the [F8] key until you are given an option screen.
3) Choose "Command Prompt Only" (This will take you to true DOS mode.) Windows ME users must use a boot disk to get into real DOS mode.
4) When your computer is done booting, you will have a C:\> followed by a blinking cursor. Type this in, hitting enter after each line. (Obviously, don't type the comments in parentheses.)

C:\WINDOWS\SMARTDRV (Loads smartdrive to speed things up.)
CD\
DELTREE/Y TEMP (This line removes temporary files.)
CD WINDOWS
DELTREE/Y COOKIES (This line removes cookies.)
DELTREE/Y TEMP (This removes temporary files.)
DELTREE/Y HISTORY (This line removes your browsing history.)
DELTREE/Y TEMPOR~1 (This line removes your internet cache.)

(If that last line doesn't work, then type this

CD\WINDOWS\APPLIC~1
DELTREE/Y TEMPOR~1

(If that didn't work, then type this

CD\WINDOWS\LOCALS~1
DELTREE/Y TEMPOR~1

(If this still does not work, and you are sure you are using MSIE 5.x, then please e-mail me. If you have profiles turned on, then it is likely located under \windows\profiles\%user%\, while older versions of MSIE keep them under \windows\content\.)

This last one will take a ridiculous amount of time to process. The reason it takes so incredibly long is because there is a ton of (semi-) useless cache stored on your HD.

5) Immediately stop using Microsoft Internet Explorer and go with any of the alternative browsers out there (e.g., Netscape 4.7x from netscape.com, Mozilla from mozilla.org, or Opera from opera.com).

FYI, Windows re-creates the index.dat files automatically when you reboot your machine, so don't be surprised when you see them again. They should at least be cleared of your browsing history.

3.2. CLEARING YOUR REGISTRY

It was once believed that the registry is the central database of Windows that stores and maintains the OS configuration information. Well, this is wrong. Apparently, it also maintains a bunch of other information that has absolutely nothing to do with the configuration. I won't get into the other stuff, but for one, your typed URLs are stored in the registry.

HKEY_USERS/Default/Software/Microsoft/Internet Explorer/TypedURLs/
HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/TypedURLs/

These "Typed URLs" come from MSIE's autocomplete feature. It records all URLs that you've typed in manually in order to save you some time filling out the address field. By typing "ama" the autocomplete feature might bring up "amazon.com" for you. Although I find it annoying, some people prefer this feature. One thing is for sure, however -- it's an obvious privacy risk. You wouldn't want a guest to type "ama" and have it autocomplete to "amateurmudwrestlers.com," would you?

3.3. SLACK FILES

As you may already know, deleting files only deletes the references to them. They are in fact still sitting there on your HD and can still be recovered by a very motivated person.

* BCWipe is a nice program that will clear these files.
* For you DOS buffs, there's a freeware file wiper on simtel.net that I use.
* If you are using PGP, there is a "Freespace Wipe" option under PGPtools.
* The newer versions of Norton Utilities have a nice file wiping utility.
* You might want to check out Evidence Eliminator's 30 day trial. This is probably the best program as far as your privacy goes.



3.4. KEEPING MICROSOFT'S PRODUCTS

If your work environment forces you to use Microsoft Internet Explorer, then I strongly recommend that you talk your boss into checking out one of these programs:

* PurgeIE
* Cache and Cookie Cleaner for IE
* TARGET="new-window">Anonymizer Window Washer

These programs automate the process for you, and is a better alternative to adding 'deltree/y' lines to your autoexec.

And if your work environment forces you to use Outlook or Outlook Express, then you should get in the habit of compacting your mailboxes.

You can do this by going to File > Folder > Compact All if you have Outlook Express, or Tools > Options > Other tab > [Auto Archive] if you have Outlook. Make sure to set things up here.

4.0. STEP-BY-STEP GUIDE THROUGH YOUR HIDDEN FILES

This next section is intended for the savvy user.

The most important files to be paying attention to are your "index.dat" files. These are database files that reference your history, cache and cookies. The first thing you should know is that the index.dat files is that they don't exist in less you know they do. They second thing you should know about them is that some will *not* get cleared after deleting your history and cache.

The result: A log of your browsing history hidden away on your computer after you thought you cleared it.

To view these files, follow these steps:

In MSIE 5.x, you can skip this first step by opening MSIE and going to Tools > Internet Options > [Settings] > [View Files]. Now write down the names of your alphanumeric folders on a piece of paper. If you can't see any alphanumeric folders then start with step 1 here:

1) First, drop to a DOS box and type this at prompt (in all lower-case). It will bring up Windows Explorer under the correct directory.

c:\windows\explorer /e,c:\windows\tempor~1\content.ie5\

You see all those alphanumeric names listed under "content.ie5?" (left-hand side.) That's Microsoft's idea of making this project as hard as possible. Actually, these are your alphanumeric folders that was created to keep your cache. Write these names down on a piece of paper. (They should look something like this: 6YQ2GSWF, QRM7KL3F, U7YHQKI4, 7YMZ516U, etc.) If you click on any of the alphanumeric folders then nothing will be displayed. Not because there aren't any files here, but because Windows Explorer has lied to you. If you want to view the contents of these alphanumeric folders you will have to do so in DOS. (Actually, this is not always true. Sometimes Windows Explorer will display the contents of these folders -- but mostly it won't. I can't explain this.)

2) Then you must restart in MS-DOS mode. (Start > Shutdown > Restart in MS-DOS mode. ME users use a bootdisk.)

Note that you must restart to DOS because windows has locked down some of the files and they can only be accessed in real DOS mode.

3) Type this in at prompt:

CD\WINDOWS\TEMPOR~1\CONTENT.IE5
CD %alphanumeric%

(replace the "%alphanumeric%" with the first name that you just wrote down.)

DIR/P

The cache files you are now looking at are directly responsible for the mysterious erosion of HD space you may have been noticing. One thing particularly interesting is the ability to view some your old e-mail if you happen to have a Hotmail account. (Oddly, I've only been able to retreive Hotmail e-mail, and not e-mail from my other web-based e-mail accounts. Send me your experiences with this.) To see them for yourself you must first copy them into another directory and THEN open them with your browser. Don't ask me why this works.

A note about these files: These are your cache files that help speed up your internet browsing. It is quite normal to use this cache system, as every major browser does. On the other hand. It isn't normal for some cache files to be left behind after you have instructed your browser to erase it.

5) Type this in:

CD\WINDOWS\TEMPOR~1\CONTENT.IE5
EDIT /75 INDEX.DAT

You will be brought to a blue screen with a bunch of binary.

6) Press and hold the [Page Down] button until you start seeing lists of URLs. These are all the sites that you've ever visited as well as a brief description of each. You'll notice it records everything you've searched for in a search engine in plain text, in addition to the URL.

7) When you get done searching around you can go to File > Exit. If you don't have mouse support in DOS then use the [ALT] and arrow keys.

8) Next you'll probably want to erase these files by typing this:

C:\WINDOWS\SMARTDRV
CD\WINDOWS
DELTREE/Y TEMPOR~1

(replace "cd\windows" with the location of your TIF folder if different.)

This will take a seriously long time to process. Even with Smartdrive loaded.

9) Then check out the contents of your History folder by typing this:

CD\WINDOWS\HISTORY\HISTORY.IE5
EDIT /75 INDEX.DAT

You will be brought to a blue screen with more binary.

10) Press and hold the [Page Down] button until you start seeing lists of URLS again.

This is another database of the sites you've visited.

11) And if you're still with me, type this:

CD\WINDOWS\HISTORY

12) If you see any mmXXXX.dat files here then check them out (and delete them.) Then:

CD\WINDOWS\HISTORY\HISTORY.IE5
CD MSHIST~1
EDIT /75 INDEX.DAT

More URLs from your internet history. Note, there are probably other mshist~x folders here so you can repeat these steps for every occurence if you please.

13) By now, you'll probably want to type in this:

CD\WINDOWS
DELTREE/Y HISTORY



5.0. HOW MICROSOFT DOES IT

How does Microsoft make these folders/files invisible to DOS?

The only thing Microsoft had to do to make the folders/files invisible to a directory listing is to set them +s[ystem]. That's it. As soon as the dir/s command hits a system folder, it renders the command useless (unlike normal folders.) A more detailed explanation is given in Section 6.

So how does Microsoft make these folders/files invisible to Windows Explorer?

The "desktop.ini" is a standard text file that can be added to any folder to customize certain aspects of the folder's behavior. In these cases, Microsoft utilized the desktop.ini file to make these files invisible. Invisible to Windows Explorer and even to the "Find: Files or Folders" utility (so you wouldn't be able to perform searches in these folders!) All that Microsoft had to do was create a desktop.ini file with certain CLSID tags and the folders would disappear like magic.

To show you exactly what's going on:

Found in the c:\windows\temporary internet files\desktop.ini and the c:\windows\temporary internet files\content.ie5\desktop.ini is this text:

[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}

Found in the c:\windows\history\desktop.ini and the c:\windows\history\history.ie5\desktop.ini is this text:

[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}

The UICLSID line cloaks the folder in Windows Explorer. The CLSID line disables the "Find" utility from searching through the folder. (Additionally, it gives a folder the appearance of the "History" folder.)

To see for yourself, you can simply erase the desktop.ini files. You'll see that it will instantly give Windows Explorer proper viewing functionality again, and the "Find" utility proper searching capabilities again. Problem solved right? Actually, no. As it turns out, the desktop.ini files get reconstructed every single time you restart your computer. Nice one, Slick.

Luckily there is a loophole which will keep Windows from hiding these folders. You can manually edit the desktop.ini's and remove everything except for the "[.ShellClassInfo]" line. This will trick windows into thinking they have still covered their tracks, and wininet won't think to reconstruct them.

PM
 
Old 04-10-2005, 12:43 AM   #30
Post Modern
Member
 
Registered: Nov 2002
Location: Massachusetts
Distribution: Fedora Core, RH, Mandrake, Xandros, Knoppix
Posts: 110

Rep: Reputation: 15
Broch - part two:

.
.
Here's part two:


I can't stress how ridiculous it is that Windows actually makes sure the files are hidden on every single boot. No other files or folders get this kind of special treatment. So what's the agenda here?

6.0. +S MEANS [S]ECRET NOT [S]YSTEM

Executing the "dir/a/s" command from root should be the correct command to display all files in all subdirectories in DOS. However, doing so will not display the index.dat files. This is because when DOS tries to get a list of the subdirectories of any +s[ystem] directory it hits a brick wall. No files or folders will be listed within any system directory. Not only does this defeat the whole purpose of the "/s" switch in the first place, but I'd say it looks like Microsoft took extra precautions to keep people from finding the files. Remember, the only thing you need to do to obscure a file in DOS is to mark the parent directories as +s[ystem].

I was told by a few people that this was due to a very old DOS bug that dates back many years. Fine. I can accept that. A bug it is.

But, would you consider your Temporary Internet Files to be "system files?" It would seem that your TIF folder appears to be marked +s[ystem] for no good reason at all. Just because. Same with your history folder. You may not agree, but I tend to think that Microsoft marked the folders as +s[ystem] solely to hide any directory recursal from DOS.

In case you didn't understand, here's a small experiment that will show you what I mean.

Since the content.ie5 and history.ie5 subfolders are both located within a +s[ystem] folder, we will run the experiment with them. The proper command to locate them should be this:

CD\
DIR *.IE5 /as/s

The problem is that you will receive a "No files found" error message.

Since we already know there is a content.ie5 subfolder located here, why is it giving me the "no files found" message?

But there is a way to get around this brick wall. That is, once you are inside the system directory, then it no longer has an effect on the dir listings. For example, if you enter the system folder first, and THEN try to find any +s[ystem] directories you can see them just fine:

CD\WINDOWS\TEMPOR~1
DIR *.IE5 /as/s

1 folder(s) found.

Now you will get a "1 folder(s) found." message. (But only after you knew the exact location.)

In other words, if you didn't know the files existed then finding them would be almost impossible.

And, by the way, to see the "bug" in progress:

CD\
DIR *.IE5 /a/s

It will echo "no files found."

Now, just take away the system attributes from the parent directory...

CD\WINDOWS
ATTRIB -S TEMPOR~1

And retry the test:

CD\
DIR *.IE5 /a/s

It will echo "1 folder(s) found."

7.0 A LOOK AT OUTLOOK EXPRESS

Would you think twice about what you said if you knew it was being recorded? E-mail correspondence leaves a permanent record of everything you've said -- even after you've told Outlook to erase it. You are given a false sense of security sense you've erased it twice, so surely it must be gone. The first time Outlook simply moves it to your "Deleted Items" folder. The second time you erase it Outlook simply "pretends" it is gone. The truth is your messages are still being retained in the database files on your hard drive. (As are your e-mail attachments.)

For earlier versions of Outlook Express, they will be located in either of the following folders:

c:\program files\internet mail and news\%user%\mail\*.mbx
c:\windows\application data\microsoft\outlook\mail\*.mbx

At this point you have two choices:

a) Get in the habit of compacting your folders all the time.
b) Backup, print out, or import the data into another e-mail client such as Eudora and then delete the mbx files (and thus all your e-mail correspondence) by typing this:

cd\windows\intern~1\%user%\mail
deltree/y mail

or

cd\windows\applic~1\micros~1\outloo~1\
deltree/y mail

(Typing in the above commands will kill all your e-mail correspondence. Do not follow those steps in less you have already backed up your e-mail and address book!)

If you have a newer version of Outlook or Outlook Express, the databases are located elsewhere. Look for .dbx and .pst file extensions. These databases are five times as creepy, and I strongly recommend you take at the files.

Just from my outbox.dbx file I was able to view some of my old browsing history, bring up previously-visited websites in html format, and even read ancient e-mail from my Eudora client (read: EUDORA).

Again, don't take my word for it. See for yourself and THEN tell me what you think "Slick Willy" is up to here.

8. THE TRUTH ABOUT FIND FAST

Have you ever wondered what that "Find Fast" program was under your control panel? Here's a hint: It has absolutely nothing to do with the "Find" utility located under the [Start] menu. Just to clear up any confusion before going on, Oblivion adequately explains Find Fast here:

"In any version of Word after 95, choose File Open and you'll get the Office App Open dialog. Instead of just a space for the file name, there are text boxes for file name, files of type, text or property & last modified. These are search criteria you can use to find one or more files. There is also an "Advanced" button that opens a dedicated search dialog with more options. When you use either of these dialogs to perform a search, that search process uses the indexes built by Find Fast."

But what would you say if I told you that Find Fast was scanning every single file on your hard drive? Did you know that in Office 95, the Find Fast Indexer had an "exclusion list" comprised of .exe, .swp, .dll and other extensions, but the feature was eliminated? If you were a programmer would you program Find Fast to index every single file, or just the ones with Office extensions?

FYI, If you have ever had problems with scandisk or defrag restarting due to disk writes, it is because Find Fast was indexing your hard drive in the background. It loads every time you start your computer up.

Now here is a good example of the lengths Microsoft has gone through to keep people from finding out Find Fast is constantly scanning and indexing their hard drives. (Always good to have an alibi.) Here's a snippet taken from microsoft.com:

"When you specify the type of documents to index in the Create Index dialog box, Find Fast includes the document types that are listed in the following table.

Doc Type File Name Extension
Microsoft Office files All the Microsoft Excel, Microsoft Web documents PowerPoint, Microsoft Project, and Microsoft Word document types listed in this table. Microsoft Binder (.odb, .obt) and Microsoft Access (.mdb) files. Note that in .mdb files, only document properties are indexed.
Microsoft Excel workbooks .xl* files
Microsoft PowerPoint files .ppt (presentation), .pot (template), .pps (auto-running presentation) files
Microsoft Project files .mpp, .mpw, .mpt, .mpx, .mpd files
Microsoft Word documents .doc (document), .dot (template), .ht* (Hypertext Markup Language document), .txt (text file), .rtf (Rich Text Format) files
All files *.* files

Did you get that last part? "All files?" Find Fast indexes Office Documents, Web documents, Word Documents, Power Point files, Project files, and -- oh, I forgot -- EVERY SINGLE other file on your computer.

Actually, the good news is that this isn't necessarily true. In another statement, Microsoft claims that if Find Fast deems the file "unreadable" then the file will not be included in the index. For example, your command.com probably wouldn't get indexed because it doesn't have a lot of plain text -- mostly binary.

But back to the bad news. Every single file that has legible text is going to be included in the Find Fast database. Do you understand the implication here? All text saved to your hard drive is indexed. The forensic capabilities are enormous, folks. Don't forget that "all text" also means previously visited webpages from your cache. See for yourself. Open up a DOS window and type:

CD\
DIR FF*.* /AH (This will bring up a listing of the Find Fast databases.)

EDIT /75 %ff% (insert %ff% with any of the names that were listed.)

Notice the incredible amount of disk accesses to your cache and history folders? Why do we need two indexes?

8.1. REMOVING THE FIND FAST PROGRAM

You can remove Find Fast using your Office CD, but I recommend you do it manually.

1) Reboot your computer in MS-DOS Mode.
2) Delete the FindFast.CPL file from c:\windows\system\
3) Delete the shortcut (.lnk) under c:\windows\start menu\programs\startup\
4) Delete the FindFast.EXE file from c:\progra~1\micros~1\office\ 5) It's important to delete the find fast databases (c:\ff*.*). 6) You can also safely delete FFNT.exe, FFSetup.dll, FFService.dll, and FFast_bb.dll if you have them.

Feel free to check out the ffastlog.txt (which is the Find Fast error log). It's a +h[idden] file under c:\windows\system\.

9. CONTACT INFO AND PGP BLOCKS

This tutorial is being updated all the time. If you have any useful input, or if you see a mistake somewhere, then please e-mail me so I can compile it into future versions. You will be able to find the most recent version of this tutorial at Microsuck.com. I am not directly affiliated with the site.

My e-mail address is located at the end of this note. Please let me know where you heard about this tutorial in your message. If you have something important to say to me, then please use encryption. My public key blocks are located below. Be suspicious if you send me an encrypted message but never get a reply.

Thanks for reading.

-- The Riddler
e-mail: ther1ddler@fuckMicrosoft.com

9.1. RECOMMENDED READING

http://www.theregister.co.uk/content/4/18002.html
http://www.findarticles.com/m0CGN/37.../article.jhtml
http://www.mobtown.org/news/archive/msg00492.html
http://194.159.40.109/05069801.htm
http://www.yarbles.demon.co.uk/mssniff.html
http://www.macintouch.com/o98security.html
http://www.theregister.co.uk/content/archive/3079.html
http://www.fsm.nl/ward/
http://slashdot.org
http://www.peacefire.org
http://stopcarnivore.org
http://nomorefakenews.com
http://grc.com/steve.htm#project-x

----------------------------------------------------------------------------------------
BTW: Two things:
1) I thought those that dual boot might appreciate this too....
2) the Riddler's not just being rude, that's a real Email address.... and a real site.


PM
-------------------------------------------------------------

Last edited by Post Modern; 04-10-2005 at 12:50 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
The Most Secure Linux System Is Embedded Linux That's Jumpered t3gah Linux - Security 2 06-12-2005 08:49 PM
VSFTPD with secure & non-secure logins Ricci Graham Linux - Software 5 04-07-2005 04:12 PM
Secure email (SSL vs. secure authentication) jrdioko Linux - Newbie 2 11-28-2004 01:39 PM
Linux Secure? garr0323 Linux - General 7 02-15-2004 02:52 PM
boot options: linux-secure, linux-nonfb etc Li-Wen Linux - General 1 01-17-2004 02:14 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:19 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration