Archive for Windows

A testament to Windows security.

James and I rent one floor of a house, and one of the people upstairs is this high school guy, maybe 16 or 17. He finally got a computer to share between him and his mom, and James and I - who “own” the Internet connection here - added an extra LAN cable for them. He came down here at about 8:30 to ask how to hook up his new system (brand new, so we’re assuming XPSP2). We tell him just plug-and-play, since the LAN is DHCP. So he’s good to go.

I merrily go on my way, playing Warcraft with a nice ping of 70ms. Yeah! Suddenly, at about 9:30, my ping spikes to 500ms and stays there. Wondering what’s going on, I logged out of Warcraft and fired up iptraf (a traffic monitor) on our Linux router box in the closet.

James and I witness a flurry of activity from the upstairs LAN connection. It’s attempting to connect to port 135 of random computers. Well, not random actually. The opposite. It’s going x.x.x.1, x.x.x.2, and so on, faster than the screen can refresh. Port 135 is (of course) the Windows RPC endpoint mapper, the port DCOM sits behind. Can this traffic be generated by the kid? Is he a l33t hacker? No. The subsequent connections on port 25 say the opposite.

He got infected with a spam trojan. In less than two hours. Very, very nice. Whose fault is this? Is it his? A kid gets a computer with his mom, and there’s no geek in the house to explain to him “By the way, don’t fucking use Internet Explorer”. You’d think he’d be able to surf around the web without this fucking happening.

So now, since James and I feel somewhat responsible for the IP space allocated to us, we’ll be blocking outbound ports 25 and 135 from our LAN to the outside. Go Microsoft!

The icing on the cake will be when I get spam and trace it back to my own place of residence :-)

P.S.: It’s scanning port 135 to search for boxes still open to that DCOM exploit so it can spread itself. And the average person would have no fucking clue that their system is doing these things - except when they complain to people (like me) that their system is “slowing down”.

P.P.S.: Now that the filter is in, we’re seeing it scan 200 IP addresses every second or so. W00t!
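The pattern above (one host walking consecutive addresses on port 135, then opening outbound SMTP) is easy to spot from the infected machine’s own logs. The following is an added example, not something from the original post: a PowerShell function that reads Windows Firewall log entries and flags hosts behaving this way. The log lines are constructed for the example in the W3C layout XP SP2’s pfirewall.log uses (it is assumed that logging of successful outbound connections is switched on, otherwise only DROP lines appear); the thresholds are assumptions, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges, not real targets.

```powershell
# Added example (not from the original post). Flags hosts that sweep port 135
# across consecutive addresses and also open outbound SMTP connections.
# The log below is CONSTRUCTED to look like an XP SP2 pfirewall.log.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-10-15 21:31:02 OPEN TCP 192.168.1.10 198.51.100.7 1201 80 - - - - - - - - SEND
2004-10-15 21:31:02 OPEN TCP 192.168.1.23 203.0.113.1 1034 135 - - - - - - - - SEND
2004-10-15 21:31:02 OPEN TCP 192.168.1.23 203.0.113.2 1035 135 - - - - - - - - SEND
2004-10-15 21:31:02 OPEN TCP 192.168.1.23 203.0.113.3 1036 135 - - - - - - - - SEND
2004-10-15 21:31:02 OPEN TCP 192.168.1.23 203.0.113.4 1037 135 - - - - - - - - SEND
2004-10-15 21:31:03 OPEN TCP 192.168.1.23 203.0.113.5 1038 135 - - - - - - - - SEND
2004-10-15 21:31:03 OPEN TCP 192.168.1.23 203.0.113.6 1039 135 - - - - - - - - SEND
2004-10-15 21:31:03 OPEN TCP 192.168.1.23 203.0.113.7 1040 135 - - - - - - - - SEND
2004-10-15 21:31:03 OPEN TCP 192.168.1.23 203.0.113.8 1041 135 - - - - - - - - SEND
2004-10-15 21:31:04 OPEN TCP 192.168.1.23 198.51.100.25 1042 25 - - - - - - - - SEND
2004-10-15 21:31:05 OPEN TCP 192.168.1.23 198.51.100.26 1043 25 - - - - - - - - SEND
'@

function ConvertTo-IPNumber([string]$ip) {
    # Big-endian integer form, so consecutive addresses differ by exactly 1.
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    return ([uint32]$b[0] * 16777216) + ([uint32]$b[1] * 65536) + ([uint32]$b[2] * 256) + [uint32]$b[3]
}

function Find-Port135Sweep {
    param(
        [string[]]$Lines,
        [int]$MinTargets = 5,       # assumed: distinct port-135 targets before we care
        [double]$MinPerSecond = 2   # assumed: scan rate (the post saw ~200/s)
    )
    $conns = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }            # W3C header / blank lines
        $f = -split $line
        if ($f[2] -ne 'OPEN' -or $f[3] -ne 'TCP' -or $f[-1] -ne 'SEND') { continue }
        New-Object PSObject -Property @{
            Time  = [datetime]"$($f[0]) $($f[1])"
            Src   = $f[4]
            Dst   = $f[5]
            DPort = [int]$f[7]
        }
    }
    foreach ($group in ($conns | Group-Object Src)) {
        $rpc  = @($group.Group | Where-Object { $_.DPort -eq 135 })
        $smtp = @($group.Group | Where-Object { $_.DPort -eq 25 } | Select-Object -ExpandProperty Dst -Unique)
        if ($rpc.Count -lt $MinTargets) { continue }

        # Sequential-sweep check: how many targets sit exactly one address above
        # the previous one (x.x.x.1, x.x.x.2, ...).
        $nums = @($rpc | ForEach-Object { ConvertTo-IPNumber $_.Dst } | Sort-Object -Unique)
        $steps = 0
        for ($i = 1; $i -lt $nums.Count; $i++) { if ($nums[$i] - $nums[$i - 1] -eq 1) { $steps++ } }
        $times   = @($rpc | ForEach-Object { $_.Time } | Sort-Object)
        $seconds = [math]::Max(1, ($times[-1] - $times[0]).TotalSeconds)
        $rate    = $nums.Count / $seconds

        if ($steps -ge ($nums.Count - 1) * 0.8 -and $rate -ge $MinPerSecond) {
            $verdict = 'RPC sweep: likely worm'
            if ($smtp.Count -gt 0) { $verdict = 'RPC sweep plus outbound SMTP: likely spam trojan' }
            New-Object PSObject -Property @{
                Host           = $group.Name
                Port135Targets = $nums.Count
                TargetsPerSec  = [math]::Round($rate, 1)
                SmtpTargets    = $smtp.Count
                Verdict        = $verdict
            }
        }
    }
}

Find-Port135Sweep -Lines ($sampleLog -split "`r?`n") | Format-List
```

On the constructed log this reports 192.168.1.23 only: eight consecutive port-135 targets inside one second plus two SMTP targets, while the host browsing port 80 is ignored. To run it against a real log replace `$sampleLog` with `Get-Content $env:windir\pfirewall.log`; the sequential check is what separates a worm from a legitimate program that happens to use RPC.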

Comments (6)

Yes, Windows is expensive.

Tim Bray gets a server pricing surprise and realizes that Windows costs more than the hardware itself (at least from Dell).

Comments (7)

Windows XP Internet connection sharing logging.

I posted this question to Ask Metafilter and got no real answers yet, and I’m still looking for a solution:


I use the Windows XP Professional Internet Connection Sharing to dish out my DSL access to a couple of people residing in the same location. How do I find just basic log information about this service? It magically dishes out DHCP access to them, but I can’t even find how many IP addresses have been assigned, how many connections are active, and so on.

Ethereal was suggested (I just want the basics), and I’ve tried tools from netstat to ActivePorts. Windows XP actually hides all the connections that are being masqueraded from me. If I ever find an answer I’ll put it here.

Comments (3)

How to use liposuction to repair Adobe Reader 6.

The Inquirer has some decent instructions on speeding up Acrobat Reader that seem to work like a charm for my system. Via Curiosity is Bliss.

Comments (4)

Windows networking madness.

I discovered two cool tricks about the Windows networking system when I posed a question to Ask Metafilter yesterday. Basically my system has a static IP address at work and a dynamic one at home, and I wanted a more convenient method of switching between the two modes.

The solution I’ll use is the Alternate Configuration in a NIC’s TCP/IP properties. If the DHCP request fails, the alternate manual addresses are used instead. I’ve Googled forever and never found this - the perfect answer for my situation.

The other proposed workaround is the built-in Windows command tool “netsh”. Again, I’d never heard of this before. It’s a shell that allows you to perform all sorts of really cool operations with the networking system, such as changing IP addresses, configuring the firewall, disabling interfaces, and so on. And it seems to be scriptable from batch files, which makes it even more powerful.

The only thing that worries me about netsh is the idea that a malicious program can invoke the commands itself, altering your firewall so that its actions are allowed. Hmmm. If I didn’t have a different firewall that might concern me. Still an excellent tool though.
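As an added example (not the original post’s script), here is the netsh approach turned into a small PowerShell wrapper that flips one NIC between the home (DHCP) and work (static) setups, and then prints what the firewall currently lets through. The interface name and the work addresses are assumed placeholders; the firewall commands use the XP SP2 `netsh firewall` context. Note the caveat about malicious programs: `netsh firewall add allowedprogram` only works for an administrator, so the real exposure is running day-to-day as an administrator, and the `show` commands at the end are how you audit what has been added behind your back.

```powershell
# Added example (not from the original post). Usage: .\nic.ps1 work | home
# With no argument it just lists the firewall exceptions and the NIC config.
$Nic      = 'Local Area Connection'   # assumed: check with "netsh interface ip show config"
$WorkIP   = '10.1.2.50'               # assumed static address at work
$WorkMask = '255.255.255.0'
$WorkGw   = '10.1.2.1'
$WorkDns  = '10.1.2.10'

function Set-WorkProfile {
    # Static address, default gateway and DNS for the office network.
    netsh interface ip set address name="$Nic" source=static addr=$WorkIP mask=$WorkMask gateway=$WorkGw gwmetric=1
    netsh interface ip set dns name="$Nic" source=static addr=$WorkDns
}

function Set-HomeProfile {
    # Back to DHCP for both the address and the DNS servers.
    netsh interface ip set address name="$Nic" source=dhcp
    netsh interface ip set dns name="$Nic" source=dhcp
}

function Show-FirewallExceptions {
    # Anything running as an administrator can add itself with
    # "netsh firewall add allowedprogram", so review this list after installs.
    netsh firewall show allowedprogram
    netsh firewall show portopening
}

switch ($args[0]) {
    'work'  { Set-WorkProfile }
    'home'  { Set-HomeProfile }
    default { Show-FirewallExceptions }
}
netsh interface ip show config name="$Nic"
```

The same `netsh interface ip set address` lines can go straight into a .bat file if PowerShell is not installed; the point is that the switch is one command per direction instead of a trip through the TCP/IP properties dialog.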

Comments (3)

Unwanted Windows XP connections to sa.windows.com

This is probably an old piece of information, but it was fairly new to me. I’ve found that my computer was periodically connecting to (and attempting to connect to) a site called sa.windows.com. After many Google Groups searches it appears that the Windows “Search Assistant” is constantly updating itself through a web service located at that machine. Thankfully it’s easy to turn off. Go to the registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Cabinet State” and add a String (REG_SZ) value named “Use Search Asst” with the data “no”. Do it for all the users on your system that log in.

This is one of the things that piss me off about web services - they’re a total bitch to block with a firewall since they all use port 80 and most of them use the system URL fetching utilities.

Comments (6)

Shared for administrative purposes? Um, no.

Since these Windows tricks I’m uncovering seem mildly popular, I’ll keep posting them (and note to Techknight: send me any good ones you know).

So everyone can see that Windows XP shares by default at least three “drives” - C$, D$ and IPC$. When you try to stop sharing, you’re warned about these being shared for “administrative purposes”. That’s no good for me, since I’m the administrator for my system, and I see absolutely no fucking purpose whatsoever to sharing these folders by default. What’s Microsoft thinking? At least the DCOM/RPC services can be turned off a little more easily, but this is insane.

So I’ve found two ways to stop this. The first is to find the registry key “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters” and add a DWORD value named “AutoShareWks” with the data 0. You’ll note that (after a reboot) C$ and D$ are no longer shared. Awesome.

Unfortunately IPC$ is still shared. I can find no reason behind this. In fact, I can find no purpose to this mysterious IPC$ share at all. (It is the named-pipe share the Server service creates whenever it runs; remote logons, “net use” and the remote administration tools all talk to it, which is why no registry value removes it.) The only way I’ve figured out to get rid of that one is to disable (in Administrative Tools) the service named “Server”. You won’t be able to share any folders from your machine, but for a lot of us that’s a good thing.

This highlights the basic security flaws that are constantly erupting from Windows systems. The default configuration shares three virtual folders for no reason other than “administrative purposes”. Why? Does some poor bastard on a cable modem need to share these? This isn’t rocket science. This is about secure default values, something that other operating systems (Mac OS X, Linux, OpenBSD, etc.) are catching onto a lot more quickly than Windows. Of course, Windows XP SP2 will enable the firewall by default, but I’d bet my left nut that these mysterious folders are still shared.
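The registry edits from this entry and from the earlier sa.windows.com entry (“Use Search Asst” for every user) are the kind of thing worth scripting so they survive a reinstall. The script below is an added example, not the post’s own procedure: it sets AutoShareWks, drops C$ and D$ immediately instead of waiting for a reboot, writes “Use Search Asst” into every currently loaded user hive, optionally disables the Server service as the post describes, and finishes with `net share` so you can see what is left. It assumes an administrator account and a PowerShell on the machine; profiles that are not loaded at the time would need `reg load` first.

```powershell
# Added example (not from the original post). Run as an administrator.
# Usage: .\lockdown-shares.ps1 [-DisableServerService]
param([switch]$DisableServerService)

# 1. Stop lanmanserver recreating C$ and D$ at its next start.
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
Set-ItemProperty -Path $srv -Name AutoShareWks -Value 0 -Type DWord

# Remove the admin shares now rather than after a reboot. IPC$ stays as long
# as the Server service runs; no registry value removes it.
foreach ($share in 'C$', 'D$') {
    if (net share | Select-String -Pattern ('^' + [regex]::Escape($share) + '\s')) {
        net share $share /delete
    }
}

# 2. "Use Search Asst" = no for every user hive that is loaded right now
#    (logged-on users plus the built-in accounts). Skip the *_Classes hives.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
    $cab = Join-Path $hive.PSPath 'Software\Microsoft\Windows\CurrentVersion\Explorer\Cabinet State'
    if (-not (Test-Path $cab)) { New-Item -Path $cab -Force | Out-Null }
    Set-ItemProperty -Path $cab -Name 'Use Search Asst' -Value 'no' -Type String
}

# 3. Optionally stop sharing anything at all, which is the only way to lose IPC$.
if ($DisableServerService) {
    Set-Service -Name lanmanserver -StartupType Disabled
    Stop-Service -Name lanmanserver -Force   # -Force: Computer Browser depends on it
}

# Verify: expect only IPC$ to remain, or nothing if Server was disabled.
net share
```

Disabling Server is the blunt option; it also breaks printer sharing and any remote administration of the box, which is exactly the trade the post is making.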

Comments (14)

Windows XP Service Pack 2 changes.

Chris Pirillo has summed up the changes in Windows XP Service Pack 2, which is (unfortunately) due out next year. Strangely enough half the hardware on my laptop required patches that list their origin as SP2.

Comments

Disable last access time in Windows XP.

This is an awesome performance booster under Linux, and it works just as well under Windows XP (provided that you’re using NTFS). Find the registry key “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem” and set the DWORD value “NtfsDisableLastAccessUpdate” to 1.

Comments (13)

Windows XP AVI Scanning

Found a horrible bug in Windows XP. Explorer has a feature where it scans any AVI files found in the current directory for metadata, such as height, width and length. The problem is that if there’s a corrupt AVI - such as a partially downloaded file - Windows will attempt to scan the entire file by loading it into memory. You’ll know this happens when you browse to a local directory and suddenly your machine grinds to a halt and starts swapping to disk like crazy (even with gobs of RAM). Luckily it’s an easy fix. In the registry, navigate to the key:

HKEY_CLASSES_ROOT\SystemFileAssociations\.avi\shellex\PropertyHandler

And delete the default value (which holds the handler’s CLSID, one of those ungodly hex GUIDs).

Although this does lead me to wonder if someone could cook up a decent replacement that doesn’t crash and can actually read the information on XVid, DivX and so on.
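Deleting a CLSID out of HKEY_CLASSES_ROOT is the kind of edit you want to be able to undo, so here is an added example (not from the original post) that exports both keys before touching them, applies this entry’s fix and the earlier NtfsDisableLastAccessUpdate tweak, and confirms the last-access setting with fsutil without a reboot. The backup folder name is an assumption; everything else is the registry paths the two entries give.

```powershell
# Added example (not from the original post). Run as an administrator.
# Backs up, then applies: NtfsDisableLastAccessUpdate=1 and removal of the
# .avi PropertyHandler. Undo either with: reg import <file>.reg
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$Backup = Join-Path $env:TEMP "xp-tweaks-$stamp"     # assumed backup location
New-Item -ItemType Directory -Path $Backup | Out-Null

# 1. Turn off last-access timestamp updates on NTFS.
$fsReg = 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem'
reg export $fsReg (Join-Path $Backup 'FileSystem.reg') | Out-Null
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" `
                 -Name NtfsDisableLastAccessUpdate -Value 1 -Type DWord
fsutil behavior query disablelastaccess      # reads the live setting back

# 2. Remove the AVI property handler so Explorer stops parsing every .avi.
$aviReg = 'HKCR\SystemFileAssociations\.avi\shellex\PropertyHandler'
$aviPs  = 'Registry::HKEY_CLASSES_ROOT\SystemFileAssociations\.avi\shellex\PropertyHandler'
if (Test-Path $aviPs) {
    reg export $aviReg (Join-Path $Backup 'avi-PropertyHandler.reg') | Out-Null
    $clsid = (Get-ItemProperty -Path $aviPs).'(default)'
    Write-Host "Removing AVI property handler $clsid (backup in $Backup)"
    Remove-ItemProperty -Path $aviPs -Name '(default)'
} else {
    Write-Host 'No .avi PropertyHandler key present; nothing to remove.'
}

Write-Host "Backups written to $Backup"
```

Explorer picks up the missing handler as soon as you open a new window; if you later install a codec pack that re-registers a handler, the key simply comes back and the script can be run again.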

Comments (12)
