Why is my c:\windows\system32 on the intenet?!

[CletusTheDwarf]

So i just discovered today that if I browse to my pc's IP address, it brings up the index of my C:\Windows\System32 directory! you can browse the subfolders, download the files, etc. I am behind a netgear router and even if i turn off http port forwarding to my local ip, it still happens. What is supposed to happen if I go to my ip, is i'm supposed to get a login screen to access a plugin for trillian, which lets me get at my buddy list for anywhere. That works correctly if i use my local ip address. But if i use my global ip, it just shows all my sys32 files! Can someone tell me how to turn that off?

 

[d33pt]

dont worry, that's not really going out over the internet.

 

[CletusTheDwarf]

no, it definitley is. i tried it from a computer on campus.

 

[Brazen]

Are you behind a SOHO router? If so, what happens if you turn off all port forwarding?

 

[CletusTheDwarf]

what is a soho router?

 

[Brazen]

Small Office/Home Office

Things like Linksys, Netgear, and D-Link Cable/DSL routers are SOHO routers.

 

[CletusTheDwarf]

yeah, it's a netgear router. don't see a way to turn off all port forwarding, just one at a time

 

[JackMDS]

Originally posted by: CletusTheDwarfThat works correctly if i use my local ip address. But if i use my global ip, it just shows all my sys32 files! Can someone tell me how to turn that off?

What that means in functional term (local vs. Global)?

Do you have more than one PC on the Network?

If you do, how the connection through the Internet is directed toward the correct PC?

Are you sure that on the computer in question is Not on the DMZ?

I think that when you deselect the open ports one at time, at the end they are all deselected?

:sun:

 

[Goosemaster]

1. on your desktop, right click on your computer and click manage. Sometimes my computer is on the start menu.

2. Double click on 'shared folder' and click once on 'shares'

The only things listed should have dollar signs next to them. Anything else that is shared, and that you do want to have shared, you can remove by right-clicking on it, and selecting 'stop sharing'

 

[nweaver]

shared folders should NOT show up on port 80 (assuming this guy isn't looking for shares, but is instead hitting port 80 with a web browser). Netstat (not sure with windows switches, linux would be a -p) can show you what program is listening to what port.

 

[Goosemaster]

Originally posted by: nweaver
shared folders should NOT show up on port 80 (assuming this guy isn't looking for shares, but is instead hitting port 80 with a web browser). Netstat (not sure with windows switches, linux would be a -p) can show you what program is listening to what port.

oh.. i thought he meant '\\ip' and not '//ip'

yeah....check your ports IMMEDIATELY

 

[CletusTheDwarf]

Originally posted by: JackMDS

Originally posted by: CletusTheDwarfThat works correctly if i use my local ip address. But if i use my global ip, it just shows all my sys32 files! Can someone tell me how to turn that off?

What that means in functional term (local vs. Global)?

Do you have more than one PC on the Network?

If you do, how the connection through the Internet is directed toward the correct PC?

Are you sure that on the computer in question is Not on the DMZ?

I think that when you deselect the open ports one at time, at the end they are all deselected?

:sun:

what i mean is if i use the ip address for the router, it goes to my sys32 directory. but if i go to 192.168.0.3, my local IP, then i get the IM Everywhere login screen.

There are 3 pc's on the network, the router takes care of directing the internet towards the right one.


I also ran several intenet security tests that I found online that scan your ports and such for security holes, and none of them found anything wrong. does this mean I'm fine?

 

[nweaver]

what port? Are you trying to open a share to your computer (i.e \\live.ip.of.router\) or browsing to it with a web browser (i.e. http://ip.of.live.router)?

If you can open a browser to that from anywhere, I would grab your important non executable files and format. Who knows what has happened if people have access to that...hacked executables, configs, etc.

 

[CletusTheDwarf]

here is what i get when i run netstat:

Active Connections

Proto Local Address Foreign Address State
TCP cletusthedwarf:1042 cs52.msg.dcn.yahoo.com:5050 ESTABLISHED
TCP cletusthedwarf:1044 64.12.24.164:5190 ESTABLISHED
TCP cletusthedwarf:1045 baym-cs139.msgr.hotmail.com:1863 ESTABLISHED
TCP cletusthedwarf:1053 oam-d17c.blue.aol.com:5190 ESTABLISHED
TCP cletusthedwarf:1054 205.188.5.88:5190 ESTABLISHED
TCP cletusthedwarf:1055 mail.umich.edu:993 ESTABLISHED
TCP cletusthedwarf:1087 72.14.207.104:http TIME_WAIT

 

[JackMDS]

If you use your External IP locally i.e. typing it to the browser that is one of your LAN's computer, it can do many strange things, but that does Not mean that your are exposed if connected through the Internet.

You have to try your external IP from another location through the Internet.

If you want to see Live the computer?s ports action download and run this free program: http://www.sysinternals.com/Utilities/TcpView.html

:sun:

 

[Rogue]

Install and run fport by Foundstone:

http://www.foundstone.com/index.htm?sub...bcontent=/resources/proddesc/fport.htm

If you see system32 associated with a network session, chances are it's a rootkit of some kind.

 

[CletusTheDwarf]

jackMDS, i have tried it from another location and the sys32 directory still comes up.

 

[nweaver]

try netstat -v -b to get program stuff (or PID) and see if you can track down anything.

 

[CletusTheDwarf]

here's what i get:

C:\Documents and Settings\Evan>netstat -v -b

Active Connections

Proto Local Address Foreign Address State PID
TCP cletusthedwarf:1042 cs52.msg.dcn.yahoo.com:5050 ESTABLISHED 29
4
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
D:\Internet Programs\Trillian\plugins\yahoo.dll
-- unknown component(s) --
[trillian.exe]

TCP cletusthedwarf:1044 64.12.24.164:5190 ESTABLISHED 2904
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
D:\Internet Programs\Trillian\plugins\aim.dll
-- unknown component(s) --
[trillian.exe]

TCP cletusthedwarf:1045 baym-cs139.msgr.hotmail.com:1863 ESTABLISHED
2904
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
D:\Internet Programs\Trillian\plugins\msn.dll
-- unknown component(s) --
[trillian.exe]

TCP cletusthedwarf:1053 oam-d17c.blue.aol.com:5190 ESTABLISHED 290

C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
D:\Internet Programs\Trillian\plugins\aim.dll
-- unknown component(s) --
[trillian.exe]

TCP cletusthedwarf:2641 205.188.5.88:5190 ESTABLISHED 2904
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
D:\Internet Programs\Trillian\plugins\aim.dll
-- unknown component(s) --
[trillian.exe]

TCP cletusthedwarf:2643 mail.umich.edu:993 ESTABLISHED 4040
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\inetcomm.dll
C:\Program Files\Common Files\SYSTEM\MSMAPI\1033\pstprx32.dll
[OUTLOOK.EXE]

TCP cletusthedwarf:3389 eecs4440p21.engin.umich.edu:1639 ESTABLISHED
708
-- unknown component(s) --
[svchost.exe]

TCP cletusthedwarf:2646 oe.bay108.hotmail.com:http TIME_WAIT 0