On 08/17/2015 07:35 AM, Nomen Nescio wrote:
Caught these records that actually got an ACK and returned an OK:
103 2015-08-16 20:37:37.831756 198.15.216.135 me.net HTTP 274 5270 GET http://www.msftncsi.com/ncsi.txt HTTP/1.1
104 2015-08-16 Seq=1 Ack=221 Win=15544 Len=0
105 2015-08-16 20:37:37.832683 me.net 198.15.216.135 HTTP 1259 6583 HTTP/1.1 200 OK (text/html)
Went on to try a GET /HNAP1/ which I had already blocked. The
http://www.msftncsi.com/ncsi.txt is a Microsoft site that returns a
page containing this:
Microsoft NCSI
Explained here: http://blog.superuser.com/2011/05/16/windows-7-network-awareness/
-SEC3 Pinger
That was quite interesting. Looks like another way MS can
track you. I set the value in the registry to zero as suggested;
it was 1 (on).
I am not sure what is going on with such a hit, but it seems like
they actually used my Linux server to go to msftncsi.com.
I block this request from someone hitting my Linux server using
these rules. Only one is probably necessary.
Each rule is on a single line:
iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -m string --string "msftncsi" --algo bm --to 300 -j DROP
iptables -I INPUT 2 -p tcp -m multiport --dports 80,443 -m string --string "HNAP1" --algo bm --to 300 -j DROP
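The two rules above match raw bytes, and `--to 300` limits the search to the first 300 bytes of each packet counted from the start of the IP header. The following is an added example (not code from the post or from iptables itself) that models that window on constructed packets, so you can see which requests the rules would drop and which they would miss. Assumptions not stated in the post: 20-byte IPv4 and 20-byte TCP headers with no options, and that a pattern must fit entirely inside the [--from, --to) byte range; the sample HTTP requests and hostnames are constructed for the demonstration.

```python
"""Model of the iptables string-match window used by the two rules above.

`-m string --algo bm --to 300` tells xt_string to search for the literal
pattern only in the first 300 bytes of each packet, counted from the start
of the IP header. This added example (not code from the post) rebuilds that
window on constructed packets so the rules' hits and misses can be checked
without root or a live firewall. Assumptions not stated in the post: 20-byte
IPv4 and 20-byte TCP headers with no options, and that a pattern must fit
entirely inside the [--from, --to) byte range.
"""

IP_HDR_LEN = 20    # assumption: IPv4 header without options
TCP_HDR_LEN = 20   # assumption: TCP header without options
TO_OFFSET = 300    # the --to 300 from the post

# The post's two INPUT rules, in the order the chain ends up after
# `-I INPUT 1` and `-I INPUT 2`.
RULES = [
    (b"msftncsi", "DROP"),
    (b"HNAP1", "DROP"),
]


def build_packet(payload: bytes) -> bytes:
    """Constructed packet: zeroed IP and TCP headers followed by the payload.
    Only the header lengths matter to the string match, not their contents."""
    return bytes(IP_HDR_LEN + TCP_HDR_LEN) + payload


def string_match(packet: bytes, pattern: bytes, frm: int = 0, to: int = TO_OFFSET) -> bool:
    """Model of xt_string: True when `pattern` lies entirely within packet[frm:to]."""
    return pattern in packet[frm:to]


def first_matching_rule(packet: bytes, to: int = TO_OFFSET):
    """Walk the INPUT chain in order and return (pattern, target) for the
    first rule that fires, or None when the packet would pass both rules."""
    for pattern, target in RULES:
        if string_match(packet, pattern, to=to):
            return pattern, target
    return None


def http_get(path: bytes, host: bytes, extra_headers: bytes = b"") -> bytes:
    """Constructed HTTP/1.1 request payload in the shape of the captured GET."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n" + extra_headers + b"\r\n"


# Constructed packets (not from the capture in the post).
NCSI_PROBE = build_packet(http_get(b"/ncsi.txt", b"www.msftncsi.com"))
HNAP_PROBE = build_packet(http_get(b"/HNAP1/", b"me.net"))
PLAIN_GET = build_packet(http_get(b"/index.html", b"me.net"))
# Same domain string, but only past byte 300 because of a long User-Agent:
# the --to 300 window never sees it.
LATE_MENTION = build_packet(http_get(
    b"/index.html", b"me.net",
    b"User-Agent: " + b"x" * 300 + b"\r\nReferer: http://www.msftncsi.com/\r\n"))
# Legitimate request whose Referer merely mentions the domain early in the
# packet: the rule drops it too, since it matches bytes, not URLs.
REFERER_MENTION = build_packet(http_get(
    b"/blog/ncsi-post", b"me.net", b"Referer: http://www.msftncsi.com/\r\n"))


def verdicts() -> dict:
    """Apply the chain to every constructed packet; values are the rule hit or None."""
    return {
        "ncsi_probe": first_matching_rule(NCSI_PROBE),
        "hnap_probe": first_matching_rule(HNAP_PROBE),
        "plain_get": first_matching_rule(PLAIN_GET),
        "late_mention_to_300": first_matching_rule(LATE_MENTION),
        "late_mention_whole_packet": first_matching_rule(LATE_MENTION, to=len(LATE_MENTION)),
        "referer_mention": first_matching_rule(REFERER_MENTION),
    }


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:28s} -> {'pass' if hit is None else hit[1] + ' on ' + hit[0].decode()}")
```

Two things the model makes visible: the INPUT chain only sees packets arriving at the server, so these rules stop an inbound GET like the captured one before the server can answer it with 200 OK, but they do nothing about connections the server itself originates; and because the match is on raw bytes within a fixed window, a request that merely mentions the string early on is dropped too, while the same string placed after byte 300 (or split across TCP segments) is never seen. Logging the hits (for instance with a LOG target ahead of the DROP) is the usual way to find out which of the two is actually happening.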