Security, hacker detection & forensics FAQ

Small Network Security

How do I block Kazaa, Yahoo, AIM, and programs that port roam? by PcLinuxGuru
Posted: 29 Mar 03 (Edited 22 Jul 03)

If you have been searching for a cheap, effective means of blocking this type of software, then here is your answer. I blocked Yahoo, Kazaa and all those other programs that port roam (such applications can change the port, so blocking a specific static port or ports is of no use).

This will also work on programs like Wingate, for which there is no port to block because it routes traffic.

1) Go to www.sysinternals.com, then get and install pstools on the server or machine that will be doing the scanning as stated below (it doesn't have to be a server).

2) Create a batch script similar to:

@ECHO OFF
:loop
REM All of the following is one line; do NOT hit enter
REM The ^ escapes the pipe (|) so that it runs inside the for /F command.

for /F %%a in ('net view ^| find "\\" ') do pslist %%a | find "ypager" /I && pskill %%a ypager >> d:\shutdownlog.txt && psloggedon %%a >> d:\shutdownlog.txt && shutdown -r -t 60 -m "This computer has found that you are using Yahoo Instant Messenger. You have been reported and the computer will be rebooted. Your account will be suspended." -f %%a
REM You can hit enter now
goto loop

3) For each program you're going to block, you need to add:

for /F %%a in ('net view ^| find "\\" ') do pslist %%a | find "process name" /I && pskill %%a process name >> d:\shutdownlog.txt && psloggedon %%a >> d:\shutdownlog.txt && shutdown -r -t 60 -m "Message you want offender to see." -f %%a

 So if I was going to block Yahoo AND Kazaa then my script would look like:

@ECHO OFF
:loop
for /F %%a in ('net view ^| find "\\" ') do pslist %%a | find "ypager" /I && pskill %%a ypager >> d:\shutdownlog.txt && psloggedon %%a >> d:\shutdownlog.txt && shutdown -r -t 60 -m "This computer has found that you are using Yahoo Instant Messenger. You have been reported and the computer will be rebooted. Your account will be suspended." -f %%a

for /F %%a in ('net view ^| find "\\" ') do pslist %%a | find "kazaa" /I && pskill %%a kazaa >> d:\shutdownlog.txt && psloggedon %%a >> d:\shutdownlog.txt && shutdown -r -t 60 -m "This computer has found that you are using Kazaa. You have been reported and the computer will be rebooted. Your account will be suspended." -f %%a

goto loop

4) Run the batch script and have fun.

What this script does is basically a net view to get the computer names. Then it does a pslist (downloaded from sysinternals) and looks for the ypager process (Yahoo Instant Messenger). If it finds it, it kills the process and writes to the shutdownlog file. You can end it there if you want, but I go a step further because I want to know who did it. So a psloggedon is done on that computer and written to the log, so I know the user's login name and the TIME (I do this to dispute or support their excuses, for example if they were not there at the TIME of the offense). You can end it there also, but I work in a school and I am serious about installing this junk, so I run psshutdown (I renamed the file to shutdown) on the machine with the message and a 60 second time delay, which lets them know they have been busted and shuts down the machine.

Now you run the batch file and every now and then look at the shutdown log to see who you have snared. Now you have all the information you need, and if you want you can go to the specific computer, pull up the ownership of the illegal software and print the screen. Take all that to their boss.

I work in a college environment with about 800 students and their accounts get disabled when they install software like this.

Now where did I put my CD for Quake :)

Please note that this has only been tested on server operating systems running Windows. This includes Windows XP, NT 4 w/sp6 and Windows 2000 Advanced Server. This is meant for networks, not single machines. The server scans all the workstations on the network.

Have fun!!!
Bill
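
An added example, not part of the original FAQ: the script's `find "name" /I` test matches any pslist line that merely contains the string, so this Python code parses pslist-style output and flags only exact process-name matches, which is the check to make before a kill or reboot is triggered. The sample listing, the host names and the `nokazaa_scan` process are constructed, and the column layout is an assumption based on pslist's default listing.

```python
import re

# Process names to flag; compared case-insensitively against the whole Name column.
BLOCKLIST = {"ypager", "kazaa"}

# Constructed sample of pslist-style output for two hypothetical hosts.
SAMPLE = """\
Process information for LAB-PC01:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     3:10:05.125     0:00:00.000
explorer           1204   8  14  412   9120     0:00:12.031     3:09:40.218
YPager             2316   8   9  233   6544     0:00:03.515     0:42:10.902

Process information for LAB-PC02:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     1:02:11.000     0:00:00.000
nokazaa_scan       1880   8   3   61   1420     0:00:00.203     0:10:02.114
"""

HOST_RE = re.compile(r"^Process information for (\S+?):\s*$", re.I)
# Name, Pid, then Pri/Thd/Hnd/Priv and the two time columns (assumed layout).
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)(?:\s+\d+){4}\s+[\d:.]+\s+[\d:.]+\s*$")

def parse_pslist(text):
    """Yield (host, process_name, pid) for every process row in the listing."""
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and host:
            yield host, m.group("name"), int(m.group("pid"))

def exact_hits(text, blocklist=BLOCKLIST):
    """Rows whose process name equals a blocklisted name (case-insensitive)."""
    return [(h, n, p) for h, n, p in parse_pslist(text) if n.lower() in blocklist]

def substring_hits(text, blocklist=BLOCKLIST):
    """Lines a `find "name" /I` filter would match: the string anywhere in the line."""
    return [ln for ln in text.splitlines() if any(b in ln.lower() for b in blocklist)]

if __name__ == "__main__":
    print("exact:", exact_hits(SAMPLE))
    print("substring:", len(substring_hits(SAMPLE)), "lines")
```

On the constructed sample the substring filter matches two lines, while the exact match flags only `YPager` on LAB-PC01.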
