[Dshield] Windoze Questions...SAMBA + Windows AD Question

Al Reust areust at comcast.net
Thu Feb 19 01:16:09 GMT 2004


I take no offense, and thank you. Someday, I may have the opportunity to 
take you up on the offer.

My curiosity still asks, was it one machine or all? I have seen that in the 
past with "hotfixes" on a single machine.



At 09:09 AM 2/19/2004 +1000, you wrote:
>----- Original Message -----
>From: "Al Reust" <areust at comcast.net>
>To: "General DShield Discussion List" <list at dshield.org>
>Sent: Tuesday, February 17, 2004 2:49 PM
>Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question
> > Laurie
> >
> > If you use remote administration, it is a good thing that Snort tells you
> > someone hooked into IPC$. It should be (the remote IP) within your IP
> > range (DHCP or known remote IPs); if it is outside your IP range then you have a
> > compromised system and the IP where it came from. Depending on your actual
> > setup you could be seeing something that is quite normal (internal
> > application touching the server).
>I do NOT use remote administration and there is no external access allowed
>through the company hardware firewall. All machines are patched and have the
>latest AV updates every day, some with multiple AVs. There are many layers
>of protection in the network I maintain, including S/W firewalls on all
>boxes. The Samba server is locked up tight and no other servers are enabled.
> > However, to remove those pesky administrative/hidden shares, Microsoft
> > explains how to hide or remove them (yes, some registry editing is
> > required, and once you have accomplished that you can replicate it).
>I never liked those shares and I have been working with software from
>Motorola Assembler at Uni (B.Sc.(comp) 1993), to MS software from (DOS
>(Disk Operating System)) Basica, Quick Basic, Visual Basic DOS V1, MS-FP
>from FP2.6 to MS VFP Win 7.0 among others. I originally started working in
>databases with Kman (MDBS) then switched to other Xbase variants. I actually
>prefer CA's dBfast (on 95, 98a&b, 2000 and XP) because it has a basic rule
>set that doesn't change over time (since '95), not to mention speed and a
>very transparent code-based event loop.
>I worked for Civil Engineering Consulting Engineers, prior to switching to
>comms in the field for Telecom Australia working on complex exchange
>cutovers (when the power went out our phones kept working), then I switched
>to software development and worked for the District Telecom
>Engineers/Engineering Managers on various Design office projects and finally
>the Queensland Networks manager. Our engineering section introduced the
>first cable TV network in Australia. I have been working on network security
>for the last couple of years.
>The only 'unauthorised' access to our network has been via our government
>and MS 'patches' as explained in my previous DShield post 'Unauthorised
>program access', while all of the multiple layers of (up to date) protection
>have said nothing is wrong. Let's face reality, the 'integration' of many MS
>products from Win2000/XP on has opened up a Pandora's box for all kinds of
>hackers (I don't hack). The KIS rule has been broken and everybody faces the
> > So now that you have gotten that out of your system, are there questions
> > that we can help with?
> >
>So now that you have gotten that out of your system, are there any questions
>that I can help you with?
>Laurence N. Kennedy
>Competency Based Learning
>p.s. Al and list, please note that this is not a 'flame', there are some
>very serious problems with things and unless the current 'sophist-icated'
>attitudes change, things will only get worse.
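As an added example (not code from the list post or from DShield), here is the check Al describes above applied to Snort alert lines: IPC$ share-access alerts are kept, and each source IP is compared against the trusted DHCP scope and known remote admin addresses. The alert lines, rule IDs and trusted ranges are constructed for illustration.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines (not taken from the list post).
SAMPLE_ALERTS = """\
02/17-14:49:01.123456  [**] [1:530:8] NETBIOS SMB IPC$ share access [**] [Priority: 3] {TCP} 192.168.1.15:1045 -> 192.168.1.2:139
02/17-14:50:07.654321  [**] [1:530:8] NETBIOS SMB IPC$ share access [**] [Priority: 3] {TCP} 203.0.113.7:3322 -> 192.168.1.2:445
02/17-14:51:12.000001  [**] [1:1000:1] SOME OTHER RULE [**] [Priority: 2] {TCP} 10.0.0.9:5000 -> 192.168.1.2:80
"""

# Assumed trusted ranges: the LAN's DHCP scope plus one known remote admin IP.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "198.51.100.17/32")]

# Pulls rule id, message, protocol and the source/destination endpoints out of one alert line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def classify_ipc_alerts(text, trusted=TRUSTED_NETS):
    """Keep only IPC$ alerts and label each by whether its source is in a trusted range.

    Returns a list of (src, dst, verdict) tuples; an untrusted source is the case
    Al's message calls out as a sign of a compromised system.
    """
    results = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None or "IPC$" not in alert["msg"]:
            continue
        src = ipaddress.ip_address(alert["src"])
        verdict = "expected" if any(src in net for net in trusted) else "INVESTIGATE"
        results.append((alert["src"], alert["dst"], verdict))
    return results


if __name__ == "__main__":
    for src, dst, verdict in classify_ipc_alerts(SAMPLE_ALERTS):
        print(f"{verdict:12} IPC$ access {src} -> {dst}")
```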