[Dshield] Windoze Questions...SAMBA + Windows AD Question

Laurie Kennedy cblmaint at cblptyltd.com.au
Thu Feb 19 22:15:19 GMT 2004


Hello Al and List,

The PC in question was the Win2000 pro hardware firewall Console/IDS
machine.

All machines are patched/updated daily/as required, but it looks like the
main target was the firewall console. Unless you use a laptop or another PC
that does not have access to both Win/Linux, your hardware firewall could be
vulnerable. I have noticed that several of the latest 'hotfixes' appear to
be processor specific and the patch is applied on one type of CPU but not
the other.

Regards,

Laurie

----- Original Message ----- 
From: "Al Reust" <areust at comcast.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, February 19, 2004 11:16 AM
Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question


> Laurence
>
> I take no offense and Thank You. Someday, I may have the opportunity to
> take you up on the offer.
>
> My curiosity still asks, was it one machine or all? I have seen that in the
> past with "hotfixes" on a single machine.
>
> Regards
>
> Al
>
> At 09:09 AM 2/19/2004 +1000, you wrote:
> >----- Original Message -----
> >From: "Al Reust" <areust at comcast.net>
> >To: "General DShield Discussion List" <list at dshield.org>
> >Sent: Tuesday, February 17, 2004 2:49 PM
> >Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question
> >
> >
> > > Laurie
> > >
> > > If you use remote administration, it is a Good thing that Snort tells you
> > > someone hooked into IPC$. It should be (the remote IP) within your IP range
> > > (DHCP or known remote IP's), if it is outside your IP range then you have a
> > > compromised system and the IP where it came from. Depending on your actual
> > > setup you could be seeing something that is quite normal (internal
> > > application touching the server).
> >
> >Al,
> >
> >I do NOT use remote administration and there is no external access allowed
> >through the company hardware firewall. All machines are patched and have the
> >latest AV updates every day, some with multiple AV's. There are many layers
> >of protection in the network I maintain including S/w firewalls on all
> >boxes. The Samba Server is locked up tight and no other servers are enabled.
> >
> > > However to remove those pesky administrative/hidden shares, Microsoft
> > > explains how to create Hidden or Remove them (yes some registry editing is
> > > required and once you have accomplished that you can replicate it)
> >
> >I never liked those shares and I have been working with software from
> >Motorola Assembler at Uni (B.Sc.(comp) 1993), to MS software from (DOS
> >(Disk Operating System)) Basica, Quick Basic, Visual Basic Dos V1, MS-FP
> >from FP2.6 to MS VFP Win 7.0 among others. I originally started working in
> >databases with Kman (MDBS) then switched to other Xbase variants. I actually
> >prefer CA's dBfast (on 95, 98a&b, 20000 and XP) because it has a basic rule
> >set that doesn't change over time (since '95), not to mention speed and a
> >very transparent code based event loop.
> >
> >I worked for Civil Engineering Consulting Engineers, prior to switching to
> >comms in the field for Telecom Australia working on complex exchange
> >cutovers (when the power went out our phones kept working), then I switched
> >to software development and worked for the District Telecom
> >Engineers/Engineering Managers on various Design office projects and finally
> >the Queensland Networks manager. Our engineering section introduced the
> >first cable TV network in Australia. I have been working on network security
> >for the last couple of years.
> >
> >The only 'unauthorised' access to our network has been via our government
> >and MS 'patches' as explained in my previous DShield post 'Unauthorised
> >program access', while all of the multiple layers of (up to date) protection
> >have said nothing is wrong. Let's face reality, the 'integration' of many MS
> >products from Win2000/XP on has opened up a Pandora's box for all kinds of
> >hackers (I don't hack). The KIS rule has been broken and everybody faces the
> >consequences.
> >
> > > So now that you have gotten that out of your system. Are there questions
> > > that we can help with.
> > >
> >
> >So now that you have gotten that out of your system. Are there any questions
> >that I can help you with.
> >
> >Regards,
> >
> >Laurence N. Kennedy
> >Competency Based Learning
> >
> >p.s. Al and list, please note that this is not a 'flame', there are some
> >very serious problems with things and unless the current 'sophist-icated'
> >attitudes change, things will only get worse.
> >
>
>
>
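
The check Al describes in the quoted message (is the remote IP on an IPC$ alert inside your own ranges?), written out as an added example that is not part of the original thread. It assumes Snort "fast" alert lines; the trusted ranges, the sample alerts, their SIDs and all addresses are constructed for illustration.

```python
import ipaddress
import re

# Assumed trusted ranges (hypothetical): the LAN's DHCP pool plus one known remote IP.
TRUSTED = [ipaddress.ip_network("192.168.10.0/24"),
           ipaddress.ip_network("203.0.113.25/32")]

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (not from the thread); SIDs are placeholders.
SAMPLE = """\
02/17-14:49:01.100000  [**] [1:1000001:1] NETBIOS SMB IPC$ share access [**] [Priority: 3] {TCP} 192.168.10.23:1045 -> 192.168.10.5:139
02/17-14:52:40.200000  [**] [1:1000001:1] NETBIOS SMB IPC$ share access [**] [Priority: 3] {TCP} 198.51.100.77:4312 -> 192.168.10.5:445
02/17-14:53:02.300000  [**] [1:1000002:1] ICMP PING [**] [Priority: 3] {ICMP} 198.51.100.77 -> 192.168.10.5
02/17-15:10:11.400000  [**] [1:1000001:1] NETBIOS SMB IPC$ share access [**] [Priority: 3] {TCP} 203.0.113.25:2001 -> 192.168.10.5:139
this line is truncated garbage
"""

def triage_ipc_alerts(text, trusted=TRUSTED):
    """Return (expected, suspicious) lists of (src, dst) for IPC$ alerts."""
    expected, suspicious = [], []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m or "IPC$" not in m["msg"]:
            continue  # unparseable line, or an alert from a different rule
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # digits and dots that are not a valid IPv4 address
        # Source inside a known range: possibly normal internal traffic.
        # Source outside every known range: the case to investigate.
        bucket = expected if any(src in net for net in trusted) else suspicious
        bucket.append((m["src"], m["dst"]))
    return expected, suspicious

if __name__ == "__main__":
    ok, bad = triage_ipc_alerts(SAMPLE)
    for src, dst in bad:
        print(f"INVESTIGATE: IPC$ connection to {dst} from outside known ranges: {src}")
    print(f"{len(ok)} IPC$ alert(s) from known ranges")
```
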



