[Dshield] Windoze Questions...SAMBA + Windows AD Question

allan.vanleeuwen@orangemail.nl allan.vanleeuwen at orangemail.nl
Tue Feb 24 11:42:43 GMT 2004

'sounds like you're either infected with viri or you're 0wned.'

I'm sorry, where did he say anything like that ?
I think laurie is just pre-paranoid ... 

Cable modem lights can light up, if you are being scanned from outside ...
Doesn't mean you're owned !
HD leds lighting up, can be anything from scheduled job to delayed write
cache emptying itself. Can even be the indexing service, which actually
checks to make sure the machine is IDLE, and then starts indexing the entire
HD .... Neither of these mean he got owned.
And if laurie stays paranoid like this, I don't think he ever WILL be owned
... He's taking the right precautions.


-----Original Message-----
From: David Vincent [mailto:david.vincent at mightyoaks.com] 
Sent: dinsdag 24 februari 2004 5:20
To: General DShield Discussion List
Subject: RE: [Dshield] Windoze Questions...SAMBA + Windows AD Question

> Earlier on last week I sent an email to the CBL Administration Manager
> stating that 'I cannot guarantee the security of the internal 
> network while
> XP/2000 boxes are connected to the network, until a patch is 
> released for
> the latest exploit'. I then removed server access to all Win 
> 2000 boxes, but
> have been overruled on blocking network access for the one XP 
> box (that has
> not been made available for maintenance for over 6 months 
> despite numerous
> requests (another overrule)). I have also been overruled on 
> shutting down
> the server and firewall during the day, disconnecting them 
> from the network,
> and re-setting passwords in the safest environment, whenever 
> I notice the
> Server HDD lights and the cable modem lights going crazy, with nobody
> accessing them. Last Friday I tried to access the Win2000 IDS 
> box (after a
> safe reset of the Samba server root password, and safe 
> password reset on the
> Win2000 box/IDS) but received the message 'The Administrator 
> has blocked
> access to this computer'. I know that the person who uses the 
> XP box is
> incapable of administering the network. I am now on a win 98 box with
> msasn1.dll removed.

laurie, go to http://www.sysinternals.com and get yourself a copy of
tcpview.  also go and get "stinger" from the mcaffee website.
http://vil.nai.com/vil/stinger/  give those a whirl on your server.  stinger
will take care of the most recent viri, tcpview will show you all the open
connections to your server and where the exes are that are being exploited.

sounds like you're either infected with viri or you're 0wned.

also sounds like the administration doesn't care.  that sucks.

also sounds like you have a lot of work ahead of you.  :(


list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is alleen
bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt,
wordt u verzocht de inhoud niet te gebruiken en de afzender direct te
informeren door het bericht te retourneren. Hoewel Orange maatregelen heeft
genomen om virussen in deze email of attachments te voorkomen, dient u ook
zelf na te gaan of virussen aanwezig zijn aangezien Orange niet
aansprakelijk is voor computervirussen die veroorzaakt zijn door deze

The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail. Although Orange has taken steps to ensure that
this email and attachments are free from any virus, you do need to verify
the possibility of their existence as Orange can take no responsibility for
any computer virus which might be transferred by way of this email.

More information about the list mailing list