[Dshield] Windoze Questions...SAMBA + Windows AD Question

Laurie Kennedy cblmaint at cblptyltd.com.au
Wed Feb 25 00:00:45 GMT 2004


Hello David, List and Moderators,

----- Original Message ----- 
From: "David Vincent" <david.vincent at mightyoaks.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, February 24, 2004 2:20 PM
Subject: RE: [Dshield] Windoze Questions...SAMBA + Windows AD Question


> laurie, go to http://www.sysinternals.com and get yourself a copy of
> tcpview.

The only external access from the Linux Samba server is to update the MS-RAV
anti virus. I also run SAINT (the last free version) each month to determine
internal weaknesses (management has been informed multiple times). I do not
save the root session details and shut down, remove network access, then
change the root passwords off line, prior to restarting the server. On most
days the server is turned on with no root access whatsoever, until it is
shut down. I am not allowed to shut down the server during the day to
perform safe user access modifications.

>also go and get "stinger" from the mcaffee website.
> http://vil.nai.com/vil/stinger/  give those a whirl on your server.
stinger
> will take care of the most recent viri, tcpview will show you all the open
> connections to your server and where the exes are that are being
exploited.

I have been using, updating and running Stinger on the XP/Win2000 boxes for
the past 9 months now. Every scan comes out clear. The XP box in question
has ISP supplied SPAM/Virus filters, MS-WIN-RAV, VET, and Zone alarm
installed with all A/V auto updated and clean. The MS-WIN-RAV shows the mail
as being 'clean', but the MS-RAV-LINUX on the Samba server chokes and tries
to contact an IP in CANBERRA in the Australian Capital Territory ACT,
(blocked by the hardware firewall) when it scans the XP Box emails. I have
told Administration that I need at least 6 hours to format and re-install
all software on the XP box, and probably the Win2000 boxes.

> sounds like you're either infected with viri or you're 0wned.

---MODERATOR(s) - Please Remove the following from the list
version --------------------

The Administration Manager wants proof. I have been keeping him up to date
on everything but he doesn't seem to absorb any technical details. Could
somebody (not list members) please contact him and explain things in very
simple terms.

kennedy.sean---at---cblptyltd.com.au  (replace ---at---) Please cc to me.

thanks LNK
----------------------------------------------------------------------------
--------------------------------------------

I have suspected that this is has been the case since I loaded the latest MS
'critical' security patch, detected an unauthorised program (blocked by the
hardware firewall) trying to contact the (ACT) when accessing our Telstra
Bigpond FTP site, and was then attacked by the European Global Name Server
on the MYDOOM port twice in 59 mins, on different IP's within the next 2
hours. Last week the Australian Federal Government gave themselves
retrospective powers to monitor all emails, even though everything that goes
out of the country (like emails to the Dshield list) has been monitored for
a couple of years.

> also sounds like the administration doesn't care.  that sucks.

The global security industry (SANS Committee or the like) should be able to
send out emails to the CEO/President/Admin Manager (whoever/whatever) who
prevent their security staff from doing their jobs properly, for action
within a given time frame. If they don't, they should have their broadband
access to the Internet blocked until they comply.

>
> also sounds like you have a lot of work ahead of you.  :(
>
> -d

My Home PC Win2000 (internal HDD) and XP (all legitimate S/W, and A/V with
all patches) removeable hard drives have ceased to load Windows since last
Friday when I dialed up on the internet. The Win98 removeable HDD drive
still works OK even though it is the oldest out of the lot. I have swapped
every component with another similar PC (and Vs a Vs) and everything checks
out OK, including the memory via Memtest (it is warranted for 2 years and is
1 year old). We have had quite a few severe storms lately, but the PC has
the power disconnected when not in use and the removeable XP HDD was not
even in the PC! Talk about DOS attacks.

Yes I do have a lot of work ahead of me at home, but in the office I
probably have about 18 hours max as most of the other PC's are Win 98 and we
only have 3 XP/Win2000 boxes in operation. I only need permission to clean
them up.

Regards,

Laurence N. Kennedy
Competency Based Learning




More information about the list mailing list