RE: Nimda and patch end up shutting my Web Server
By now there are probably tools that will remove (or at least claim to remove) Nimda, but once you were infected your machine started announcing to the world that everyone had access to it. Even if a tool cleans up Nimda, can you ever be sure that some enterprising script kiddie hasn't placed a trojan/backdoor on it? Wipe-n-load is the only way to be sure.

jbh

-Original Message-
From: Vani Murarka [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 23, 2001 7:49 AM
To: NT System Admin Issues
Subject: Nimda and patch end up shutting my Web Server

NT and IIS Gurus, please help. My system was infected by Nimda. Norton found certain TFTPxxx files under Inetpub/scripts which were infected. It could not clean them; it quarantined them. I deleted those files, but new TFTPxxx files kept getting created in that directory, and Norton kept saying those are infected with Nimda.

I searched the internet to see what patch I must install. Following links from Symantec, this is the one I downloaded and installed - http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

The patch was called Windows 4.0 Hotfix. Ever since installing that, my Web Server does not run. Trying to run it from Internet Service Manager says, "The specified module could not be found." I am also not able to uninstall the patch from Control Panel - Add/Remove Programs as the page from where I downloaded it suggests, because it is not listed there. Maybe I selected the inappropriate patch - but now I am at a loss as to what to do next. Please give pointers.

Thanks
Vani

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
RE: IIS Slow Down Due to Nimda?
On my boxes where I have host headers configured and no website is "default", that is, every website demands that a host header be in the request, none of these requests are making it into the logs. I have no idea what that means wrt IIS; maybe it is still processing them and not logging, or maybe it just ignores them once a matching host header isn't found.

jbh

-Original Message-
From: John Cesta - Lists [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 9:03 AM
To: NT System Admin Issues
Subject: RE: IIS Slow Down Due to Nimda?

Anyone seen their IIS Server slow down due to the bug? Is there any way to stop the request (cmd.exe) from even being made to your box? Here is what my logs look like. Sunday was a little slow but on an average day we get around ~700 unique visitors.

Of course IIS is going to slow down due to many requests. Not much of a way to make it stop unless you know where the source is, call them and ask. Otherwise we are all in the same boat.

John Cesta

-Original Message-
From: Jerry Gamblin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 10:36 AM
To: NT System Admin Issues
Subject: IIS Slow Down Due to Nimda?

Anyone seen their IIS Server slow down due to the bug? Is there any way to stop the request (cmd.exe) from even being made to your box? Here is what my logs look like. Sunday was a little slow but on an average day we get around ~700 unique visitors.

Date         : Hits  : Successful Hits
09/16/2001   : 372   : 222
09/17/2001   : 3,454 : 1,026
09/18/2001   : 6,224 : 1,046
09/19/2001   : 5,401 : 745
09/20/2001   : 2,193 : 86
Total Hits   : 17644
Average Hits : 3528

That's around 14,000 hits alone from this virus. I don't know what it's doing to the server, but is there any way to make it stop?

Jerry Gamblin
Technology Specialist
Linn State Technical College
One Technology Drive
Linn, MO 65051
[EMAIL PROTECTED]
www.linnstate.edu
573-897-5240

-Original Message-
From: Murray Freeman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 9:24 AM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

HEY, not true, not true. We got hit on 3 servers and were able to cleanse manually and never even turned off the servers, nor did it impact our regular production.

Murray

-Original Message-
From: Rocky Stefano [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 9:21 AM
To: NT System Admin Issues
Subject: RE: HELP VIRUS ON NT MACHINE?

For those of you that were unfortunately hit with the latest worm: there is usually no recourse but to wipe the machine clean and reload your software. Trend Antivirus has released a cleaner for the virus. Here is the info.

Trend Micro has developed a cleaning tool that will allow you to clean systems infected by PE_NIMDA.A. The cleaning tool and instructions, manual cleaning instructions, and the latest pattern file can be found on our FTP site at:

ftp://us-web\[EMAIL PROTECTED]
Password: tmcustomer
Directory: Premium Customer\tool
Files:
Cleaning tool: FIX_NIMDA.zip
Cleaning tool description and instructions: Readme_nimda.txt
Manual cleaning documentation: How to Clean.txt
Latest pattern file: ptn_942.zip

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: September 19, 2001 5:35 PM
To: NT System Admin Issues
Subject: HELP VIRUS ON NT MACHINE?

This thing is on a machine at work and it writes .eml files all over the place in the folders on the hard drive. Is there a way to get rid of this virus? What is it? Uninstalling Outlook Express or email, would that do it? It ran very sluggish and now is frozen up.

HELP
RE: OT? perspective of events
There are a number of problems you leave out. First, I have sniffed a switched network before and it is not that hard. You need only overflow a switch with more bogus MAC addresses than it can handle and suddenly you have a hub. Even without any effort my snort box picks up loads of traffic it shouldn't behind two switches. You can probably assume you are safe from sniffing behind a router, unless there is a compromised box behind it with you.

Second, you may have plenty to be afraid of. If someone sends you an html mail with a linked image from a child porn site, by having it open by accident in a preview window you could suddenly be categorized as a child porn viewer by some automatic tool. I have had several very disturbed and concerned users contact me about incidents like this with html mail.

I have no worries about reactions to this tragedy as I believe that the vast majority of individuals have good intentions even if their actions aren't perfect. What I worry about are overreactions. I woke up today much angrier than I was yesterday and I can think of some pretty horrible overreactions that I might be willing to support in the aftermath of the attacks. One can only hope that the leaders of my country and others have a better handle on their emotions than the general population.

jbh

-Original Message-
From: Luke Brumbaugh [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 8:29 AM
To: NT System Admin Issues
Subject: RE: OT? perspective of events

I read about this. It's an NT box running a kind of Sniffer software. I have used Sniffer; the log gets incredibly big in a short period of time. So, the idea of scanning an IP address or email header for certain patterns would only be possible. Wiretaps are common, but you can only monitor so many phones at a time. Same here with email and this Carnivore black box. So you ask yourself, are you doing something to be afraid of? If not, then why worry; Sniffer doesn't work well on switched networks and as for the internet, only terrorists and child pornographers have something to worry about.

-Original Message-
From: Benjamin Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 9:51 AM
To: NT System Admin Issues
Subject: RE: OT? perspective of events

I don't know how I feel about stuff like that yet. I think some of it may be warranted (we already know that any phone conversation basically can be recorded based on a myriad of words that are said). I think that the same type of thing monitoring e-mail would not be noticed by most. I think though, that if we were all told the extent of spying that the FBI already does, legally or illegally, we probably would be shocked. I almost think that things like that are better off kept silent, a "what the people don't know won't hurt them" type of attitude. It's gonna get really interesting for a while here. As someone else said, we are in for a bit of a bumpy ride.

As a side note, although I was not directly affected by the horrible acts that took place yesterday (no relatives), we will all be affected by this dastardly deed for a long time to come. My heart goes out to those who have experienced a loss. Even today, I still am in shock at what happened. At the same time, let us pray that our leaders make informed and wise decisions in the aftermath of what has happened.

Ben Winzenz, MCSE
Network/Systems Administrator
Peregrine Systems, Inc.

-Original Message-
From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 9:14 AM
To: NT System Admin Issues
Subject: OT? perspective of events

My sympathies and thoughts go out to everyone directly affected by these cowardly acts. My thoughts also go out to the millions of us indirectly affected.

Now to bring a slightly on-topic slant to the discussions - in recent months there has been considerable debate on Carnivore (the FBI's electronic snooping tool). In order to increase our security, I'm sure we Americans are going to have to give up some of our personal freedom and privacy. As IT pros, has anyone's opinion of Carnivore changed? I know if someone had asked me the question on Monday, I was adamantly against Carnivore. Today, I'm willing to accept some software black-box scanning my email looking for suspicious activity. Thoughts?

BTW - just because I am initiating a slightly on topic discussion, in no way am I suggesting that the other threads stop. I'm all for them. Many of our list members are in NY and DC. Those who don't like the off topic discussions - learn to use the delete key or set up a filter or rule.
RE: W2K permissions
Normal users are prevented from installing printer drivers by default. To change this on a single workstation, open the Local Security Policy snap-in (it can be found in the Administrative Tools folder within the Control Panel), expand Local Policies and under it expand Security Options. Change the "Prevent users from installing printer drivers" policy to disabled. You can also change this policy within the Domain Security Policy snap-in on a domain controller and it will take effect for all the machines in your domain.

jbh

-Original Message-
From: Blake R. Fowkes [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 3:53 PM
To: NT System Admin Issues
Subject: W2K permissions

I am still very new to W2K so please bear with me. Can anyone tell me why I cannot install a network printer as a normal user? I have installed the NT compat security template, at least I think that I did that correctly.

Thanks,
Blake Fowkes
Waid and Associates
RE: NewYork Terrorist Attack
Am I the only one that thinks that imaginary friends have caused enough trouble? If our species could put this whole god thing behind us maybe, just maybe, we could approach our problems rationally and find better solutions than what has happened today and what will happen as a result of it. Some people will think the perpetrators are going to heaven as martyrs, some will think they are destined for hell as sinners. I just think a lot of people died needlessly today (and every day) because of the human fascination with supreme beings and this constant struggle for who has the better imaginary friend.

jbh

-Original Message-
From: Laura Swartout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 11, 2001 9:57 AM
To: NT System Admin Issues
Subject: RE: NewYork Terrorist Attack

The news said that there were 5 planes hijacked. 4 are accounted for (2 in NYC, 1 Pentagon, 1 crashed in PA (plane was originally scheduled to fly to San Francisco)). They don't know where the 5th is. No news about any of those planes being shot down by the military. The news just reported that the Palestinians are celebrating in the streets shouting God is Great. I sincerely doubt that God is celebrating.

GOD BLESS AMERICA! Let's pray that the terror these cowards hope to instill in us instead more strongly unites us as a great and noble nation. Deepest sympathies to families, friends and loved ones of those who have been murdered today.

-Original Message-
From: Gareth Campling [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 11, 2001 10:36 AM
To: NT System Admin Issues
Subject: Re: NewYork Terrorist Attack

Deepest sympathies to everyone involved in this tragic day. Can anyone in the States elaborate on the rumours on UK TV about a 4th airplane, and US military to shoot down? All I can say is I hope it is pure speculation.

Best wishes to all
--
Best regards,
Gareth, MCP
mailto:[EMAIL PROTECTED]
RE: NewYork Terrorist Attack
They are setting up several places around my part of Utah for blood donation. Donating blood is always a good thing, so even if it never gets to NYC it is a good idea.

jbh

-Original Message-
From: Murray Binette [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 11, 2001 2:04 PM
To: NT System Admin Issues
Subject: RE: NewYork Terrorist Attack

Does anyone know if donating blood up here in Canada would somehow contribute?
RE: telnet client
I like TeraTerm Pro, mainly for the ssh extension.
http://hp.vector.co.jp/authors/VA002416/teraterm.html

jbh

-Original Message-
From: Jim Busick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 4:46 PM
To: NT System Admin Issues
Subject: telnet client

Any suggestions for an alternative telnet client for Win2k?
RE: Legal Email Issues - Dont shoot me :) -
This is only semi-related, but I recently did some work to recover email evidence in a dispute. What I did was hook the hard drive from a Windows 98 machine up to my linux box and dump the strings from the entire drive (including "empty" space.) I was able to reconstruct mail as far back as early 1999. Another great thing was that the machine had a huge drive and since IE was using a percentage of the drive as cache, it never stopped caching so we could reconstruct browsing sessions that far back too. The odd thing about the email was that it was from a yahoo account and while we couldn't read the cached yahoo pages, we could find lots of yahoo email in the free space on the disk. My only guess is that it was somehow written to disk by IE unencrypted (temporarily for rendering?) and then those clusters never got written over again. Since an email fits nicely within a cluster, we got lots of them. Overall, it was pretty spooky to get this much information from a drive, but given the conditions I think it would have been impossible to fake. Keep your eyes open when you look at the machines, never know what good stuff you might find in there.

jbh

-Original Message-
From: Benjamin Zachary [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 8:29 PM
To: NT System Admin Issues
Subject: RE: Legal Email Issues - Dont shoot me :) -

Oh man that would be great, we need an expert. Mail me off list and maybe I can fax you the documents. My lawyer has free reign; I'm basically spending 20k to make her go away, so money is not an object at this point. We also got a letter from MS today explaining they have been informed that my company distributes illegal software. heh.. gee I wonder where that came from. We are going to try and find out which PC she received it from, and which account; she couldn't have deleted it, else, what good is it. So we are going to try and subpoena (sp?) all the computers she is in contact with, and then have someone go through them looking for the word document. When we pull the computer, I'm going to run EZ-Recovery from Ontrack against it and try to pull it back and then we will press for perjury, and jail time. As far as the ISP, we own the mail server at the office, but anything they want would be there..

Thanks Bob!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2001 9:56 AM
To: NT System Admin Issues
Subject: RE: Legal Email Issues - Dont shoot me :) -

Just got back to work today. Got this at home, but couldn't reply (relaying turned off to prevent spamming). This is the sort of work I do. If I were in your situation, I would let her introduce the evidence in court. In the mean time, your attorney should be able to obtain a copy of the 'e-mail'. With this copy, check the time and date it was supposedly sent. A summons should then be sent off to your ISP for connection details and mail routing records. This would certainly hurt her credibility and should make the rest of the proceedings in court lean your way. On top of all of this, I realize this is a civil proceeding, but perjury is perjury no matter what court it is in. By her entering this evidence and testifying to the fact that she received it, she would be perjuring herself on the stand. This is punishable by jail time. If it gets into all that, a forensic investigation could be done to show that indeed she did not receive the e-mail and that she typed it up herself. Not sure where you live, but if I can do anything to help you in this, please let me know. I am a computer forensic investigator in Kentucky and would be happy to lend a helping hand.

Ptl. Bob Couchman
Unit 57
Network Administrator
Computer Crime Section
Madisonville Police Department
99 East Center Street
Madisonville, KY 42431
(270) 821-1720
(270) 824-2115 (fax)
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Visit the Madisonville Police Department on the internet at http://www.madisonvillepd.com http://www.madisonvillepd.com/

-Original Message-
From: Benjamin Zachary [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 05, 2001 11:05
To: NT System Admin Issues
Subject: OT: Legal Email Issues - Dont shoot me :) -

This is kind of a personal issue, but maybe someone could help me out as it relates to legalities for email. My ex-wife typed stuff up in Word to look like an email and put threats and various obscenities in it. There is no header info; it just says subject, to, from and the offending text. It could simply be typed in Word (and was btw! :) ). Anyhow, I went online to mail.com, yahoo.com, hotmail.com, outlook, outlook express, and aol.com and printed up an email from each to show
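jbh's recovery technique (dump every printable string from the raw drive, free space included, and pick out the mail that happens to sit whole in an unreclaimed cluster) can be reproduced offline on an image file. The script below is an added example and not the procedure jbh actually ran; the "drive" it scans is a constructed byte string, and the 4 KB cluster size is an assumption that would be replaced by the real volume's allocation unit.

```python
"""Carve e-mail header fragments out of a raw disk image.

Added example (not the list poster's procedure). build_sample_image() is a
constructed stand-in for a drive dump; CLUSTER_SIZE is an assumption.
"""
import random
import re

# Assumption: 4 KB allocation units, as on a large FAT32 volume; adjust for the real disk.
CLUSTER_SIZE = 4096

MAIL_HEADER_RE = re.compile(r"^(From|To|Subject|Date|Message-ID):\s*(.+)$", re.IGNORECASE)


def printable_runs(data, min_len=4):
    """Yield (offset, text) for each run of printable ASCII (tabs/newlines included).

    This is what `strings` does on a raw device, except runs are not split at
    newlines, so a header block plus its body stays one unit.
    """
    pattern = re.compile(rb"[\x20-\x7e\t\r\n]{" + str(min_len).encode() + rb",}")
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def carve_mail(data, cluster_size=CLUSTER_SIZE):
    """Return fragments that look like RFC 822 messages: headers, blank line, body.

    A run is accepted only when it carries at least From: and To:, which keeps
    web-cache HTML and lone 'From:' scraps out of the result.
    """
    found = []
    for offset, text in printable_runs(data):
        headers, body, in_body = {}, [], False
        for line in text.splitlines():
            if in_body:
                body.append(line)
                continue
            m = MAIL_HEADER_RE.match(line)
            if m:
                headers[m.group(1).title()] = m.group(2).strip()
            elif line == "":
                in_body = True  # first blank line ends the header block
        if {"From", "To"} <= set(headers):
            found.append({
                "offset": offset,
                "cluster": offset // cluster_size,
                "headers": headers,
                "body": "\n".join(body).strip(),
            })
    return found


def build_sample_image():
    """Constructed 'drive': non-ASCII filler with mail, web and partial fragments inside."""
    rnd = random.Random(1)

    def filler(n):  # bytes >= 0x80 can never form a printable-ASCII run
        return bytes(rnd.randrange(0x80, 0x100) for _ in range(n))

    mail1 = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
             b"Subject: Meeting\r\nDate: Mon, 15 Mar 1999 10:04:00 -0500\r\n\r\n"
             b"See you at ten.\r\n")
    html = b"<html><title>Welcome</title></html>"
    scrap = b"From: carol@example.com\r\nSubject: hi\r\n"  # no To: -> not counted
    mail2 = (b"From: dave@example.com\r\nTo: erin@example.com\r\n"
             b"Subject: Re: Invoice\r\n\r\nPaid yesterday.\r\n")
    return filler(512) + mail1 + filler(4096) + html + filler(300) + scrap + filler(100) + mail2


if __name__ == "__main__":
    for hit in carve_mail(build_sample_image()):
        print(f"offset {hit['offset']} (cluster {hit['cluster']}): {hit['headers']}")
```

On a real case you would read the image with `open(path, "rb")` in chunks rather than `build_sample_image()`, and you would record the byte offset of every hit, since the offset (and the cluster it maps to) is what lets the finding be reproduced by someone else from the same image; that reproducibility is what makes the recovered fragments hard to fake, which is the point jbh makes.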
t.exe
Does anyone know of a legitimate reason my c:\InetPubs\Scripts directory would have in it a file named t.exe and why that file would show up as a task belonging to IUSR_SERVERNAME? I can't find a reference to t.exe anywhere I have looked and the file was created recently, but not at a time corresponding to anything I have done to the machine (I think.)

Thanks
jbh
RE: DHCP...
This is a pretty big stretch. I think it should say not just anyone can create a DHCP server on a W2K server that is a member of your domain. Anyone could set up a DHCP server using third party software or with another OS and cause havoc. The resource kit has a utility called DHCPLOC that makes rogue servers a little easier to locate (or at least identify.)

jbh

-Original Message-
From: Starrdust [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 7:11 PM
To: NT System Admin Issues
Subject: RE: DHCP...

Thanks Kevin. I am reading the resource kit and it is talking about 'the end of rogue DHCP servers'. It states - with Windows 2000 not just anyone can create a DHCP server. Now, DHCP servers must be authorized in the Active Directory before they're allowed to start handing out addresses.

-johnp

-Original Message-
From: Kevin Miller [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 11:54 PM
To: NT System Admin Issues
Subject: RE: DHCP...

Not that I know of?

Kevinm
WLKMMAS*TM, QWSZC, VRY+Y, NFH, SAD-VF, DERSDESDFG
~~~ More letters after my name makes me Smarter. ~~~
please respond back to rent this ad space for your needs

-Original Message-
From: Starrdust [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 5:52 PM
To: NT System Admin Issues
Subject: DHCP...

Sorry for asking for what must be a very rookie question, but to install DHCP on a Win2K domain, does Active Directory 'have' to be used.

Thanks,
-johnp
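jbh's point is that Active Directory authorization only restrains Windows 2000 DHCP servers; a server on any other OS will answer DISCOVERs regardless, so the only general defence is to watch what actually answers on the wire and compare it with the servers you run. The script below is an added example of that check, not DHCPLOC (whose internals are not described here): it decodes DHCP packets per the RFC 2131 layout and flags an OFFER whose server identifier (option 54) is not on an assumed allowlist. It works on captured packet bytes only; `build_offer()` just constructs test input, and every address in it is made up.

```python
"""Flag DHCP offers from servers that are not on your authorized list.

Added example (not DHCPLOC itself). It works on captured packet bytes;
build_offer() only constructs test input, and AUTHORIZED_SERVERS is an
assumed allowlist of the servers you actually run.
"""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 magic cookie after the 236-byte header
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
OPT_PAD, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2

# Assumed allowlist: the DHCP servers you deployed yourself.
AUTHORIZED_SERVERS = {"10.1.1.2"}


def build_offer(xid, yiaddr, server_ip, client_mac):
    """Construct a minimal DHCPOFFER as test input (not a server implementation)."""
    header = struct.pack(HEADER_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         bytes(4), IPv4Address(yiaddr).packed,
                         IPv4Address(server_ip).packed, bytes(4),
                         client_mac, b"", b"")  # struct null-pads chaddr/sname/file
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
               + bytes([OPT_LEASE, 4]) + struct.pack("!I", 3600)
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_dhcp(packet):
    """Decode the fixed header and the option TLVs; reject anything truncated."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr,
     _siaddr, _giaddr, chaddr, _sname, _file) = struct.unpack(HEADER_FMT, packet[:236])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(IPv4Address(yiaddr)),
            "chaddr": chaddr[:hlen].hex(":"), "options": options}


def classify_offer(packet, authorized=AUTHORIZED_SERVERS):
    """Return (server, offered_ip, verdict) for an OFFER, or None for other messages.

    The server identifier option is the address the client will go on to talk
    to, so that, not the IP header, is what gets compared with the allowlist.
    """
    msg = parse_dhcp(packet)
    if msg["op"] != BOOTREPLY or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    sid = msg["options"].get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return ("<missing server id>", msg["yiaddr"], "malformed")
    server = str(IPv4Address(sid))
    return (server, msg["yiaddr"], "authorized" if server in authorized else "ROGUE")


if __name__ == "__main__":
    mac = bytes.fromhex("0050560a0b0c")  # constructed client MAC
    for pkt in (build_offer(0x1234, "10.1.1.50", "10.1.1.2", mac),
                build_offer(0x1234, "192.168.0.50", "10.1.1.99", mac)):
        print(classify_offer(pkt))
```

To use it against a live segment you would feed `classify_offer()` the payloads of UDP packets arriving on port 68 (a sniffer or a DISCOVER sent from a test host will produce them); an OFFER marked ROGUE gives you the offending server's address and the lease it was handing out, which is exactly what you need to go and find the box.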