Re: URLScan

2002-03-20 Thread dumbwabbit

I know you can (and I do) move and ACL critical system
files (e.g. cmd.exe and other stuff from %systemroot%
locations), and allow *only* access to certain
directories containing executables, and there are
other ways of configuring it, I have done it... I just
still have reservations when it comes to allowing .exe
through IIS at all.


--- Charles Otstot <[EMAIL PROTECTED]> wrote:
> I have seen some messages in the Microsoft IIS and security news groups
> on opening up specific .exe's via URLScan.
>
> Although the solutions were rather convoluted, you may want to check
> some of the groups there and post a question or two. I haven't worked
> with URLScan to the depth of knowing this one off the top of my head,
> but if I recall correctly, it *can* be done.
>
> Charlie
>
> dumbwabbit wrote:
>
> > Hmm, I would NOT recommend opening up the .exe
> > extension.
> > Rather, you may want to consider redirecting them to
> > an FTP site, either your own, or the Citrix download
> > location (if there is one, sorry I don't know, never
> > used this client).
> > Baad security risk to allow .exe
> > just my
> > .02
> >
> > --- "Bonner, Jon" <[EMAIL PROTECTED]> wrote:
> > > Open the following file:
> > > %systemroot%\system32\inetsrv\urlscan\urlscan.ini.
> > > Scroll down in the file until you find the section containing the text
> > > "; Deny executables that could run on the server" and then place a
> > > semicolon in front of the EXE that appears below it. This comments out
> > > EXE so that URLScan will stop blocking files with that extension. Then
> > > restart IIS or reboot your server.
> > >
> > > Jon Bonner
> > >
> > >
> > > -Original Message-
> > > From: CHM Security [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, March 08, 2002 5:56 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: URLScan
> > >
> > >
> > > I am running Citrix nfuse on an IIS 5 server and attempted to install
> > > the urlscan.exe from M$. I have very limited knowledge on web servers
> > > and every time I install the urlscan it kills the ability of clients to
> > > download the citrix web client (ica32t.exe) file. Like I said I have
> > > very limited knowledge of web servers and I'm not sure how I can edit
> > > the urlscan ruleset to allow this to happen. I would really like to run
> > > the urlscan tool to receive all of the benefits it provides, but as of
> > > right now I can't because it kills necessary functionality. Any help
> > > would be greatly appreciated!



Re: Restricting cmd.exe access

2002-03-20 Thread dumbwabbit

MS actually recommends moving a number of system files
(eg., cmd.exe ftp.exe netstat.exe and others) OUT of
\winnt and \winnt\system32, putting them in a folder
on a separate partition, and setting strict ACLs on
that directory to ONLY allow full control to System
and Administrators.
If you follow this, remember that if you want to be
able to do Run > cmd and have cmd open a command
prompt window, you will need to edit the System Path
to contain this new folder path. Also, MS recommends
moving at.exe and atsvc.exe... if you move them, and
don't edit the System Path, your scheduled tasks will
not run... so do this.
Example:
Say you move your files to:
D:\MyNewSystemFiles\
Then you will need to edit the System Path to read (no
semi-colon necessary if it is last entry - the ...
mean there may be more stuff before or after what I
typed... d'oh):

..c:\winnt;c:\winnt\system32;D:\MyNewSystemFiles;.

I suggest a reboot after you move the files, or at
least stop and restart the services that depend on any
of the files you decide to move.

For full MS details, go to www.microsoft.com/technet
and search for the IIS 4.0 Security Configuration
Checklist.

I have further found that there are other files that I
wanted secured besides those on the checklist... you
should put careful consideration into which
executables you want hidden

--- Rooster <[EMAIL PROTECTED]> wrote:
> hmm, i guess i read that mail different than you.  he had system in
> quotes, so i figured he was referring to the system account.  as a general
> rule, i agree that acling down the cmd.exe is a very good idea.  just
> remember that many exploits (for instance the .ida and the
> .printer) exploits come in as system, so the acls will not protect you
> from those exploits.
>
> -=rooster=-
>
> On Sat, 16 Mar 2002, John R Ellingsworth wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > No.  He says he wants to know the ramifications of "restricting
> > system access to cmd.exe".  I read it as denying system account
> > cmd.exe access (which may not be possible), and which he pointed out
> > in a follow up email.
> >
> > It does work, for this exploit; if a user does not have specific
> > permissions to access cmd.exe (or any other command properly ACL'd),
> > then it won't launch as scripted because the user does not have
> > rights.
> >
> > If you do allow user cmd access and test it, you'll see that it is
> > run from the account of that user.
> > So I think it best to only give access to Administrator account.
> >
> > This is an ideal ACL solution for a webserver.
> >
> > Thanks,
> >
> > John Ellingsworth
> > Project Leader
> > Virtual Curriculum
> >
> > - - Original Message -
> > From: "Rooster" <[EMAIL PROTECTED]>
> > To: "John R Ellingsworth" <[EMAIL PROTECTED]>
> > Cc: "Curious George" <[EMAIL PROTECTED]>;
> > <[EMAIL PROTECTED]>
> > Sent: Saturday, March 16, 2002 3:36 AM
> > Subject: Re: Restricting cmd.exe access
> >
> >
> > > i think you missed what he said.  he wants to not allow SYSTEM from
> > > having access to the command shell.
> > >
> > > for the record, i don't think this will do what you want it to.
> > > first of all, you can't really deny system from anything, and
> > > second of all, it would just take a bit of code to pop up a command
> > > shell even if the exe itself is restricted.
> > >
> > > -=rooster=-
> > >
> > > On Wed, 13 Mar 2002, John R Ellingsworth wrote:
> > >
> > > > -BEGIN PGP SIGNED MESSAGE-
> > > > Hash: SHA1
> > > >
> > > > Do it.  Restrict access to Administrator only.
> > > >
> > > > I do it (am doing it right now) - no known problems.
> > > >
> > > > Test it out on a dev machine first if you have concerns.
> > > >
> > > > Thanks,
> > > >
> > > > John Ellingsworth
> > > > Project Leader
> > > > Virtual Curriculum
> > > >
> > > > - - Original Message -
> > > > From: "Curious George" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, March 12, 2002 12:59 PM
> > > > Subject: Restricting cmd.exe access
> > > >
> > > >
> > > > > This is a slight off shoot of the scary site post. What
> > > > > are the potential ramifications of restricting "system"
> > > > > access to cmd.exe? My thought is with all the MS
> > > > > exploits that are gaining access via some service
> > > > > running in the system context, this would be a great
> > > > > way to mitigate the potential impact. Thoughts?
> > > > >
> > > > > I am also thinking, ok this is going to inhibit using the
> > > > > scheduler service under the system account to run
> > > > > local batches, as well as any stored procedure in
> > > > > SQL that accesses the command shell, but services
> > > > > could be run in another context and still have access
> > > > > to the command shell...
> > > > >
> > > > > Am I way off with this? Will this break something that I

Re: Netscape Communicator vs IE

2002-03-16 Thread dumbwabbit

Heh, the fact that Microsoft even has to release
patches, whereas the security vulnerabilities related
to Netscape come every 6 months to a year? Which
seems to be a more stable, secure application in this
light?

Makes Netscape my favorite.
4.79 baby. 6 is OK, nice email features, no Microsoft
vulns...

Just disable Javascript in Mail and News, and you
should be pretty well off in terms of browsing safety
in comparison to IE... the biggest PITA with IE is
locking everything down, and then figuring out exactly
which features you need enabled... I gave up on that
long ago. I now only use IE to play with the latest
exploits... and Office and Windows Updates.

Heh, I won't even visit FilePlanet with IE... just
don't trust it.

Opera is a nice browser methinks, but I don't know
enough about its architecture yet. 1 vuln for them in
the last year or so that I have heard of.

--- Gilles Poiret <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I would like your advice about security aspects,
> concerning IE (e.g 5.5) vs Netscape Communicator
> (e.g 4.7x).
> 
> I *very often* heard problems with IE, and Outlook. 
> But Microsoft provides patches (for instance, a
> patch for Outlook to block dangerous attachments),
> and permits to control the surf (web site access,
> allow or not downloading,...) with IE. 
> At the opposite, I never (since version 4.77) heard
> about security problem for Netscape Communicator.
> But to my knowledge, there is no embedded mechanism
> of protection in this browser.
> 
> So I'm wondering what is the best (safest) browser,
> concerning security. Same thing for mail client
> (outlook vs messenger)...
> 
> For the moment, I think IE is safer (due to patches,
> and ability to control). If you have another
> opinion, please tell me.
>
> Thanks in advance.
>  
> -- 
> Gilles POIRET
> 





RE: URLScan

2002-03-16 Thread dumbwabbit

Hmm, I would NOT recommend opening up the .exe
extension.
Rather, you may want to consider redirecting them to
an FTP site, either your own, or the Citrix download
location (if there is one, sorry I don't know, never
used this client).
Baad security risk to allow .exe
just my 
.02

--- "Bonner, Jon" <[EMAIL PROTECTED]> wrote:
> Open the following file:
> %systemroot%\system32\inetsrv\urlscan\urlscan.ini.
> Scroll down in the file until you find the section containing the text
> "; Deny executables that could run on the server" and then place a
> semicolon in front of the EXE that appears below it. This comments out
> EXE so that URLScan will stop blocking files with that extension. Then
> restart IIS or reboot your server.
>
> Jon Bonner
>
>
> -Original Message-
> From: CHM Security [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 08, 2002 5:56 PM
> To: [EMAIL PROTECTED]
> Subject: URLScan
>
>
> I am running Citrix nfuse on an IIS 5 server and attempted to install
> the urlscan.exe from M$. I have very limited knowledge on web servers
> and every time I install the urlscan it kills the ability of clients to
> download the citrix web client (ica32t.exe) file. Like I said I have
> very limited knowledge of web servers and I'm not sure how I can edit
> the urlscan ruleset to allow this to happen. I would really like to run
> the urlscan tool to receive all of the benefits it provides, but as of
> right now I can't because it kills necessary functionality. Any help would be





Re: Legal problem - IDS - Commercial Vs Open Source.

2002-01-29 Thread dumbwabbit

Hmm, I believe that almost WITHOUT EXCEPTION, ALL
EULAs from any company I have ever done business with
disclaimed liability on behalf of that company should
their product not work in some way.

Basically, the way I interpret it, whether it's
Microsoft OS EULA, GNU, or homegrown, NO company is
responsible for ANYTHING.

In other words, caveat emptor reigns supreme, and you
should NEVER buy a car from Microsoft.

I think companies SHOULD be held accountable to some
extent, the problem there is to what extent, and how
do you prove it?

The only way to determine whether you have any legal
recourse in the event of such an intrusion is to
examine that company's EULA with a fine tooth comb. Do
they claim to provide any type of insurance? Do they
have conditional clauses to these, such as "You must
use X hardware devices, X OS (lol), X firewall product
in order for your rights under this EULA to be
applicable"?

EULAs differ on a per-company and per-product basis,
that is really the only place to answer this question
at the moment.


--- "Hall, Duane" <[EMAIL PROTECTED]> wrote:
> I have been a lurker to this mail-list for quite a while, so here it
> goes.  I have come across an issue asked by management about IDS
> products.  They are asking about the legality issues.
>
> For instance:
>
> If we have a break-in and are using a commercial IDS product and the IDS
> software doesn't catch it, do you have any legal recourse against the
> commercial product vendor?
> Can you sue them for not catching the intrusion?  My thinking is NO.
> I'm sure the software license agreement takes care of this.
>
> The same is asked if we decide to use an open source product, like
> Snort.  I have said the same.
>
> I tried to give an example, for instance Microsoft.  If someone breaks
> into a Windows server, no one but the administrator is responsible.
> You can't sue Microsoft, because you didn't apply a patch or weren't
> watching the server.
>
> Does anyone have any articles or case studies to support my thinking?
> Any help would be appreciated.
> 
> Duane Hall
> 
> **
> Duane Hall
> Security Administrator
> Hastings Entertainment, Inc.
> 806-351-2300 X-3945
> [EMAIL PROTECTED]
> 





RE: Security for new small company

2002-01-16 Thread dumbwabbit

I also like the GB-100 and GB-1000 by GnatBox, nice
hardware device with great features, good price, very
reliable.
I have used both over the past year.

--- Brad Bendily <[EMAIL PROTECTED]> wrote:
> 
> 3Com has some hardware Firewall products that are meant to be used
> in a small office environment.
>
> Has anyone on this list ever used any 3com firewall products?
> Any concerns or problems?
>
> Does anyone have concerns or problems with 3com products in general?
>
> We use many of their edge switches and core products. I like
> them. They follow more closely to standards than other makers. They don't
> make routers though. Nothing really to match Cisco's internet routers.
>
> Thanks
> Brad B
>
>
> On Thu, 10 Jan 2002, Kleber S Oliveira wrote:
>
> > Hello Ben,
> >
> > You could buy Watchguard (SOHO) or Cisco PIX (506). These fw are for
> > small companies or branch offices that have small throughput.
> >
> > But if you want to create a DMZ with the mail server and website you
> > could buy a Cisco PIX 515R that has three or more ethernet interfaces
> > to do it. This solution is better and more scalable.
> >
> > Any doubts don't hesitate to ask.
> >
> > Regards
> >
> > Kleber
> >
> > Ben <[EMAIL PROTECTED]> wrote:
> >
> > >
> > >Hi,
> > >
> > >I work for a new small company, and have been
> > >asked to look into security with regard to our LAN and
> > >web connection.  I am from a technical background
> > >but could do with some advice in the security area.
> > >
> > >Our LAN is a w2k domain with 10 clients all running
> > >win2k.  We are going to have a DSL connection put in
> > >soon and I'm thinking about firewalls and
> > >server 'locking down'.
> > >
> > >Ideally we would like a hardware solution for the
> > >firewall, at present our website + email is with a
> > >hosting company.  Within 12-18 months though this
> > >may change to hosting the site + email ourselves.
> > >
> > >Could anybody recommend firewalls/security
> > >products - and whatever solution we go for what
> > >must they be able to do?
> > >
> > >Many thanks
> > >
> > >Ben
> > >
> >
> 





Re: Portscanning from Windows XP machine

2002-01-11 Thread dumbwabbit


--- MadHat <[EMAIL PROTECTED]> wrote:
> At 05:06 PM 1/7/2002 -0800, e-CraftZone wrote:
> >Angry IP Scanner 1.87 from Angryziber is good.  It's very fast.  Also
> >includes command line usage.
> >http://www.angryziber.com/ipscan/
>
> Appears to have a problem with WinXP so it does not fit the bill.
> http://sourceforge.net/tracker/index.php?func=detail&aid=493606&group_id=25534&atid=384578
>
>
> >- Original Message -
> >From: "Philip Wagenaar" <[EMAIL PROTECTED]>
> >To: <>
> >Sent: Sunday, January 06, 2002 3:29 PM
> >Subject: Portscanning from Windows XP machine
> >
> >
> > > Hi,
> > >
> > > I'm looking for a good port scanner that will run under Windows XP. My
> > > wishlist for it is that it scans TCP, UDP and stealth but I'm not really
> > > sure if there is such a one under Win environment.
> > >
> > > I also wondered if anyone got nmap for win32 compiled and working yet.

Yes, there is in fact nmapnt - try at:
http://www.eeye.com/html/Research/Tools/nmapnt.html

> > >
> > > Philip Wagenaar
> > >
> > >
>
> --
> MadHat at unspecific.com
>





Help with legal document - network probing agreement

2002-01-07 Thread dumbwabbit

Hi all.

I'm trying to become more involved with infosec as it
pertains to independent consulting, network auditing,
security advisor status etc. I have worked as CSO/MIS
for a mid-sized firm for the last 2 years, and a small
company for 3 years before that.

My current job function at my full-time position
involves extensive testing, probing, monitoring,
implementing and researching network security.

I have 2 friends who own ISPs (in partnership with
others), and we have been discussing the possibilities
of their using my services as an independent security
consultant. 

What I need help with is information on how to compose
valid legal documents which allow me to act in this
capacity for them. I have no legal background to speak
of, and we all want to make sure that we are covered
in this aspect before we commence security analysis.
We just want to make sure that we cover any potential
issues regarding the legalities of my performing these
types of network analysis for them.
Could anyone on this list possibly provide me with any
links to this type of legal document templates,
policies, laws and anything else that we may need to
know?
I have tried searching Google, CERT, SANS and some
other sites, but to no avail. Plenty of stuff on
internal IT policies etc., but I haven't been able to
find anything really specific to independent
consulting.
I would rather not even run a simple nmap probe etc.
on their networks without CYA for all parties
involved!
Someone suggested to me that a simple document stating:
"I hereby authorize [consultant] to analyze and probe
my networks for potential security issues, with the
agreement that any information gathered will be kept
strictly confidential amongst the involved parties."
And then signed by all involved and notarized. Doesn't
seem to be enough to me.

Any helpful suggestions MOST appreciated!






RE: Exchange 2000

2001-12-11 Thread dumbwabbit

Network Associates' GroupShield has the same
functionality of being able to automatically
block/delete/quarantine any specified attachment
types.

--- Marco Bicca ® <[EMAIL PROTECTED]> wrote:
> At 16:25 12-06-2001, Brent Scott wrote:
> Yep, for sure, you should use NAV For Exchange 2.51 ;-) ... Pretty good
> product ... you can block (delete) attachments, even if they are not
> infected .. ;)
>
> Take Care!
> Marco Bicca
>
> >Would be better off to get Anti-Gen for Exchange Server, the filtering
> >is quite easy plus it does virus scanning as well. No having to hack the
> >registry. It also uses virus definitions from all the major anti-virus
> >software vendors assuring that at least one of them will stop what's out
> >there.
> >
> >Cheers,
> >Brent
> >
> >-Original Message-
> >From: Calhoun, Heath [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, December 05, 2001 3:43 PM
> >To: g p; [EMAIL PROTECTED]
> >Subject: RE: Exchange 2000
> >
> >
> >I'd suggest getting Norton for Microsoft Exchange Server.
> >Once installed, through the registry you can block the file types.
> >
> >Heath Calhoun
> >
> >
> >-Original Message-
> >From: g p [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, December 04, 2001 3:50 PM
> >To: [EMAIL PROTECTED]
> >Subject: Exchange 2000
> >
> >
> >I'm new to exchange 2000 and I know this is probably an easy question for
> >everyone but I was wondering how to block certain attachments(filenames)
> >in exchange 2000.  I would like to have it such that files are stripped
> >out of emails before it reaches endusers.  Can you help?
> >
> >Thanks, GP
> >--
>
> ___
> Marco Bicca |   Security Engineer | [EMAIL PROTECTED] | 55 11 9963-4819
> LICQ: 3198441 | Yahoo: TwilightDrummer | MSNM: [EMAIL PROTECTED]
>
> "Remember: security is not a solution; it is a way of life"
>   "The box said 'Windows NT or better', so I installed linux..."
>
> PGP: http://www.it-cowboyz.com/pgp/mbicca.asc
>
>





Re: rid of spamming on web email

2001-12-11 Thread dumbwabbit

See inline comment.

--- "Jay D. Dyson" <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
>
> On 6 Dec 2001 [EMAIL PROTECTED] wrote:
>
> > Could you please tell me what one can do to counter these spammers...
> > My email address has been hidden under the BCC: tag and the unsubscribe
> > path is an invalid email.  Their website has an unsubscribe button but
> > it doesn't do anything except look like its functioning.
>
>   There isn't really much one can do with these APNIC spammers apart
> from outright blocking those IPs from connecting to your SMTP port.  They
> intentionally alter their envelope data, from and to enough to circumvent
> most any Procmail ruleset.
>
>   And you should forget about ever following *any* spammer's
> "unsubscribe" directives.  Those "unsubscribe" things aren't anything of
> the sort.  They are instead a means of confirming "live" e-mail addresses
> which they will in turn sell to other spammers as confirmed addresses that
> they will in turn spam even more, each with their own bogus "unsubscribe"
> addresses.
>

Not to mention that some of these links attempt to
snag your NTLM credentials...

> > I am sick of these guys spamming, could someone offer some help as to
> > what can be done about these(THIS) spammer(s) ?
>
>   Well, let's have a look.
>
> > Return-path: <[EMAIL PROTECTED]>
> > Received: from public1.qd.sd.cn (unverified [202.102.134.100]) by i01sv0648
> > (Rockliffe SMTPRA 4.5.4) with ESMTP id ;
> > Tue, 4 Dec 2001 11:09:51 +
>
>   Okay, the spam is coming from China.  You can forget any
> meaningful action being taken against the spammers.  The admins throughout
> APNIC are the most sorry lot I've ever encountered[1].
>
> > Received: from ok.ru (95.dallas-01rh15rt-tx.dial-access.att.net [12.86.200.95])
> > by public1.qd.sd.cn (8.9.3+Sun/8.8.8) with SMTP id TAA01523;
> > Tue, 4 Dec 2001 19:07:16 +0800 (CST)
>
>   Okay, some gimp at att.net has been injecting the spam through the
> Chinese open relay.  Send a complaint to att.net and encourage them to
> nuke their spammer.  They're usually pretty good about handling it
> quickly.
>
> - -Jay
>
> 1.I don't personally fault these people.  They live in a land
>   wherein multiple "Cultural Revolutions" tend to cost intelligent
>   people their heads.  I don't really blame them for not wanting
>   to seem "too smart" and competently handle their systems.
>
>((   
> ___
>))   ))   .-"There's always time for a good cup
> of coffee"-.   ><--.
>  C|~~|C|~~| (>- Jay D. Dyson --
> [EMAIL PROTECTED] -<) |= |-'
>   `--' `--'  `-- Si vis pacem, para bellum.
> --'  `--'
> 
> 
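
The header reading done in the message above, as an added example that is not part of the thread: a Python walk over the `Received:` chain, oldest hop first, that flags a HELO name which does not match the connecting host's reverse-DNS name. The sample message is constructed from the two headers quoted above (timestamps omitted, the missing queue id replaced by a placeholder); function names are illustrative.

```python
import re
from email import message_from_string

# Constructed sample: the two Received: headers quoted in the thread, with the
# queue id the archive dropped replaced by a placeholder and timestamps left
# out (this parser does not use them).
RAW = """\
Received: from public1.qd.sd.cn (unverified [202.102.134.100])
 by i01sv0648 (Rockliffe SMTPRA 4.5.4) with ESMTP id PLACEHOLDER-ID
Received: from ok.ru (95.dallas-01rh15rt-tx.dial-access.att.net [12.86.200.95])
 by public1.qd.sd.cn (8.9.3+Sun/8.8.8) with SMTP id TAA01523
Subject: constructed sample

body
"""

# "from <HELO> (<rdns> [<ip>]) by <receiver>" as written by both servers above.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.I,
)


def base_domain(name):
    """Last two labels: a rough comparison key, not a public-suffix lookup."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def trace(raw):
    """Return the relay hops oldest first (Received headers are prepended)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))      # unfold wrapped header
        if not m:
            continue
        rdns = m.group("rdns")
        if rdns and "." not in rdns:                 # e.g. the word "unverified"
            rdns = None
        helo = m.group("helo")
        hops.append({
            "helo": helo,
            "rdns": rdns,
            "ip": m.group("ip"),
            "by": m.group("by"),
            # The sender chooses the HELO name; the receiving server looked up
            # the reverse-DNS name and recorded the IP itself.
            "helo_mismatch": bool(rdns) and base_domain(rdns) != base_domain(helo),
        })
    return hops


def chain_is_continuous(hops):
    """Each server that accepted the mail should be the sender of the next hop."""
    return all(a["by"].lower() == b["helo"].lower() for a, b in zip(hops, hops[1:]))


def origin_network(hops):
    """Network to send the abuse report to: where the earliest hop connected from."""
    if not hops:
        return None
    first = hops[0]
    return base_domain(first["rdns"]) if first["rdns"] else first["ip"]


if __name__ == "__main__":
    for hop in trace(RAW):
        print(hop)
    print("report to:", origin_network(trace(RAW)))
```

Only the header added by your own server is written by a machine you control; earlier ones are what upstream relays claim, so treat the result as a lead for the abuse report rather than proof.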





Re: Win2K and Lview.exe -- am I infected?

2001-12-11 Thread dumbwabbit

Use MD5sum to compare your source file to system file.

Get HandleEx (don't remember from where, sorry), Fport
(maps running processes to ports - from Foundstone),
and some of the utilities from SysInternals -
ListDLLs, Process Explorer, TokenMon, WinObj - between
these, you should be able to determine if you have any
rogue apps/processes active on your box.

Also, have you tried scanning your box with the LATEST
updated AV application at your disposal? For full
detection, I recommend using at least two different AV
products - I prefer Network Associates/McAfee's
VirusScan, perhaps Trend or F-Secure. Also try the
trojan detection util from Moosoft.

--- JJ Driscoll <[EMAIL PROTECTED]> wrote:
> For a long time now I have used a very old version
> of Lview, I believe it might be a 16 bit version, in
> my 32-bit operating systems to view my Jpegs.  I
> just like its small size and simplicity.
> 
> It used to occasionally lock up if I accidentally
> opened 2 or more instances of the program, but
> that's ok.
> 
> Suddenly, a couple of months ago, the system began
> acting in this disturbing way:  If I open even one
> instance, and close it normally again, the system
> slows to a crawl.  For example, when I switch active
> windows from Explorer to Netscape, it might take a
> full minute or two before the Netscape window
> redraws and comes to the front.  
> 
> I discovered that I can go to Task Manager --
> Processes, and kill the process " wowexec.exe" (with
> the leading space) and everything will be restored
> to normal behavior.
> 
> Around the time that this started happening I did
> two things which I can remember.
>  1.  Installed Win2K SP2 and did Windows Update
>  2.  Downloaded and installed a program from a
> German site for editing mpeg videos (first time I
> broke my own rule of downloading and installing
> random software).
> 
> The Lview.exe appears to be same size as the
> original, which I have on CD ROM.  
> 
> Any idea if I have been infected with something and
> what I can do about it?
> 
> Thanks,
> 
> JJ
> 



RE: Exchange 2000

2001-12-09 Thread dumbwabbit

Outlook 2000 SP2 (or SP1 with Email Attachment
Security Update), Outlook 2002 both have this
capability. I have never implemented it, nor read too
much about it, so I can't give too many specifics. But
the info is available on Microsoft's site.

With these clients and Exchange 5.5 or 2000, you can
control which attachment types get automatically
blocked.

From what I recall, you can define the attachment
types to block in Exchange, but I do not know how to
configure it. I would imagine that further reading
either at http://www.microsoft.com/office or
http://www.microsoft.com/exchange would yield all the
juicy, pertinent details.

Perhaps someone else on the list has had experience
with this feature?

--- [EMAIL PROTECTED] wrote:
>
> Exchange 2000 does not offer this capability natively.  You will need to
> use a third party product, certain AV products have this capability,
> such as NAI's GroupShield 5.0 for Exchange 2000.  The other option is to
> code a transport or event sink to strip the attachments out before they
> get delivered.  The Exchange 2000 SDK has examples of sinks.
>
> Matt
>
> -Original Message-
> From: "g p" <[EMAIL PROTECTED]>@ACCENTURE On Behalf Of "g p" <[EMAIL PROTECTED]>
> Sent: Tuesday, December 04, 2001 3:50 PM
> To: [EMAIL PROTECTED]
> Subject: Exchange 2000
>
> I'm new to exchange 2000 and I know this is probably an
> easy question for everyone but I was wondering how to block certain
> attachments(filenames) in exchange 2000.  I would like to have it such
> that files are stripped out of emails before it reaches endusers.  Can
> you help?
>
> Thanks, GP
> --
> 
> 





Re: Ip Spoofing I Think

2001-12-02 Thread dumbwabbit

What type of Email server?

If it is Exchange, you need to disallow unauthorized
SMTP relaying. Also, you should enable logging on SMTP
interface in Exchange. See following link:
http://www.slipstick.com/exs/relay.htm

If you are not using Exchange, we need to know which
email server you are using in order to accurately
answer your question.

--- Gerald Lyons <[EMAIL PROTECTED]> wrote:
> Mailer: SecurityFocus
> 
> We have been getting complaints about spam going
> through our web server...The e-mail that people are
> receiving has 'Received: from 208.149.120.240'
> which is our Ip address...We do have a Mail Server
> but shows no logs of the sender or the receivers..
> We have contacted C&W "Our Isp" but have gotten
> nowhere with them...I need help Any suggestions
> on what to do about this..
> 
> Thank You
> Gerald Lyons
> [EMAIL PROTECTED]





Re: NAT/PAT (Hide NAT) Vulnerabilities?

2001-12-01 Thread dumbwabbit

Couple of thoughts off the top of my head:

1) The router itself may have vulnerabilities - see
the relatively recent incidents with the Alcatel
routers, and the 3Com DSL routers, an older one with
Zyxel Prestige routers, the @Home cable modem
enumerations
2) What about if you get hit with a trojan via email?
Do you have outbound traffic filtered at all?
3) Any ports mapped to the external IP from your LAN
may be running vulnerable services...

I'm sure there are more...
Get a router with a hardware firewall - i.e. Linksys.

--- Dee Harrod <[EMAIL PROTECTED]> wrote:
> This strikes me as somewhat of a bonehead question,
> but it's something that's bothered me for awhile:
>
> Let's say I have DSL at home. Let's also say that I
> have a single public IP address, but my internal LAN
> uses private addressing. The DSL router performs some
> sort of NAT or PAT (probably PAT here). All my
> internal machines can reach the Internet through the
> DSL router, but when they come out, the source address
> is changed to the public address. The ports are
> managed by the router, so that it knows who's talking
> to whom, and can thus properly direct returning
> traffic.
>
> Since someone from the outside accessing the router
> itself would be a bad idea, say I'm blocking that.
> Let's say it's managed by http, and I have a filter
> rule that prohibits anything but my private network
> from reaching port 80.
>
> Now, for all intents and purposes, how vulnerable is
> my internal network?
>
> You can't start a connection with an internal system
> because you can't reach its IP address. Even if you
> did manage to hijack a session, of how much value
> would it really be?
>
> So it seems to me that if you use NAT/PAT, you don't
> need a real firewall unless you're actually permitting
> some kind of traffic to connect to something from the
> outside.
>
> Is that right?
>
> -- Dee
> 
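
An added example, not part of the thread: a simplified Python model of the PAT router discussed above, showing what the translation table does and does not stop (points 2 and 3 of the reply). The class, function names and addresses (documentation ranges) are constructed; the model assumes the router matches return traffic on remote address and port, which real devices may or may not do.

```python
# Added example: toy PAT (port address translation) table, defender's view.

class PatRouter:
    def __init__(self, public_ip, forwards=None, egress_allowed=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})  # public port -> (inside ip, port)
        self.egress_allowed = egress_allowed  # None = no outbound filtering
        self.table = {}                       # public port -> session tuple
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection; returns the translated source."""
        if self.egress_allowed is not None and dst_port not in self.egress_allowed:
            return None                       # dropped by the egress filter
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, public_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives on the public address; returns the inside target."""
        if dst_port in self.forwards:         # static port mapping
            return self.forwards[dst_port]
        entry = self.table.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]                  # reply to an inside-initiated session
        return None                           # no state: dropped


def scenario():
    remote = "198.51.100.7"                   # constructed outside host
    other = "198.51.100.99"                   # a different outside host
    pc = "192.168.1.20"
    plain = PatRouter("203.0.113.10", forwards={80: ("192.168.1.5", 80)})
    filtered = PatRouter("203.0.113.10", egress_allowed={80, 443})
    results = {}

    # Unsolicited packet to a port with no mapping: PAT alone drops it.
    results["unsolicited"] = plain.inbound(remote, 5000, 40000)

    # Any program on the PC (a browser, or a trojan that arrived by e-mail)
    # dials out; the router creates state and lets the replies back in.
    _, public_port = plain.outbound(pc, 1050, remote, 6667)
    results["reply_to_outbound"] = plain.inbound(remote, 6667, public_port)
    results["third_party_reuse"] = plain.inbound(other, 6667, public_port)

    # The same outbound attempt through a router that filters egress by port.
    # (A port filter does not help if the program uses an allowed port.)
    results["filtered_outbound"] = filtered.outbound(pc, 1050, remote, 6667)

    # A mapped port exposes the inside service to every outside host.
    results["forwarded"] = plain.inbound(other, 40001, 80)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:20} {value}")
```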



Re: packet sniffer

2001-11-22 Thread dumbwabbit

I am partial towards Ethereal (the Beta version looks
really nice), and Analyzer (Netgroup Politecnico).

--- BurntCircuit <[EMAIL PROTECTED]> wrote:
> I'm looking for a good windows NT/2K (maybe XP pro)
> packet sniffer to monitor
> the coming and goings of a few programs that I don't
> trust. would someone be
> able to tell me of a good one (better yet the best
> one (LOL if there is
> one))
> 
> thanks
> Ben
> 





Re: permission for nero

2001-10-25 Thread dumbwabbit

I had the same problem with Nero. I generally use my
workstation as a Power User or User, and only log in
as Administrator when I need to install drivers etc.

Nero gave me the same problem you describe, I wrote to
them twice and never heard back.

I was finally able to get Nero to work by changing the
Local Security Policies:

1) Back up files and directories - Assign this right
to your Users group.
2) Restore Files and Directories - Assign this right
to your Users group.
3) Load and Unload Device drivers - Assign this right
to your Users group.

Let me know if this solves it for you.

--- SF_Mailinglist <[EMAIL PROTECTED]> wrote:
> Hi guys,
> I need your help. I have some CD-writer with
> Nero-Burning ROM as software.
> My OS is Windows 2000. For security reasons I the
> users to be in the
> Users/PowerUsers groups. I get a message that they
> don't have enough
> permissions. I cannot give them administrative
> privileges. The software came
> with the writers - so I have the licences (it was
> not my decision to buy
> this software). There is no money for another
> burning software.
> What should I do?
> Thanks in advance
> 
> cheers,
> Michael
> CNA, 6xMCP
> 
> 



RE: Detecting weak passwords free tool

2001-10-23 Thread dumbwabbit

LC isn't free.
But it DOES work very well...
I insisted that we purchase it for my IT dept. - we
use it on a monthly basis.

--- Robert Clark <[EMAIL PROTECTED]> wrote:
> L0phtCrack
> 
> Robert Clark
> MCSE, MCP+I, MCP, A+
> MIS - Texas Cellular 
> 
> -Original Message-
> From: Javier Palomares Lopez
> [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, October 17, 2001 4:50 AM
> To: [EMAIL PROTECTED]
> Subject: Detecting weak passwords free tool
> 
> 
>  
> -BEGIN PGP SIGNED MESSAGE-
> 
> Hi all!
> 
> I'm looking for a free tool to check our NT users
> for weak passwords.
> Can you suggest me smthg.
> 
> Thanks in advance.
> 
> Javier Palomares López
> Morgan Stanley Telco Department
> Mail: [EMAIL PROTECTED]
> Phone: +34 914 121 222  Cell: 21222
> 