W32.Downadup AKA Conficker Removal


W32.Downadup (better known as Conficker) is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, the flaw fixed by security update MS08-067, and by copying itself to local and network drives. W32.Downadup can register its own Windows service so that it is started every time Windows boots. But from what I have heard, as long as you have Windows update MS08-067 installed you should be fine.

1. Temporarily disable System Restore.

2. Update the virus definitions.

3. Reboot the computer in Safe Mode.

4. Run a full system scan and clean/delete all infected file(s).

5. Delete or modify any values added to the registry.

Navigate to and delete the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PATH OF WORM EXECUTABLE]"

6. Exit the registry editor and restart the computer.

7. To make sure that the threat is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software.
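The two checks below back up steps 5 and 7 on a live machine. They are an added example written for this page, not Symantec's or Microsoft's tooling, and they assume an elevated PowerShell prompt; KB958644 is the knowledge-base number of the MS08-067 update. Rather than looking only at the path quoted above, the inventory lists every svchost-hosted service (anything with a Parameters\ServiceDll value), since the service name the worm registers varies between variants, and flags entries whose DLL is missing or carries no valid Authenticode signature.

```powershell
# Added example for this page; not Symantec or Microsoft code. Run elevated.

function Test-MS08067Installed {
    # KB958644 is the update that carries the MS08-067 fix. Get-HotFix only sees
    # separately installed updates, so on Windows 7 / Server 2008 R2 (6.1) and
    # later, which shipped with the fix built in, fall back to the OS version.
    if (Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue) { return $true }
    $v = [Environment]::OSVersion.Version
    return ($v.Major -gt 6) -or ($v.Major -eq 6 -and $v.Minor -ge 1)
}

function Get-SvchostServiceInventory {
    # A service with Parameters\ServiceDll is hosted by svchost.exe; the removal
    # step above deletes such a value for the worm. Listing all of them, with
    # netsvcs group membership, file presence and signature, makes the odd one
    # out visible instead of assuming a fixed service name.
    $groups  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' -ErrorAction SilentlyContinue
    $netsvcs = @($groups.netsvcs)                     # REG_MULTI_SZ list of service names in the netsvcs group
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        if (-not $p) { return }                       # not svchost-hosted; skip this service
        $dll    = [Environment]::ExpandEnvironmentVariables([string]$p.ServiceDll)
        $exists = Test-Path -LiteralPath $dll
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() } else { 'n/a' }
        [pscustomobject]@{
            Service    = $_.PSChildName
            InNetsvcs  = ($netsvcs -contains $_.PSChildName)
            ServiceDll = $dll
            Exists     = $exists
            Signature  = $sig
            Suspicious = (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}

"MS08-067 fix present: $(Test-MS08067Installed)"
Get-SvchostServiceInventory | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

On Windows 7 and earlier many system DLLs are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature may report them as NotSigned; there, treat the Signature column as informational and look for the one entry with a random-looking name whose DLL in System32 belongs to no Microsoft component. Drop the Where-Object filter to see the full inventory and compare it against a known-clean machine of the same build.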

Update:

The following graphic shows the OS distribution observed. [Figure: Conficker OS distribution; graphic not reproduced]

Windows SBS 2008 Answer File

Windows Small Business Server 2008 supports installation using an answer file. The answer file provides the following functionality:

  • Automates the SBS 2008 installation process for both a clean installation as well as a migration.
  • Allows you to run a clean installation setup in advanced mode interactively.

In addition, the answer file is the only way to run the Windows SBS 2008 installation in join-domain/migration mode; there is no other way to trigger the SBS 2008 setup to act in that mode. Likewise, if you do not want to use the default of .local as your TLD, you must use an answer file to specify an alternative.

To create the answer file for an automated install:

  1. On a client computer or server with .NET Framework 2.0 installed, insert the first Windows SBS 2008 DVD and select the Tools link. If autorun is disabled, browse to the Tools folder on SBS 2008 DVD 1.
  2. Launch the answer file generator tool by running SBSAfg.exe.
  3. Select New installation or Migration from existing server (Join existing domain), depending on your scenario.
  4. Type in the required information. See below for a summary of each field.
  5. Save the answer file as sbsanswerfile.xml.
    Note:
    You cannot use any filename other than sbsanswerfile.xml. This is the only filename that the SBS 2008 setup will look for.
  6. Copy the answer file to the root of a USB drive, floppy disk or a partition on the destination server. Then start either installing or migrating to Windows SBS 2008. If the SBS 2008 installation wizard detects a migration answer file, the migration process starts automatically.

Shared Information

  • Get Installation Updates: Whether or not to automatically attempt to download installation updates.
  • Run Unattended: If unchecked, the setup fields will be pre-populated but you must click Next during setup.
  • Clock and time zone settings: You must make sure that you use the correct time zone.
  • Windows Live OneCare for Server: Choose whether or not to install the trial version.
  • Microsoft Forefront Security for Exchange Server: Choose whether or not to install the trial version.
  • Company Information: The name and address of the business. This information is used for settings on your server and is not sent to Microsoft. You can edit the company information later. To edit it, in the Windows SBS Console, click the Help list menu, and then click Edit Company Information.
  • Certificate Authority Name: You can customize the name of your CA.  We recommend leaving this setting blank, which will use the default name of <DomainName>-<ServerName>-CA.

Migration Specific Information

  • Source Server Information
    • Domain Administrator Account Name: The user account name of a domain administrator in the existing domain.
    • Password: The password that corresponds to the existing domain administrator account name.
    • Source Server Name: The name of the server from which you are migrating.
    • Source Domain Name: The full DNS name of your organization’s internal domain.
    • Default Gateway: The IP address that is assigned to the router on your network.
    • Source Server IP Address: The IP address that is assigned to the Source Server.
    • DHCP is running on the Source Server: Select this box if the DHCP service is running on the Source Server. It is recommended that the DHCP service run on the Destination Server. If you are running the DHCP service on the Source Server, it is moved for you during Windows SBS 2008 migration. If the DHCP service is running on another server or device, you must manually disable it on that server or device.
  • Destination Server Information
    • Destination Server Name: The name of your new SBS 2008 server.
    • Destination Server IP Address: The IP for your new SBS 2008 server.  Please verify that this address is not in use.

New Install Specific Information

  • Server Information (Note: You cannot change ANY of the following names after the installation finishes)
    • Server Name: The name of your new server. This must be a unique name on the local network.
    • Internal Domain Name: The NetBIOS name of the internal domain—for example, contoso. This must be a unique name on the local network. The domain name and the server name cannot be the same.
    • Full DNS Name: The DNS name of the internal (local) domain. You must provide at least two labels for the full DNS name. For example, you can use contoso.local, but contoso alone is not valid. It is recommended that you do not use a public top level domain name, such as .com, as the last label in the full DNS name.
  • Network Administrator Account
    • First Name: First name of the administrator.
    • Last Name: Last name of the administrator.
    • Administrator User Name: User name or alias for the new network administrator account.
    • Administrator Password: Password for the new network administrator account. The password that you provide must be complex. If you do not provide a complex password, the unattended installation stops so you can provide the complex password.
  • Network Settings for the Server
    • Automatically Detect the Network Settings: Use DHCP to identify an unused private IP address.
    • Manually Choose the Network Settings as Follows:
      • IP Address: IP address of the SBS 2008 server.  This must be a private IP address.
      • Default Gateway: The IP address that is assigned to the router on your network.
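The field rules above (unique names, server name different from the domain name, at least two DNS labels, a non-public suffix, a complex administrator password, a private and unused static IP, and the fixed sbsanswerfile.xml name at the root of a drive) are cheap to check before a long unattended install trips over one of them. The following is an added pre-flight script written for this page; it is not part of SBSAfg.exe or the SBS 2008 setup. The 15-character limit is the NetBIOS name limit; the 8-character password minimum, the short list of public TLDs warned on, and the example values in the usage line are assumptions, not SBS rules.

```powershell
# Added example for this page; not SBS 2008 or SBSAfg.exe code.

function Test-PrivateIPv4 {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-ComplexPassword {
    # Classic Windows complexity rule: three of four character classes and not
    # containing the user name. The 8-character minimum is an assumption.
    param([string]$Password, [string]$UserName)
    $classes = 0
    foreach ($re in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $re) { $classes++ }
    }
    $containsUser = ($UserName -ne '') -and ($Password -match [regex]::Escape($UserName))
    return ($Password.Length -ge 8) -and ($classes -ge 3) -and (-not $containsUser)
}

function Test-SbsAnswerFileInputs {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$InternalDomainName,   # NetBIOS name, e.g. contoso
        [Parameter(Mandatory)][string]$FullDnsName,          # e.g. contoso.local
        [Parameter(Mandatory)][string]$AdminUserName,
        [Parameter(Mandatory)][string]$AdminPassword,
        [string]$StaticIPAddress,                            # omit when auto-detecting via DHCP
        [string]$AnswerFilePath                              # where you intend to save the file
    )
    $problems = @()
    if ($ServerName.Length -gt 15 -or $InternalDomainName.Length -gt 15) {
        $problems += 'Server name and NetBIOS domain name must be 15 characters or fewer'
    }
    if ($ServerName -eq $InternalDomainName) {
        $problems += 'Server name and internal domain name cannot be the same'
    }
    $labels = @($FullDnsName -split '\.' | Where-Object { $_ })
    if ($labels.Count -lt 2) {
        $problems += "Full DNS name '$FullDnsName' needs at least two labels (e.g. contoso.local)"
    } elseif (@('com', 'net', 'org') -contains $labels[-1]) {   # assumption: TLDs to warn on
        $problems += "Last label '.$($labels[-1])' is a public TLD; a non-public suffix is recommended"
    }
    if (-not (Test-ComplexPassword -Password $AdminPassword -UserName $AdminUserName)) {
        $problems += 'Administrator password is not complex; unattended setup will stop and ask for one'
    }
    if ($StaticIPAddress) {
        if (-not (Test-PrivateIPv4 -Address $StaticIPAddress)) {
            $problems += "Static IP $StaticIPAddress is not a private (RFC 1918) address"
        } elseif (Test-Connection -ComputerName $StaticIPAddress -Count 1 -Quiet) {
            $problems += "Static IP $StaticIPAddress answers ping; it is already in use"
        }
    }
    if ($AnswerFilePath) {
        $leaf = Split-Path -Path $AnswerFilePath -Leaf
        $dir  = Split-Path -Path $AnswerFilePath -Parent
        if ($leaf -ne 'sbsanswerfile.xml') { $problems += "Setup only looks for sbsanswerfile.xml, not '$leaf'" }
        if ($dir -notmatch '^[A-Za-z]:\\?$') { $problems += 'Answer file must sit at the root of the drive or partition' }
    }
    return $problems
}

# Usage with example values (assumptions, not real settings); an empty result means no blocker found.
Test-SbsAnswerFileInputs -ServerName 'SBS01' -InternalDomainName 'contoso' -FullDnsName 'contoso.local' `
    -AdminUserName 'netadmin' -AdminPassword 'P@ssw0rd-Example!' -StaticIPAddress '192.168.16.2' `
    -AnswerFilePath 'E:\sbsanswerfile.xml'
```

The in-use check only proves that nothing answered a single ping, so a host that blocks ICMP will still collide; confirm against your DHCP scope and DNS as well. Uniqueness of the server and domain names on the network is not checked here because it depends on your existing name resolution.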
Submarine cable repair

Ever wonder how broken undersea cables get repaired? A few interesting links were posted to the NANOG mailing list last month, including a series of YouTube videos produced by Hibernia Atlantic onboard Global Marine’s Cable Innovator. My favorite is this one demonstrating how the individual fibers are prepared and spliced together:

Other videos in the series demonstrate (in no particular order):

Interesting stuff. Alcatel also has a couple of nifty Flash videos demonstrating how cables are laid and retrieved for repair.

Logon Type Codes Revealed
[Figure: an Event ID 529 (Logon/Logoff, Source: Security) event showing the Logon Type field]

The logon/logoff category of the Windows security log gives you the ability to monitor all attempts to access the local computer. In this article I’ll examine each logon type in greater detail and show you how some other fields in Logon/Logoff events can be helpful for understanding the nature of a given logon attempt.

Event IDs 528 and 540 signify a successful logon, event ID 538 a logoff, and all the other events in this category identify different reasons for a logon failure. (On Windows Vista and later the same information moves to event IDs 4624, 4625 and 4634 respectively, but the Logon Type field discussed below is unchanged.) However, just knowing about a successful or failed logon attempt doesn't fill in the whole picture. Because of all the services Windows offers, there are many different ways you can log on to a computer, such as interactively at the computer's local keyboard and screen, over the network through a drive mapping, through Terminal Services (aka Remote Desktop), or through IIS. Thankfully, logon/logoff events include a Logon Type code which reveals the type of logon that prompted the event.

Logon Type 2 – Interactive

This is what most people think of first when they think of logons, that is, a logon at the console of a computer. You'll see type 2 logons when a user attempts to log on at the local keyboard and screen, whether with a domain account or a local account from the computer's local SAM. To tell the difference between an attempt to log on with a local or domain account, look for the domain or computer name preceding the user name in the event's description. Don't forget that logons through a KVM-over-IP component or a server's proprietary "lights-out" remote KVM feature are still interactive logons from the standpoint of Windows and will be logged as such.

Logon Type 3 – Network

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is basic authentication which is explained in Logon Type 8 below.)

Logon Type 4 – Batch

When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the task so that it can run under the authority of the user account specified when the task was created. When this logon attempt occurs, Windows logs it as logon type 4. Other job scheduling systems, depending on their design, may also generate logon events with logon type 4 when starting jobs. Logon type 4 events are usually just innocent scheduled task start-ups, but a malicious user could try to subvert security by guessing the password of an account through scheduled tasks. Such attempts would generate a logon failure event where the logon type is 4. But logon failures associated with scheduled tasks can also result from an administrator entering the wrong password for the account at the time of task creation, or from the password of an account being changed without modifying the scheduled task to use the new password.

Logon Type 5 – Service

Similar to Scheduled Tasks, each service is configured to run as a specified user account. When a service starts, Windows first creates a logon session for the specified user account which results in a Logon/Logoff event with logon type 5. Failed logon events with logon type 5 usually indicate the password of an account has been changed without updating the service but there’s always the possibility of malicious users at work too. However this is less likely because creating a new service or editing an existing service by default requires membership in Administrators or Server Operators and such a user, if malicious, will likely already have enough authority to perpetrate his desired goal.

Logon Type 7 – Unlock

Hopefully the workstations on your network automatically start a password protected screen saver when a user leaves their computer so that unattended workstations are protected from malicious use. When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event but in this case the logon type will be 7 – identifying the event as a workstation unlock attempt. Failed logons with logon type 7 indicate either a user entering the wrong password or a malicious user trying to unlock the computer by guessing the password.

Logon Type 8 – NetworkCleartext

This logon type indicates a network logon like logon type 3, but one where the password was sent over the network in clear text. Windows Server doesn't allow connections to shared files or printers with clear text authentication. The only situations I'm aware of are logons from within an ASP script using ADVAPI, or a user logging on to IIS using IIS's basic authentication mode. In both cases the logon process in the event's description will list advapi. Basic authentication is only acceptable when wrapped inside an SSL session (i.e. https); without that, the credentials cross the wire readable by anyone on the path. As for logons generated by an ASP script, remember that embedding passwords in source code is a bad practice, both for maintenance reasons and because anyone who can view the source code gains the password.

Logon Type 9 – NewCredentials

If you use the RunAs command to start a program under a different user account and specify the /netonly switch, Windows records a logon/logoff event with logon type 9. When you start a program with RunAs using /netonly, the program executes on your local computer as the user you are currently logged on as but for any connections to other computers on the network, Windows connects you to those computers using the account specified on the RunAs command. Without /netonly Windows runs the program on the local computer and on the network as the specified user and records the logon event with logon type 2.

Logon Type 10 – RemoteInteractive

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows logs the logon attempt with logon type 10, which makes it easy to distinguish true console logons from a remote desktop session. Note however that Windows 2000 doesn't use logon type 10; prior to XP, terminal services logons are reported as logon type 2.

Logon Type 11 – CachedInteractive

Windows supports a feature called cached logons, which facilitates mobile users. When you are not connected to your organization's network and attempt to log on to your laptop with a domain account, there's no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials from the last 10 interactive domain logons (the count is controlled by the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). Later, when no domain controller is available, Windows uses these cached hashes to verify your identity when you attempt to log on with a domain account, and records the logon with logon type 11.

Conclusion

I hope this discussion of logon types and their meanings helps you as you keep watch on your Windows network and try to piece together the different ways users are accessing your computers. Paying attention to logon type is important because different logon types can affect how you interpret logon events from a security perspective. For instance, a failed network logon on a server might not be surprising, since users must access servers over the network all the time. But a failed network logon attempt in a workstation security log is different. Why is anyone trying to access someone else's workstation from over the network? As you can see, it pays to understand the security log.
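The readings of each logon type given in this article can be turned into a small triage function. The script below is an added example for this page, not the article's own tooling: it maps each Logon Type code to the article's interpretation, flags the cases the article calls out (a failed type 3 logon against a workstation, failed type 4/5 logons from stale task or service passwords, type 8 clear-text credentials), and runs over constructed sample records. The Get-LogonEventsFromLog function at the end shows how to feed it live events on Vista and later, where the same Logon Type field appears in events 4624 (success) and 4625 (failure); the sample account names and the IsWorkstation flag are assumptions you supply for the machine whose log you are reading.

```powershell
# Added example for this page; not the article's code. Sample records are constructed.

$LogonTypeName = @{
    2 = 'Interactive';    3 = 'Network';            4 = 'Batch'
    5 = 'Service';        7 = 'Unlock';             8 = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonAssessment {
    param(
        [Parameter(Mandatory)][int]    $LogonType,
        [Parameter(Mandatory)][bool]   $Success,
        [Parameter(Mandatory)][string] $Account,
        [Parameter(Mandatory)][bool]   $IsWorkstation,   # role of the machine whose log holds the event
        [string] $LogonProcess = ''
    )
    $name = if ($LogonTypeName.ContainsKey($LogonType)) { $LogonTypeName[$LogonType] } else { 'Unknown' }
    $note = switch ($LogonType) {
        2  { if ($Success) { 'console logon (includes KVM-over-IP)' } else { 'failed console logon' } }
        3  { if (-not $Success -and $IsWorkstation) { 'SUSPICIOUS: failed network logon against a workstation' }
             elseif (-not $Success) { 'failed network logon on a server; common, correlate by account' }
             else { 'share/printer/IIS style network logon' } }
        { $_ -eq 4 -or $_ -eq 5 } {
             if ($Success) { 'scheduled task or service start' }
             else { 'CHECK: stale task/service password, or guessing through task/service creation' } }
        7  { if ($Success) { 'workstation unlock' } else { 'CHECK: wrong password at unlock, or guessing on a locked console' } }
        8  { 'CLEARTEXT: credentials crossed the network unencrypted unless the session was HTTPS' }
        9  { 'RunAs /netonly: local identity unchanged, remote connections use the alternate account' }
        10 { 'remote desktop / terminal services session, not a console logon' }
        11 { 'offline logon verified against cached domain credentials' }
        default { 'logon type not covered by the article' }
    }
    if ($LogonType -eq 8 -and $LogonProcess -and $LogonProcess -ne 'advapi') {
        $note += "; unexpected logon process '$LogonProcess'"   # article expects advapi for type 8
    }
    [pscustomobject]@{ Account = $Account; Type = $LogonType; TypeName = $name; Success = $Success; Note = $note }
}

# Constructed sample records (not from a real log).
$sample = @(
    [pscustomobject]@{ Account = 'CONTOSO\alice';      LogonType = 2;  Success = $true;  IsWorkstation = $true;  LogonProcess = 'User32' }
    [pscustomobject]@{ Account = 'CONTOSO\bob';        LogonType = 3;  Success = $false; IsWorkstation = $true;  LogonProcess = 'NtLmSsp' }
    [pscustomobject]@{ Account = 'CONTOSO\bob';        LogonType = 3;  Success = $false; IsWorkstation = $false; LogonProcess = 'NtLmSsp' }
    [pscustomobject]@{ Account = 'CONTOSO\svc-backup'; LogonType = 5;  Success = $false; IsWorkstation = $false; LogonProcess = 'Advapi' }
    [pscustomobject]@{ Account = 'CONTOSO\web';        LogonType = 8;  Success = $true;  IsWorkstation = $false; LogonProcess = 'Advapi' }
    [pscustomobject]@{ Account = 'CONTOSO\alice';      LogonType = 10; Success = $true;  IsWorkstation = $false; LogonProcess = 'User32' }
    [pscustomobject]@{ Account = 'CONTOSO\alice';      LogonType = 11; Success = $true;  IsWorkstation = $true;  LogonProcess = 'User32' }
)
$sample | ForEach-Object {
    Get-LogonAssessment -LogonType $_.LogonType -Success $_.Success -Account $_.Account `
                        -IsWorkstation $_.IsWorkstation -LogonProcess $_.LogonProcess
} | Format-Table -AutoSize -Wrap

function Get-LogonEventsFromLog {
    # Pull recent 4624/4625 events (Vista and later; needs an elevated prompt)
    # and run them through the same assessment. Fields are read by name from
    # the event XML so nothing depends on field positions.
    param([int]$MaxEvents = 200, [bool]$IsWorkstation = $true)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents $MaxEvents |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        Get-LogonAssessment -LogonType ([int]$data['LogonType']) -Success ($_.Id -eq 4624) `
            -Account "$($data['TargetDomainName'])\$($data['TargetUserName'])" `
            -IsWorkstation $IsWorkstation -LogonProcess ([string]$data['LogonProcessName'])
    }
}
```

The IsWorkstation flag is what turns a routine failed type 3 logon into the "SUSPICIOUS" case the conclusion describes; set it from the role of the machine the log came from, not from anything in the event. On a live system pipe Get-LogonEventsFromLog into Where-Object with a match on the Note column to see only the flagged entries.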
