Mar 31 2009 3:32PM GMT
Posted by: Troy Tate
Tags: honeynet, diagnostic tools, Conficker, ms08-067, antivirus, patches, anti-virus, detection, scanning, vulnerability scanning, vulnerability
A Simple Conficker Scanner (SCS) tool has been released by members of the Honeynet Project. This tool can be run under Linux or Windows. It runs a specially crafted RPC query against a host or range of IP addresses. The tool will tell you whether systems are clean or potentially infected. I am running this tool against hosts on my network and I found a Windows 2000 server apparently infected by Conficker. I am in the process of clean-up on that host. It looks like a couple of things contributed to the infection on this computer:
1. Out of date anti-virus. The antivirus signatures had not been updated since January 2008.
2. Microsoft patches not applied.
Folks, the advice about maintaining up-to-date AV and applying patches is good advice. Heed the warnings and save yourself the trouble of clean-up. I will be having a discussion with my operations team about this situation and make it clear that we should have been prepared for this and that this situation should not have arisen.
I am also following the advice from McAfee on Combating the Conficker worm.
For more details on how the Conficker worm actually works, follow the links in my blog.
Thanks for reading. Let’s continue to be good network citizens.
Feb 11 2009 8:08PM GMT
Posted by: Troy Tate
Tags: Data security, administration, analysis, antivirus, anti-virus, diagnostics, howto, information security, malicious activity, malware, Microsoft, Microsoft Windows, Active Directory, AD, network security, Password, policy enforcement, reporting, risk, risks, scanning, search, Security, security notification, tools, troubleshooting, Windows, password management, account management
With an environment spanning 18+ sites and more than 3000 computers around the globe, you can understand how challenging it would be to track down what device or user might be locking user accounts. There are tools out there that you can pay for that can help do this. However, Microsoft has some free tools that, with a little testing and use, will permit you to quickly track down where the account is being locked and address the situation.
We had a situation recently where malicious software got onto a couple of machines and attempted to use the Administrator account to log in. We have account lockout on our Windows 2003 AD domain, so after the appropriate number of invalid tries the Administrator account was locked out in the domain. This is because the machines were members of the domain and the malware did not distinguish the local administrator account from the domain administrator when attempting to elevate authority. Note that we use least user authority in our environment, so the malware was not able to spread beyond these two machines. We suspect the machines became infected due to out-of-date antivirus signatures.
Unfortunately, the antivirus we use did not alert us to the situation. The way we were alerted was by our Microsoft Systems Center Operations Manager (SCOM) implementation. It notified the SCOM admin that the domain Administrator account was locked. The operations team was then tasked with tracking down what or who was locking this account. This is where the Microsoft Account Lockout and Management Tools came into use and helped isolate the cause.
Feb 2 2009 5:15PM GMT
Posted by: Troy Tate
Tags: ARP, protocol, testing, tools, toolkit, scanning, education, video, training, protocol analysis, Laura Chappell
ARP, or Address Resolution Protocol, is a necessary element of network traffic. Per Wikipedia: “In computer networking, the Address Resolution Protocol (ARP) is the method for finding a host’s link layer (hardware) address when only its Internet Layer (IP) or some other Network Layer address is known. ARP is defined in RFC 826.[1] It is Internet Standard STD 37.” It is not an IP-only protocol.
What this means is that ARP is not a protocol that can easily be blocked or disabled on a network. This is by design, but it also means that attackers can use this protocol for malicious activities. It is important that you understand the ARP protocol, the ways it is used, and the dangers associated with it.
Laura Chappell, the BitGirl, has created a new tutorial on using ARP to scan networks that may be firewalled or where ICMP pings are blocked. ARP will permit you, and attackers, to find hosts on the network. Take some time to watch this short video and gain some valuable insights into ARP.
Watch Chappell University - Ethical Hacking with NetScanTools Pro - ARP Scanning
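Since ARP cannot be blocked, the defender's counterpart to the scanning shown in the video is to notice it. The following Python is an added example, not from this post or from Chappell's tutorial: it reads ARP who-has requests in tcpdump `-tt` style (constructed sample lines, not a real capture) and flags any sender that asks for an unusually large number of distinct addresses inside a short window, which is the footprint an ARP sweep leaves even when ICMP is filtered. The 10-second window and 20-address threshold are assumed starting values to tune for your segment.

```python
import re
from collections import defaultdict

# Constructed tcpdump -tt style line: "<secs> ARP, Request who-has <target IP> tell <sender IP>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) ARP, Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
)

def parse_arp_requests(lines):
    """Yield (timestamp, sender, target) per ARP who-has request; replies and junk are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group("ts")), m.group("sender"), m.group("target")

def find_arp_sweeps(lines, window_s=10.0, threshold=20):
    """Map sender -> most distinct targets it asked for inside any window_s-second
    window, keeping only senders at or above threshold. A host doing ordinary work
    resolves a few neighbours; a sweep asks for dozens of addresses in seconds."""
    by_sender = defaultdict(list)
    for ts, sender, target in parse_arp_requests(lines):
        by_sender[sender].append((ts, target))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start, best = 0, 0
        in_window = defaultdict(int)  # target -> requests inside the current window
        for ts, target in events:
            in_window[target] += 1
            while ts - events[start][0] > window_s:  # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[sender] = best
    return flagged

# Constructed sample: 192.168.1.50 sweeps .1-.40 in four seconds; .10 resolves three hosts over 30 s.
SAMPLE = [f"{1000 + i * 0.1:.1f} ARP, Request who-has 192.168.1.{i} tell 192.168.1.50"
          for i in range(1, 41)]
SAMPLE += ["1001.0 ARP, Request who-has 192.168.1.1 tell 192.168.1.10",
           "1001.5 ARP, Request who-has 192.168.1.2 tell 192.168.1.10",
           "1002.0 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55",
           "1030.0 ARP, Request who-has 192.168.1.3 tell 192.168.1.10"]

if __name__ == "__main__":
    print(find_arp_sweeps(SAMPLE))  # {'192.168.1.50': 40}
```

Feed it `tcpdump -tt -n arp` output from a span port; the sliding window keeps a chatty but legitimate host (many requests spread over minutes) from being flagged alongside a real sweep.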
Thanks for your time and let’s be good network citizens!