| Home | Register | Members | Search | Windows Vista Tips | File Database | Links |
 |
| Thread Tools | Display Modes |
|
Guest
Posts: n/a
|
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news: ... > From: "Peter Foldes" <> > > | Crossposted from microsoft.public.windows.server.general > | > | "W" <> wrote in message > | news: ... >>> We have our Windows 2003 servers fairly locked down by NTFS, and when a >>> user browses the Internet they are logged in as an ordinary user with >>> minimal access to the file system. So imagine my horror to see that a >>> virus was able to change every single file and folder on the file system >>> to be read-only and hidden, apparently using the attributes for files >>> that are affected by the ATTRIB commandline command. >>> >>> Is the ability to use ATTRIB controlled by NTFS permissions? Or is >>> this the Write Attributes permission in NTFS? Unfortunately we >>> probably did enable that because it was generating too many false >>> positive audit messages. >>> >>> The command >>> >>> attrib -h -r *.* /s /d >>> >>> apparently does NOT affect all folders under the current folder. Is >>> there a command that can be used that would change every file and folder >>> from the current location and down all subtrees? >>> >>> Is there any utility that would restore any critical system files and >>> folders to their original attributes? >>> > > A virus didn't hide files and folders, a System Fix trojan or other rogue > malware did. > > If I understand this post, a user was ALLOWED to browse the Internet from > the POC of the Win2003 Server. If that was the case that was the mistake. > Nobody, users or administrators should be browsing on a server platform. > This is disrepecting the role of the server. A System Fix type trojan is > bad enough but that kind of behavioour (which should never be alloewd on a > server) coold have had more disaterous effects. The Windows 2003 server in question is actually an individual's personal workstation. He prefers to use Server for many reasons as his workstation, and one of those reasons is the ability to come in by Terminal Services without disrupting the console session. To be honest, this malware would have done minimal damage had we just not allowed the Users group to have Write Attributes permissions on such a wide file system scope. We had allowed that because so many applications give security error log messages after attempting to change an attribute that it rendered logging very cumbersome. We clearly didn't understand the implication of that setting and now we do. So no user should have global Write Attributes. Check.  Other than that, the virus was only able to change files and add new files inside the user's profile folder. We simply deleted that folder and had the user login fresh to create a new profile folder. That at least contained the initial active part of the infection, and we'll have to continue with other utilities later. > The first think to do is find and eliminate the System Fix type trojan and > then use Lawrence Abrams' (aka; Grinler) Unhide utility. > http://download.bleepingcomputer.com/grinler/unhide.exe > > The Server may have to be booted in Safe Mode such that the trojan isn't > loaded. Note also do NOT dump TEMP folders prior to running Unhide. > Unhide may also be executed in Safe Mode. All of those utilities look useful thanks. I could not get the MS Standalone Sweeper to create a standalone CD. It gives an error when trying to write the CD that has no error code and simply indicates it cannot continue. Amazing that it took MS 10 years to finally understand that to beat a virus effectively you should boot from a dedicated uninfected OS, without invoking the OS of system under test. Better late than never, assuming I can ever get it to work. -- W |
|
|
|
|||
|
|
| |
|
Guest
Posts: n/a
|
From: "W" <>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news: ... >> From: "Peter Foldes" <> >> >>> Crossposted from microsoft.public.windows.server.general >>> >>> "W" <> wrote in message >>> news: ... >>>> We have our Windows 2003 servers fairly locked down by NTFS, and when a user browses >>>> the Internet they are logged in as an ordinary user with minimal access to the file >>>> system. So imagine my horror to see that a virus was able to change every single >>>> file and folder on the file system to be read-only and hidden, apparently using the >>>> attributes for files that are affected by the ATTRIB commandline command. >>>> >>>> Is the ability to use ATTRIB controlled by NTFS permissions? Or is this the Write >>>> Attributes permission in NTFS? Unfortunately we probably did enable that because it >>>> was generating too many false positive audit messages. >>>> >>>> The command >>>> >>>> attrib -h -r *.* /s /d >>>> >>>> apparently does NOT affect all folders under the current folder. Is there a command >>>> that can be used that would change every file and folder from the current location >>>> and down all subtrees? >>>> >>>> Is there any utility that would restore any critical system files and folders to >>>> their original attributes? >>>> >> >> A virus didn't hide files and folders, a System Fix trojan or other rogue malware did. >> >> If I understand this post, a user was ALLOWED to browse the Internet from the POC of >> the Win2003 Server. If that was the case that was the mistake. Nobody, users or >> administrators should be browsing on a server platform. This is disrepecting the role >> of the server. A System Fix type trojan is bad enough but that kind of behavioour >> (which should never be alloewd on a server) coold have had more disaterous effects. > > The Windows 2003 server in question is actually an individual's personal workstation. > He prefers to use Server for many reasons as his workstation, and one of those reasons > is the ability to come in by Terminal Services without disrupting the console session. > > To be honest, this malware would have done minimal damage had we just not allowed the > Users group to have Write Attributes permissions on such a wide file system scope. We > had allowed that because so many applications give security error log messages after > attempting to change an attribute that it rendered logging very cumbersome. We > clearly didn't understand the implication of that setting and now we do. So no user > should have global Write Attributes. Check. > > Other than that, the virus was only able to change files and add new files inside the > user's profile folder. We simply deleted that folder and had the user login fresh to > create a new profile folder. That at least contained the initial active part of the > infection, and we'll have to continue with other utilities later. > > >> The first think to do is find and eliminate the System Fix type trojan and then use >> Lawrence Abrams' (aka; Grinler) Unhide utility. >> http://download.bleepingcomputer.com/grinler/unhide.exe >> >> The Server may have to be booted in Safe Mode such that the trojan isn't loaded. Note >> also do NOT dump TEMP folders prior to running Unhide. Unhide may also be executed in >> Safe Mode. > > All of those utilities look useful thanks. > > I could not get the MS Standalone Sweeper to create a standalone CD. It gives an error > when trying to write the CD that has no error code and simply indicates it cannot > continue. Amazing that it took MS 10 years to finally understand that to beat a > virus effectively you should boot from a dedicated uninfected OS, without invoking the > OS of system under test. Better late than never, assuming I can ever get it to work. > This was not a case of a virus and if you are the administartor of some system of systems which included this Windows 2003 server then that explains the poor security and this trojan getting installed. If this was a virus you and your comapny would have been up shits creek becaus ethe virus would have infected other files and spread beyond the borders of this one Windows 2003 server to other systems on your network. -- Dave Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk http://www.pctipp.ch/downloads/dl/35905.asp |
|
|
|
|
|||
|
Guest
Posts: n/a
|
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:... > From: "W" <> > > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news: ... > >> From: "Peter Foldes" <> > >> > >>> Crossposted from microsoft.public.windows.server.general > >>> > >>> "W" <> wrote in message > >>> news: ... > >>>> We have our Windows 2003 servers fairly locked down by NTFS, and when a user browses > >>>> the Internet they are logged in as an ordinary user with minimal access to the file > >>>> system. So imagine my horror to see that a virus was able to change every single > >>>> file and folder on the file system to be read-only and hidden, apparently using the > >>>> attributes for files that are affected by the ATTRIB commandline command. > >>>> > >>>> Is the ability to use ATTRIB controlled by NTFS permissions? Or is this the Write > >>>> Attributes permission in NTFS? Unfortunately we probably did enable that because it > >>>> was generating too many false positive audit messages. > >>>> > >>>> The command > >>>> > >>>> attrib -h -r *.* /s /d > >>>> > >>>> apparently does NOT affect all folders under the current folder. Is there a command > >>>> that can be used that would change every file and folder from the current location > >>>> and down all subtrees? > >>>> > >>>> Is there any utility that would restore any critical system files and folders to > >>>> their original attributes? > >>>> > >> > >> A virus didn't hide files and folders, a System Fix trojan or other rogue malware did. > >> > >> If I understand this post, a user was ALLOWED to browse the Internet from the POC of > >> the Win2003 Server. If that was the case that was the mistake. Nobody, users or > >> administrators should be browsing on a server platform. This is disrepecting the role > >> of the server. A System Fix type trojan is bad enough but that kind of behavioour > >> (which should never be alloewd on a server) coold have had more disaterous effects. > > > > The Windows 2003 server in question is actually an individual's personal workstation. > > He prefers to use Server for many reasons as his workstation, and one of those reasons > > is the ability to come in by Terminal Services without disrupting the console session. > > > > To be honest, this malware would have done minimal damage had we just not allowed the > > Users group to have Write Attributes permissions on such a wide file system scope. We > > had allowed that because so many applications give security error log messages after > > attempting to change an attribute that it rendered logging very cumbersome. We > > clearly didn't understand the implication of that setting and now we do. So no user > > should have global Write Attributes. Check. > > > > Other than that, the virus was only able to change files and add new files inside the > > user's profile folder. We simply deleted that folder and had the user login fresh to > > create a new profile folder. That at least contained the initial active part of the > > infection, and we'll have to continue with other utilities later. > > > > > >> The first think to do is find and eliminate the System Fix type trojan and then use > >> Lawrence Abrams' (aka; Grinler) Unhide utility. > >> http://download.bleepingcomputer.com/grinler/unhide.exe > >> > >> The Server may have to be booted in Safe Mode such that the trojan isn't loaded. Note > >> also do NOT dump TEMP folders prior to running Unhide. Unhide may also be executed in > >> Safe Mode. > > > > All of those utilities look useful thanks. > > > > I could not get the MS Standalone Sweeper to create a standalone CD. It gives an error > > when trying to write the CD that has no error code and simply indicates it cannot > > continue. Amazing that it took MS 10 years to finally understand that to beat a > > virus effectively you should boot from a dedicated uninfected OS, without invoking the > > OS of system under test. Better late than never, assuming I can ever get it to work. > > > > This was not a case of a virus and if you are the administartor of some system of systems > which included this Windows 2003 server then that explains the poor security and this > trojan getting installed. > > If this was a virus you and your comapny would have been up shits creek becaus ethe virus > would have infected other files and spread beyond the borders of this one Windows 2003 > server to other systems on your network. First, some Trojans also act like viruses and attempt to spread. Some do not. Why is it important to this discussion? Second, no virus would have done the damage you describe because we browse the Internet from ordinary Users accounts (unlike 90% of all other user organizations where being "Administrator" all the time seems to be a common practice) and because we further went to extraordinary lengths to render Users unable to write to the vast majority of the file system. For example, on all of our computers, we prevent an ordinary user from being able to create a new file in the Windows, System32, or Windows Temp folders. Shared file access across user accounts on the same machine are through a carefully controlled folder. Access to the SAM files and their backups is explicitly denied, rendering brute force attacks on passwords impossible. Third, there was nothing in the original post or its follow on that would give you any basis for determining what the adequacy of our security measures was or is. You shouldn't make stuff up just for bravado. I appreciate the utilities that were posted as those are enormously useful. -- W |
|
|
|
|
|||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:: > From: "W" <> > >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message >> news: ... >>> From: "Peter Foldes" <> >>> >>>> Crossposted from microsoft.public.windows.server.general >>>> >>>> "W" <> wrote in message >>>> news: ... >>>>> We have our Windows 2003 servers fairly locked down by NTFS, and >>>>> when a user browses the Internet they are logged in as an >>>>> ordinary user with minimal access to the file system. So >>>>> imagine my horror to see that a virus was able to change every >>>>> single file and folder on the file system to be read-only and >>>>> hidden, apparently using the attributes for files that are >>>>> affected by the ATTRIB commandline command. >>>>> >>>>> Is the ability to use ATTRIB controlled by NTFS permissions? Or >>>>> is this the Write Attributes permission in NTFS? Unfortunately >>>>> we probably did enable that because it was generating too many >>>>> false positive audit messages. >>>>> >>>>> The command >>>>> >>>>> attrib -h -r *.* /s /d >>>>> >>>>> apparently does NOT affect all folders under the current folder. >>>>> Is there a command that can be used that would change every file >>>>> and folder from the current location and down all subtrees? >>>>> >>>>> Is there any utility that would restore any critical system files >>>>> and folders to their original attributes? >>>>> >>> >>> A virus didn't hide files and folders, a System Fix trojan or other >>> rogue malware did. >>> >>> If I understand this post, a user was ALLOWED to browse the >>> Internet from the POC of the Win2003 Server. If that was the case >>> that was the mistake. Nobody, users or administrators should be >>> browsing on a server platform. This is disrepecting the role of the >>> server. A System Fix type trojan is bad enough but that kind of >>> behavioour (which should never be alloewd on a server) coold have >>> had more disaterous effects. >> >> The Windows 2003 server in question is actually an individual's >> personal workstation. He prefers to use Server for many reasons as >> his workstation, and one of those reasons is the ability to come in >> by Terminal Services without disrupting the console session. >> >> To be honest, this malware would have done minimal damage had we >> just not allowed the Users group to have Write Attributes >> permissions on such a wide file system scope. We had allowed that >> because so many applications give security error log messages after >> attempting to change an attribute that it rendered logging very >> cumbersome. We clearly didn't understand the implication of that >> setting and now we do. So no user should have global Write >> Attributes. Check. >> >> Other than that, the virus was only able to change files and add new >> files inside the user's profile folder. We simply deleted that >> folder and had the user login fresh to create a new profile folder. >> That at least contained the initial active part of the infection, >> and we'll have to continue with other utilities later. >> >> >>> The first think to do is find and eliminate the System Fix type >>> trojan and then use Lawrence Abrams' (aka; Grinler) Unhide utility. >>> http://download.bleepingcomputer.com/grinler/unhide.exe >>> >>> The Server may have to be booted in Safe Mode such that the trojan >>> isn't loaded. Note also do NOT dump TEMP folders prior to running >>> Unhide. Unhide may also be executed in Safe Mode. >> >> All of those utilities look useful thanks. >> >> I could not get the MS Standalone Sweeper to create a standalone CD. >> It gives an error when trying to write the CD that has no error >> code and simply indicates it cannot continue. Amazing that it >> took MS 10 years to finally understand that to beat a virus >> effectively you should boot from a dedicated uninfected OS, without >> invoking the OS of system under test. Better late than never, >> assuming I can ever get it to work. >> > > This was not a case of a virus and if you are the administartor of > some system of systems which included this Windows 2003 server then > that explains the poor security and this trojan getting installed. > > If this was a virus you and your comapny would have been up shits > creek becaus ethe virus would have infected other files and spread > beyond the borders of this one Windows 2003 server to other systems > on your network. > +1 -- Character is doing the right thing when nobody's looking. There are too many people who think that the only thing that's right is to get by, and the only thing that's wrong is to get caught. - J.C. Watts |
|
|
|
|
|||
|
Guest
Posts: n/a
|
"W" <> wrote in
news: : > First, some Trojans also act like viruses and attempt to spread. > Some do not. Why is it important to this discussion? It's only important from proper anaylsis, recovery and future prevention. In your case tho, nothing. > Second, no virus would have done the damage you describe because we > browse the Internet from ordinary Users accounts (unlike 90% of all > other user organizations where being "Administrator" all the time > seems to be a common practice) and because we further went to > extraordinary lengths to render Users unable to write to the vast > majority of the file system. For example, on all of our computers, > we prevent an ordinary user from being able to create a new file in > the Windows, System32, or Windows Temp folders. Shared file access > across user accounts on the same machine are through a carefully > controlled folder. Access to the SAM files and their backups is > explicitly denied, rendering brute force attacks on passwords > impossible. You underestimate the ability for a virus to acquire sufficient rights on a poorly secured system. Don't assume IP policy is perfect if the OS has other problems, I have little doubt they do at this point. > Third, there was nothing in the original post or its follow on that > would give you any basis for determining what the adequacy of our > security measures was or is. You shouldn't make stuff up just for > bravado. When you mentioned using a server OS for a workstation, that was very helpful in determining your competency as an administrator. Adding that you allowed surfing on the server was only icing on the cake. > I appreciate the utilities that were posted as those are enormously > useful. They're well known amongst many security/pc techie circles. -- Character is doing the right thing when nobody's looking. There are too many people who think that the only thing that's right is to get by, and the only thing that's wrong is to get caught. - J.C. Watts |
|
|
|
|
|||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
"W" <> wrote in
news: : > "Dustin" <> wrote in message > news:Xns9FE2953CDB293HHI2948AJD832@no... >> > Third, there was nothing in the original post or its follow on >> > that would give you any basis for determining what the adequacy of >> > our security measures was or is. You shouldn't make stuff up >> > just for bravado. >> >> When you mentioned using a server OS for a workstation, that was >> very helpful in determining your competency as an administrator. >> Adding that you allowed surfing on the server was only icing on the >> cake. > > An OS is an OS, and you do or do not secure it. Whether a given OS > is used as a personal workstation or not is a function of its > assigned use, and it is not a function of the other possible uses of > the OS. The fact that a Windows Server *could* be used as a server > does not mean it *must* be used as a server. If in fact only one > user uses the server, functionally it stops being a server and in > terms of its role it performs like a workstation. If that suits you, fine by me. -- Character is doing the right thing when nobody's looking. There are too many people who think that the only thing that's right is to get by, and the only thing that's wrong is to get caught. - J.C. Watts |
|
|
|
|
|||
|
|
| |
|
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
