Center for Internet Security

October 30, 2003


Website of the day:

Center for Internet Security - Standards: "The Center for Internet Security (CIS) is a not-for-profit cooperative enterprise that helps organizations reduce the risk of business and e-commerce disruptions resulting from inadequate security configurations"

They maintain security configuration benchmarks for multiple types of systems.. with free tools to help you configure your systems.

Win2k Services

October 26, 2003


Quick note:

Sometimes google turns up some real great resources. Take a look at this 4 page pdf file of
Win2k Services. Damn I love google (even at 3:30 in the morning).

Security audit


Security audit: "To see how well-prepared a typical enterprise network is, we found a business willing to let us tag along while a professional auditing company poked and probed 28 of its servers, and then delivered its findings in a face-to-face meeting.
The results were frightening - and should sound the alarm for IT directors everywhere."

This is an awesome article.. please take a good look at it.

This article is from Network World Fusion - a great internet and print resource.

New law would require computer security audits, status reports - Computerworld

October 25, 2003


This would change some attitudes:

New law would require computer security audits, status reports - Computerworld: " WASHINGTON -- New legislation being drafted in the U.S. House of Representatives, which could be introduced as early as next week, would require all publicly traded companies to conduct independent computer security assessments and report the results yearly in their annual reports. "

From ComputerWorld

Son of MSBlast on the way? | CNET

October 24, 2003


Microsoft Security Bulletin MS03-043 hole. I suggest disabling the {useless} Messenging Service on all of your Windows devices to ward off this vuln and any future holes that may be found. The easiest way to do this in an AD environment is to use Group Policy.

Here's the article:

Son of MSBlast on the way? | CNET "Released on a security mailing list earlier this week, the program takes advantage of a flaw in Microsoft's Messenger Service to cause Windows-based computers to crash. The vulnerability affects almost every current Microsoft Windows system, leaving security experts concerned that independent hackers will quickly find a way to take control of a large number of computers by exploiting the flaw. "

"I think we are going to see a repeat of the (MSBlast worm)," said Vincent Weafer, senior director of Symantec's antivirus research center, referring to the program that spread across the Internet in August. The program used a similarly widespread Windows flaw to break through computers' security. "It took three weeks (for hackers) to figure out a working worm in that case."

From CNET -- Technology news and business reports

RSS Feeds

October 22, 2003


I've posted before about the wonders of RSS.. well, here's some great RSS sources out there for you SysAdmins:

Take a look at for a huge collection of RSS feeds. - Help Net Security News - Help Net Security Vulnerabilities - Help Net Security Advisories - Help Net Security Windows Software - Help Net Security Linux Software - SecurityFocus News - SecurityFocus Vulnerabilities - Internet Security Information & Tools - Trend Micro Virus Alert - PacketStorm Security Files,5000,583,00.xml - Computerworld Hacking News,5000,73,00.xml - Computerworld Security News - CERT - TheRegister News - Microsoft Download Center - Ars Technica - Netsys News,cat,1537,sortIdx,1,00.asp - PCWorld Viruses - PCWorld Popular Downloads of the Week - Wired - Techdirt - Slashdot - Lockergnome Tech Specialist

MorphaSys AutoDeFrag

October 21, 2003


For those of you that need to schedule defrag on Windows2000, take a look at MorphaSys AutoDeFrag.

AutoDeFrag is a launcher for the standard defragmenter built into Windows 2000. The standard defragmenter does not support the ability to be scheduled, and therefore must be manually launched when required, once for each fixed disk in your system.

AutoDeFrag works around this limitation and allows the Windows 2000 Task Scheduler to be used to schedule the defragmenter.
AutoDeFrag is a tiny (~50k) Win32 console application that does not require any user input.

Just copy the .exe into a folder (like in \winnt) and schedule, or use the at command via command prompt.

SpamBayes Outlook Addin

October 16, 2003


This is awesome! SpamBayes is a free, open-source spam-killing plugin for Outlook and Outlook Express. Using the superior Bayesian mathematical method and a self-training method, this program can achieve 99% spam blocking functionality within a week of use. This is my spam solution, and it's worth a try.

A TechTV write-up on SpamBayes:
TechTV | SpamBayes: Spam Prevention With Smarts

Download the plugin here:

SpamBayes Outlook Addin

or here:

SpamBayes: Bayesian anti-spam classifier written in Python.

Quote from

SpamBayes will attempt to classify incoming email messages as 'spam', 'ham' (good, non-spam email) or 'unsure'. This means you can have spam or unsure messages automatically filed away in a different mail folder, where it won't interrupt your email reading. First SpamBayes must be trained by each user to identify spam and ham. Essentially, you show SpamBayes a pile of email that you like (ham) and a pile you don't like (spam). SpamBayes will then analyze the piles for clues as to what makes the spam and ham different. For example; different words, differences in the mailer headers and content style. The system then uses these clues to examine new messages.

Two More Bulletins (for Exchange)

October 15, 2003


Microsoft Security Bulletin MS03-046 - Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)

Microsoft Security Bulletin MS03-047 - Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)

- --------------------------------------------------------------------
Title: Microsoft Exchange Server Security Bulletin Summary for
October 2003
Issued: October 15, 2003
Version Number: 1.0
- --------------------------------------------------------------------

Microsoft Releases MS03-041-MS03-045


I've grown to hate Wednesdays:

Microsoft Windows Security Bulletin Summary for October, 2003

Microsoft Security Bulletin MS03-041 - Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)

Microsoft Security Bulletin MS03-042 - Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)

Microsoft Security Bulletin MS03-043 - Buffer Overrun in Messenger Service Could Allow Code Execution (828035)

Microsoft Security Bulletin MS03-044 - Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)

Microsoft Security Bulletin MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

Exploit code targets recent RPC flaws

October 13, 2003


I know I went on and on about this exploit weeks ago, but this time it's a little different. Here's a post from the NTSysAdmin list:

rpc-dcom2 exploitIt doesn't matter if your system is patched. I tried this
against a fully patched win2k and a fully patched XP system. Both systems
crashed or crucial operating system services crashed but explorer remained

Microsoft admits that WinXP SP1, even though patched, got exploited (but says that they haven't tested it on other platforms). This is bad, really bad.

Here's a little help:

Snort signature:
alert TCP any any -> any 135 (msg:"RPC Vulnerability - bind
initiation";sid:1; rev:1; content:"|05 00 0B 03 10 00 00 00 48 00 00 00
7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00
00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11
9F E8 08 00 2B10 48 60 02 00 00 00|";

One suggestion would be to turn off these services and to block ports TCP 135, 139, 445 and 593; and UDP 135, 137, 138 and 445. I urge caution before doing this; there are numerous programs/applications that rely on RPC/DCOM and these ports. (Like a program called ScanRouter - which I had some rpc issues with over the weekend or Veritas Netbackup).

Here's a SearchSecurity article for further information: | Exploit code targets recent RPC flaws

Link to the code: rpcdcom3.c | Flaws found in IE and Adobe browser utility

October 08, 2003


"Late last week, Microsoft released a fix that addressed a way the flaw could be exploited but didn't fix the ADODB.Stream object itself, iDefense said in its advisory. 'I would not be surprised to see another wave of quiet, yet dangerous, Trojan attacks in light of this new exploit code,' Ken Dunham, iDefense's director of malicious code, said in the advisory.
Reston, Va.-based iDefense recommends users set a kill bit in the Windows registry to prevent the attack. Here is the key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{00000566-0000-0010-8000-00AA006D2EA4}
Then users would need to create a dword value called 'Compatibility Flags' with the value '400.' "

Read more about this in this Search Security Article.

SecurityFocus HOME Infocus: Exploiting Cisco Routers (Part One)

October 07, 2003


SecurityFocus HOME Infocus: Exploiting Cisco Routers (Part One)

Another great SecurityFocus article, this time on Exploiting Cisco Routers, part 1. This is the first of a three-part series that will focus on identifying
and then exploiting vulnerabilities and poor configurations in Cisco

Check out this article, which is brought to you by SecurityFocus. While there, subscribe to thier newsletters, mailing lists, and RSS feeds.

Linux vs. Windows Viruses


SecurityFocus NEWSLETTERS Columnists: Linux vs. Windows Viruses

A GREAT article on why Linux is better than Windows when it comes to viruses. Here's a quote:

"There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

Check out this article, which is brought to you by SecurityFocus. While there, subscribe to thier newsletters, mailing lists, and RSS feeds.

U.S. SENATE: Coleman seeks lower file-sharing penalties

October 04, 2003


Pioneer Press | 10/03/2003 |: "Sen. Norm Coleman, two days after holding a high-profile hearing on the recording industry's anti-piracy campaign, said Thursday he will push legislation this year to reduce legal penalties for people who download copyrighted music off the Internet.
Coleman, R-Minn., said current penalties, $750 to $150,000 per song downloaded, are excessive and enough to scare innocent people into settling lawsuits filed by the recording industry."

Coleman said he will also press for changes in federal law to curb the recording industry's subpoena power.

Microsoft Security Bulletin MS03-040


Microsoft Security Bulletin MS03-040

- ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
- ----------------------------------------------------------------------
Recommendation: Customers should apply the patch immediately.

Admin Links

October 03, 2003


Well, I decided to throw together a quick list of links that I find valuable in the world of SysAdminHell. (Note: They are in no particular order, so the links at the bottom of the list are just as important as the ones at the top).

EventID.Net - The resource for Event Log information. Just input the event id and source into the search feature for tons of valuable information.

TechNet Online - Microsoft's resource for all things IT. A very valuable resource.

JSI, INC. - A massive collection of FAQs/Tips/Solutions for almost any topic you may need information on. - Search for drivers for any piece of hardware you may encounter. Membership is required, but it is quick and free (and everyone gets the same login user/pass). A must visit site anytime you are without a driver.

Windows NT/2000 FAQ - A large collection of Windows FAQs, all nice and searchable.

Windows 2000 Resource Center at - A beautiful resource, loads of how-tos, tutorials, articles, downloads - everything you might need to be a good admin.

NETSYS.COM - Find the latest news and articles as well as tons of archived info on the site that claims to be "The Intelligent Hacker's Choice!".

TechTutorials: Free Computer, Programming, Networking and Application Tutorials - A nice (FREE!) collection of IT tutorials ranging from Windows to Unix, Hardware to Programming, even sections on OS2 and DOS!

Ars Technica - Ars Technica is "The PC Enthusiast's Resource" (I visit this site at least 3-4 times a week just to read the news and commentary).

Top 75 Network Security Tools - A list of the best network security tools around - brought to you by the creator of nmap, Fydor.

Help Net Security - A great resource of security news, advisories, downloads, and articles.

.:[packet storm]:. - An extremely large and current security resource.

SecurityFocus - This site is an excellent resource when it comes to vulnerabilty advisories, newsletters, mailing lists, news, tools, etc. Seriously. Excellent.

The UltraTech® Knowledgebase Viewer - A collection of KB's based off the NTSysAdmin Mailing List (the best NTSysAdmin list around) - Tons of information, resources, links, etc (it's hard to not get side-tracked by all of the interesting information on this site).

Pacs-Portal Startups List - Find anything that may be in your computer's startup list (msconfig) here - a great resource if the site is up.

Google - This is a given, the ONLY search engine around in my world.

Symantec - A great virus database, great virus removal tools = a great resource when you have a virus problem.


October 02, 2003


Sometimes you just need a quick break from the day. Here are a few links to help you out:

User Friendly the Comic Strip - The Daily Static - The best IT comic around. - The Official Dilbert Website - A [true] look into the life of the office worker.

The Bastard Operator From Hell Official Archive - The original Bastard.

The Register - Bastard Operator From Hell - A true IT hero.

Web of es.comp.os.linux.*: comic from es.comp.os.linux.* - Translated from Spanish, sometimes hard to follow but still entertaining.



A zero-day exploit targeting an Internet Explorer vulnerability (versions
5 and forward) is being used to install a Trojan. Experts warn that it's
only a prelude to a series of attacks that are likely to wreck havoc given
the number of unprotected systems.

"This zero-day exploit is huge. It will likely be a major, and highly
successful, vector of attack upon thousands of computers for some time,"
says Ken Dunham, malicious code intelligence manager at iDEFENSE. "We have
verified that attackers are installing backdoor Trojans and dialers on
targeted computers at will."

"Multiple examples of the exploit code are available for attackers to
analyze and use in crafting their own attack," adds Dunham. "This type of
code availability and underground activity traditionally foreshadows a
flurry of malicious attacks."

Microsoft first issued a patch for the 'object type' vulnerability on Aug.
20. The flaw allows an attacker to compromise a system by embedding
malicious code in a Web page. If the Web page is viewed with a fully
patched IE browser, the malicious code embedded in the Web page will
execute. The 'object type' vulnerability patch doesn't prevent this
variation of the flaw, but Microsoft plans to issue a fix shortly.

- From Security Wire Digest
to subscribe, go to