Re: Sweet mother of Pete........
From: IBC (spamityspam_at_spam.spam)
Date: 03/03/04
- Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Sweet mother of Pete........"
- Previous message: Dave Nickason [SBS MVP]: "Re: Sweet mother of Pete........"
- In reply to: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Sweet mother of Pete........"
- Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Sweet mother of Pete........"
- Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Sweet mother of Pete........"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 3 Mar 2004 14:50:49 -0600
Hi Susan.
You're gonna find this hard to believe, but I'm actually far more paranoid
than you when it comes to security. The difference is YOU know what you're
doing and I'M learning my way. For years now, my users have been locked down
tight. The only thing they have in control panel is Printers, and that's
only because my owner made me put it on late last year. We have several
"Power Users", but NO local admins. Trust me on this one, I take more heat
than you can imagine every day because my users can't install things. This
user isn't allowed to install anything.
Unless my users tell me every place they have a webmail account, it's a bit
hard to block them all. This one in particular was a University account. How
on earth would I have known that? (other than read all 999 different web
connections logged in ISA each day)
I don't know for certain how fast the emails went out, but looking at time
stamps in the ISA log, it looks like an average of 3 domains per second. I
have the log in excel format for anybody interested.
I'm POSITIVE the sigs were up to date. That was the first thing I checked,
and 2 separate log files verify that they were updated. I pull 4 times a
day, but CA only updates their sigs once per day unless there is a crisis
virus sig I believe. DON'T QUOTE ME ON THAT.
As far as I know, nobody in this NG is affected by our server, it seemed to
just pull out of his local address book.
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:una23wVAEHA.2480@TK2MSFTNGP11.phx.gbl...
> And BTW see how fast these suckers are coming out?
>
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
>
> > And that's why the paranoid folk limit web based access to email.....
> > AND run their users in user mode versus local admin. You gave him full
> > rights to install that. See why I say that our vulnerabilities are not
> > our servers... they are our desktops?
> >
> > Ensure that you truly were up to date on your dat file sig... how often
> > do you pull them down?
> >
> >
> >
> > IBC wrote:
> >
> >> .......it's finally happened. Almost 9 years without incident ends
> >> today. Our
> >> network was compromised.....by one of my own users.
> >>
> >> Despite the enormous 2x6 I have swung threateningly, one of my users
> >> opened
> >> a *.PIF file this morning. How you ask? He was off using web-based
> >> email to
> >> check his personal account, got the virus email stating his account was
> >> disabled, please see the attachment. (OK, CLUE IN HERE...if your
> >> account is
> >> disabled, would you have been able to get into the account to read
> >> that it
> >> was disabled?)
> >>
> >> I'm stressed out about several points and I'm welcoming scolding or
> >> feedback, whichever makes you feel better:
> >>
> >> 1. We run CA InnoculateIT with realtime scanning. How on earth did
> >> this get
> >> past? Engine and Definitions are up to date. To make matters more
> >> confusing,
> >> when I ran a manual scan, it found 171 infected files. WTH? They were
> >> all
> >> from the Bagle Variant he had opened, but if the stupid product could
> >> find
> >> them when told to look manually, how come the realtime scanner didn't
> >> get
> >> them? Is this because he ran it over the web connection?
> >>
> >> 2. InoculateIT couldn't remove one of the files. (access denied) I
> >> removed
> >> it manually by stopping the service and then deleting the file.
> >>
> >> 3. When reviewing the logs, it's evident that the virus used my OWA SSL
> >> Rule
> >> for GHBN. What is this and why did it use my SSL rule?
> >>
> >> 4. If this thing uses its own SMTP engine, Exchange logs are useless
> >> except
> >> for incoming emails created by the virus, right? I used the email
> >> header to
> >> determine whodunit. The small consolation is the user readily admitted
> >> to me
> >> what he did and when so I could launch damage control immediately.
> >>
> >> 5. Using my ISA logs, I can see the general domains that were hit.
> >> (hoy, I'm
> >> sorry everybody...) It used port 25 in combination with my OWA SSL
> >> Rule and
> >> the Backoffice Internet Access Protocol rule. Is there a hole I left
> >> open
> >> here? As near as I can tell I need those things open to work.
> >>
> >> 6. I now have serious concerns about the abilities of my AV. It's caught
> >> almost everything in the past, so I'm at a loss as to what happened
> >> here.
> >> What else should I check to make sure this machine is absolutely clean?
> >>
> >> I'm off for my lunch of Tylenol and Tums..........
> >>
> >>
> >
>
> --
> http://www.sbslinks.com/really.htm
>
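The triage described in points 4 and 5 of the original post (the Exchange logs show nothing for the outbound traffic because the worm carries its own SMTP engine, so the ISA log is what records the port-25 connections and the rule each one matched) can be scripted. The block below is an added example, not code from this thread, from CA or from ISA Server. The log lines are constructed and use a simplified space-separated layout rather than ISA's real W3C log format, and the client addresses, destination addresses, rule names and the mail-server address are hypothetical.

```python
"""Mass-mailer triage from outbound firewall/proxy logs.

Added example: a worm with its own SMTP engine never touches Exchange, so
the Exchange logs are blank for the outbound side; only the firewall (ISA
in the thread) records the port-25 connections and the rule that allowed
each one.  Everything below is constructed: the log layout is a simplified
space-separated stand-in for ISA's W3C format, and the addresses, rule
names and mail-server IP are hypothetical.
"""
from collections import defaultdict
from datetime import datetime

SMTP_PORT = 25
# Assumption: the only host that may open port 25 to the internet is the
# Exchange server.  Any other source on port 25 is running a mailer of its own.
MAIL_SERVERS = {"10.0.0.2"}

# Constructed sample.  Fields: date time client_ip dest_ip dest_port proto rule
SAMPLE_LOG = """\
2004-03-03 09:14:01 10.0.0.2 64.12.138.161 25 TCP Outbound-SMTP
2004-03-03 09:14:01 10.0.0.57 64.12.138.161 25 TCP OWA-SSL-Rule
2004-03-03 09:14:01 10.0.0.57 205.188.159.7 25 TCP OWA-SSL-Rule
2004-03-03 09:14:01 10.0.0.57 216.239.57.99 25 TCP OWA-SSL-Rule
2004-03-03 09:14:02 10.0.0.57 66.218.71.198 25 TCP OWA-SSL-Rule
2004-03-03 09:14:02 10.0.0.57 64.4.33.7 25 TCP OWA-SSL-Rule
2004-03-03 09:14:02 10.0.0.57 64.4.33.7 25 TCP OWA-SSL-Rule
2004-03-03 09:14:02 10.0.0.57 65.54.166.230 25 TCP Backoffice-Internet-Access
2004-03-03 09:14:03 10.0.0.57 209.85.127.10 80 TCP Web-Access
2004-03-03 09:14:05 10.0.0.99 209.85.127.10 80 TCP Web-Access
"""


def parse_line(line):
    """Split one constructed log line into a record with a real timestamp."""
    date, time, client, dest, port, proto, rule = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "client": client,
        "dest": dest,
        "port": int(port),
        "proto": proto,
        "rule": rule,
    }


def outbound_smtp(log_text):
    """Return every port-25 record in the log, in file order."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in records if r["port"] == SMTP_PORT]


def triage(log_text, mail_servers=MAIL_SERVERS):
    """Report each non-mail-server client that opened port 25 outbound.

    For each such client: connection count, distinct destinations, the
    inclusive window in seconds from its first to its last SMTP connection,
    the average number of distinct destinations per second (the figure the
    poster estimated by hand from timestamps), and the firewall rules that
    let the traffic through.
    """
    by_client = defaultdict(list)
    for r in outbound_smtp(log_text):
        if r["client"] not in mail_servers:
            by_client[r["client"]].append(r)

    findings = {}
    for client, recs in by_client.items():
        dests = {r["dest"] for r in recs}
        stamps = [r["ts"] for r in recs]
        window = (max(stamps) - min(stamps)).total_seconds() + 1
        findings[client] = {
            "connections": len(recs),
            "distinct_destinations": len(dests),
            "window_seconds": window,
            "avg_distinct_per_second": round(len(dests) / window, 2),
            "rules_used": sorted({r["rule"] for r in recs}),
            "first_seen": min(stamps).strftime("%Y-%m-%d %H:%M:%S"),
        }
    return findings


if __name__ == "__main__":
    for client, f in triage(SAMPLE_LOG).items():
        print(f"{client}: {f['connections']} SMTP connections to "
              f"{f['distinct_destinations']} hosts in {f['window_seconds']:.0f}s "
              f"({f['avg_distinct_per_second']}/s) via {', '.join(f['rules_used'])}, "
              f"first seen {f['first_seen']}")
```

Run as a script it prints one line per offending client. The two signals are the ones the poster found by hand: a workstation rather than the Exchange server opening port 25 outbound at all, and the distinct-destination rate. Listing the rules that passed the traffic is the quickest way to answer point 5: if a rule named for OWA over SSL or for BackOffice internet access matches outbound port 25 from an ordinary client, it is broader than its name suggests, and outbound 25 should be allowed only from the mail server's own address.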