ZOMG VIRUS
Sep. 4th, 2006 11:16 am
We've just had an edict that a particular server we've got is generating a lot of network traffic, and therefore it's been firewalled and we've got to scan it for the latest virus that's doing the rounds.
Unfortunately, it's one of our domain controllers. So, really not all that surprising that it got a lot of traffic on 'windows RPC' ports, to lots and lots of hosts.
Sometimes I despair.
And then I remember that I'm just a humble Unix admin, and therefore it's officially NMFP. (*smug mode*)
no subject
Date: 2006-09-04 12:04 pm (UTC)
Most of the ones I bump into don't even seem to know the basics of network stuff.
The only MCSE book I have ever delved into (something about Windows 2000 configuration; got to admit I wasn't really paying that much attention) seemed to be riddled with basic factual errors.
It took me ages to convince one of our lot not to reboot the big Oracle server once a week. Especially as he seemed to think that because he had installed Ubuntu on his PC at home (apparently this noble experiment lasted 48 hours before he decided he couldn't live without Quake III), this gave him intimate knowledge of how to muck around with Solaris on a 48-way Starfire.
no subject
Date: 2006-09-04 12:11 pm (UTC)
I frequently have discussions about how frequently servers need to reboot. I did have to take one of mine down, finally, after around 1200 days of uptime.
no subject
Date: 2006-09-04 02:07 pm (UTC)
/rolleye...
The mere fact that the ports were available is damning enough. I have worked in one place where I would have lost my job for letting that slip by me.
I can just hear the excuses now: "Oh we have to have the RPC ports open, because, um, er...(wait what is RPC for again?...oh, right!) So that SOAP can run, it uses RPC calls! (doesn't it?)"
Yeah... Mr. '44 needs to have a chat with you, sonny. Check into the small brick closet in the basement and he'll be with you shortly.
no subject
Date: 2006-09-04 06:00 pm (UTC)
Of course it can be argued that you can't do much useful with Active Directory anyway, but I'm not really qualified to judge that.
no subject
Date: 2006-09-04 06:10 pm (UTC)
no subject
Date: 2006-09-04 06:13 pm (UTC)
You're right. Can't do jack on the inside without RPC, rendering my original comment null and void. How embarrassing!!
So that changes the complexion of the issue quite a bit and makes me wonder just how the hell a virus makes its way to the domain controller without visiting a desktop (and thereby *multiple* desktops) before getting into the DC.
Good catch. Sorry for the improperly focused smarm.
no subject
Date: 2006-09-04 06:56 pm (UTC)
Most of them don't seem to have a clue about things like selective filtering, differing IP ranges for differing cards, or my personal favourite, redundant network cards.
However, it's fair to say I don't know much about these things under Windows either, other than the fact that I assume they can be done, and it's probably not beyond the wit of a normal person to figure it out with the Internet. (E.g., I was under the impression forward-facing RPC was essential for a DNS controller under AD; however, if you say you can get away without it, I will accept that. I know it's not necessary under a real operating system :P )
no subject
Date: 2006-09-04 07:05 pm (UTC)
IANAMCSE, but the ability to filter thusly has been around for several years in Windows - obviously it is typically a function of network design such that this type of traffic is secured with segmentation, subnet masking, and the other techniques as necessary (and is probably typical on a properly built *NIX network, eh?)