
Domain may have been compromised

Author
6 Jan 2009 11:54 PM
bestbapu
My domain is comprised of:

a. W2K server DC/WINS/DNS - internal/Norton Corporate 7.x
b. W2K server Exchange/DC/Nav for Exchange/ORF SpamBlocker
c. W2k server Apache/DNS - external/Norton Corporate 7.x
d. W2K server IIS - Norton Corporate 7.x

I believe at least d. has been compromised. It has a LAN NIC and a WAN
NIC. The WAN NIC after two days of running has in excess of 100,000,000KB in
and out. I had about 6 services that Spybot Search & Destroy found and
ultimately deleted.
Eventually the machine locks up and I've tested disk drives, replaced the power
supply and video card. I think the basic components are in working order.
The websites on this machine are VERY LOW access (maybe 50 people in the entire
world actually know they exist).

d. is the only server with WAN access. All other access is firewalled, i.e.
port 25 is redirected via the router to an internal LAN address and port 80 for the
Apache server is redirected in the same manner.

Access to the IIS server is handled via WAN addresses in DNS.

Spybot has not found any other problems on other servers.

Last night I was "auto" notified that NAV for Exchange was corrupted on b. I
shut down the service for now. I may reinstall tonight. Also, I happened to
notice (purely by accident) that the recent documents pointed to non-existent
"exchange like" names (edb1 etc). This makes me think that somehow I'm being
used as a relay and something has corrupted my NAV for Exchange. Although,
I'm not noticing any excessive SPAM lately (including today with NAV for
Exchange turned off).

As of last night, with d. disconnected from the LAN and the WAN, the whole
network seems terribly slow. External web pages (i.e. msn.com, my banking
pages etc.) being accessed literally crawl.

I'm tempted to rebuild the entire domain (at least three days of work) but I
thought maybe I should change the Administrator password first (to see if
that halts any undetected activity requiring the Admin password). However, I'm
not sure of the ramifications of that action based upon the domain
configuration of the software being run.

I will say that in the past 3 years I've left my servers logged in as
Administrator 24/7. This will obviously change post haste.

So, any suggestions on:

1. Changing the domain Administrator Password
2. Better security measures for the WAN web server
3. Better detection of what is possibly corrupting my system (assuming
external attack)
4. Any other general security measures I can take for the future

TIA,
Bapu.