Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: mazkot on May 04, 2009, 10:17:41 AM
-
Hi,
One of our remote sites had 3 PCs affected with Conficker via USB.
It has an SME 7.4 running as
-DHCP Server
-File Server
-Proxy server
Installed
-Dansguardian
Aside from the dansguardian, squid and qpsmtp logs,
what logs should I also check?
We already disabled all USB ports for added security.
thanks
-
Don't know about the logs, but if you download Nmap (http://nmap.org/) you can scan your network for infected PCs (see the Conficker announcement on the frontpage for info).
HTH.
-
Don't know about the logs, but if you download Nmap (http://nmap.org/) you can scan your network for infected PCs (see the Conficker announcement on the frontpage for info).
HTH.
Go to the command line of your SME server and type:
[root@mysmeserver ~]# nmap
It is already installed on SME.
Also check the manpages:
[root@mysmeserver ~]# man nmap
-
Hmmm... I don't think Nmap is installed in SME by default.
-
Hmmm... I don't think Nmap is installed in SME by default.
You are correct, you need to install with yum from the Base repository:
[root@test8 ~]# yum list available | grep nmap
nmap.i386 2:4.11-1.1 base
nmap-frontend.i386 2:4.11-1.1 base
-
You are correct, you need to install with yum from the Base repository:
[root@test8 ~]# yum list available | grep nmap
nmap.i386 2:4.11-1.1 base
nmap-frontend.i386 2:4.11-1.1 base
mmmhhh... Chris.. you are showing the available version for SME8, aren't you?
because on a server of mine (SME 7.4) I see:
[root@e-smith ~]# yum list available | grep nmap
nmap.i386 2:3.70-1 base
nmap-frontend.i386 2:3.70-1 base
Ciao
Stefano
-
Hmmm... I don't think Nmap is installed in SME by default.
True, AFAIK nmap is not part of the base installation. You can however install it like this:
yum install nmap
-
chris burnat & others
What's the point of installing nmap on sme re the conficker virus ?
From what I read conficker is a Windows virus attacking specific vulnerabilities in Windows OS's. Surely it's the Windows PC that needs virus software installed.
See
http://en.wikipedia.org/wiki/Conficker
and many other sites
-
chris burnat & others
What's the point of installing nmap on sme re the conficker virus ?
From what I read conficker is a Windows virus attacking specific vulnerabilities in Windows OS's. Surely it's the Windows PC that needs virus software installed.
See
http://en.wikipedia.org/wiki/Conficker
and many other sites
nmap is not virus software, but I am sure you know this. With nmap, one can scan remote machines and check which ports are open. Checking what is happening with ports on a network is good practice. For example, checking workstations by o/s and keeping records of nmap output can be very useful if and when strange happenings take place. Having nmap on SME is thus a good idea. Mind you, the version shipped from the Base repo is a bit old; it does not appear to support the --script argument, for example. An update would not go astray, I have not looked into this yet.
-
As an illustration, I just installed latest nmap (4.85beta) on sme8:
[root@test8 ~]# rpm -vhU http://nmap.org/dist/nmap-4.85BETA8-1.i386.rpm
Retrieving http://nmap.org/dist/nmap-4.85BETA8-1.i386.rpm
Preparing... ########################################### [100%]
1:nmap ########################################### [100%]
And tested for conficker on a WINXP workstation on the network - not done yet for 7.4:
[root@test8 ~]# nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 192.168.0.6
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-05 12:28 EST
NSE: Loaded 2 scripts for scanning.
Initiating ARP Ping Scan at 12:28
Scanning 192.168.0.6 [1 port]
Completed ARP Ping Scan at 12:28, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:28
Scanning 192.168.0.6 [2 ports]
Discovered open port 445/tcp on 192.168.0.6
Discovered open port 139/tcp on 192.168.0.6
Completed SYN Stealth Scan at 12:28, 0.01s elapsed (2 total ports)
NSE: Script scanning 192.168.0.6.
NSE: Starting runlevel 1 scan
Initiating NSE at 12:28
Completed NSE at 12:28, 0.09s elapsed
NSE: Starting runlevel 2 scan
Initiating NSE at 12:28
Completed NSE at 12:28, 0.17s elapsed
NSE: Script Scanning completed.
Host 192.168.0.6 is up (0.00071s latency).
Interesting ports on 192.168.0.6:
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:11:11:24:F9:5B (Intel)
Host script results:
| smb-os-discovery: Windows XP
| LAN Manager: Windows 2000 LAN Manager
| Name: ROZELLE\DAW
|_ System time: 2009-05-05 12:28:44 UTC+10
| smb-check-vulns:
| MS08-067: Check disabled (remove 'safe=1' argument to run)
| Conficker: Likely CLEAN
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
Raw packets sent: 3 (130B) | Rcvd: 3 (130B)
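To make that kind of scan useful across a whole subnet rather than one host, the smb-check-vulns verdicts can be pulled out of saved nmap normal output (-oN) and summarised per host. The following is an added example, not code from the thread or from the nmap project; it assumes the output format shown above (it also accepts the newer "Nmap scan report for" host line) and works on a constructed sample rather than a real scan.

```shell
#!/bin/sh
# Added example: summarise smb-check-vulns Conficker verdicts per host
# from nmap normal output. In real use, save the scan from the thread with
#   nmap -PN -T4 -p139,445 -n --script smb-check-vulns --script-args safe=1 \
#        -oN scan.txt 192.168.0.0/24
# and run:  conficker_summary < scan.txt

# Constructed sample of nmap -oN output for two hosts (not real scan data).
SAMPLE_NMAP_OUTPUT='Interesting ports on 192.168.0.6:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: Check disabled (remove safe=1 argument to run)
|  Conficker: Likely CLEAN
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)
Interesting ports on 192.168.0.7:
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  Conficker: Likely INFECTED
|_ regsvc DoS: Check disabled (add --script-args=unsafe=1 to run)
'

# Read nmap normal output on stdin; print "ip<TAB>verdict" for every host
# whose script results contain a Conficker line.
conficker_summary() {
    awk '
        # nmap 4.x host header: "Interesting ports on 192.168.0.6:"
        /^Interesting ports on / { ip = $4; sub(/:$/, "", ip) }
        # newer nmap host header: "Nmap scan report for 192.168.0.6"
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
        /Conficker:/ {
            verdict = $0
            sub(/^.*Conficker: */, "", verdict)
            printf "%s\t%s\n", ip, verdict
        }
    '
}

# Print only the hosts whose verdict is not CLEAN, for follow-up.
conficker_suspects() {
    conficker_summary | awk -F'\t' '$2 !~ /CLEAN/ { print $1 }'
}

# Demo on the constructed sample: lists both hosts, then the one suspect.
printf '%s' "$SAMPLE_NMAP_OUTPUT" | conficker_summary
printf '%s' "$SAMPLE_NMAP_OUTPUT" | conficker_suspects
```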
-
chris burnat
OK I see the point now. Thanks for the "pointers".
-
Checking what is happening with ports on a network is good practice.
Perhaps it is, but so is handwashing.
Does nmap detect conficker activity? If so, which version, and how must it be used to do so?
-
Charlie
See
http://insecure.org/#conficker
-
Does nmap detect conficker activity?
And even if it can, are there easier ways for folk to detect and clean infected Windows boxen?
-
Charlie
Here's one proprietary brand, with a link to download a Removal tool
http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20090331164714EN&selected_nav=partner
I'm sure other AVs have their versions of removal tools.
-
Charlie
Here's one proprietary brand, with a link to download a Removal tool
No need to tell me, Mary. I'm uninfested by Windows and its various pathogens. :-)
-
Thanks
Downloaded their Windows-based one for now.
It's very helpful for scanning since we rarely go there.