RE: 1,800 files missing from system32

From: Joe Blatz (sd_wireless_at_yahoo.com)
Date: 10/15/04

    Date: Fri, 15 Oct 2004 07:08:26 -0700 (PDT)
    To: MMoll <MMoll@finance.nyc.gov>, incidents@securityfocus.com
    
    

    A couple of people have pointed out that this could be
    a malicious insider. Based on the information I
    provided I think that is a highly valid response. What
    I failed to mention is that these sites are very
    isolated from each other and do not share any common
    administrators.

    The security model in place is based mostly on the NSA
    Windows 2000 guides and far exceeds the OOB security
    configuration of W2k.

    AV software is set to quarantine infected software.

    I had one person respond back that he had seen
    similar behavior (with only 35 files deleted) caused
    by Veritas Backup Exec. I'm hoping to get more
    details.

    Thanks to everyone who has replied thus far, and any
    other suggestions on how to track down what is causing
    this would be most welcome.

    --- MMoll <MMoll@finance.nyc.gov> wrote:

    > There are 2 things that come to mind as check point
    > items.....
    >
    > a. Evaluate the distribution of admin IDs in the
    > production environment. Best practice is a separate
    > human ID for everyday use from admin IDs used for
    > admin work. The point of this is that apparently, the
    > benefit of system ACLs is not being realized, and
    > could be a factor in the high amount of infected
    > files. In a secure production environment, it is
    > difficult for a domain controller to have file
    > damage due to intrusionary processes. Evaluate the
    > security model being used, legacy, enterprise, high
    > security, or none.....see Microsoft's site reference
    > to security guides and templates.
    >
    > b. Check the settings on the virus software.
    > Setting the action to deny access and continue
    > scanning is more desirable than to delete files
    > upon detection of intrusionary processes.
    >
    > My belief is that someone using an admin enabled
    > human ID, is the root cause.

                    
    _______________________________
    Do you Yahoo!?
    Declare Yourself - Register online to vote today!
    http://vote.yahoo.com

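One way to pin down exactly which files disappear and when, so the event can be lined up against AV quarantine logs and backup-job schedules like the Veritas Backup Exec one mentioned above: take a hashed baseline of the directory and compare later snapshots against it. The script below is an added example, not code from the original post or from any product named in the thread; the directory to watch and the baseline path are parameters, and the demo at the bottom builds a constructed temporary directory with made-up file names so it runs anywhere.

```python
"""Baseline-and-compare file inventory for a directory such as %SystemRoot%\\system32.

Added example, not from the original mailing-list post. Nothing here depends on
the poster's environment: the watched directory and the baseline file are
parameters, and demo() works on a constructed temporary directory.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Map each regular file (path relative to `directory`) to its size and SHA-256."""
    inventory = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.isfile(full):
                continue  # skip anything that is not a regular file
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            inventory[rel] = {"size": os.path.getsize(full), "sha256": hash_file(full)}
    return inventory


def save_baseline(inventory, baseline_path):
    """Persist the inventory with a UTC timestamp so later diffs carry a time window."""
    with open(baseline_path, "w", encoding="utf-8") as f:
        json.dump({"taken_at": datetime.now(timezone.utc).isoformat(),
                   "files": inventory}, f, indent=1)


def load_baseline(baseline_path):
    with open(baseline_path, encoding="utf-8") as f:
        return json.load(f)["files"]


def compare(baseline, current):
    """Return sorted lists of files missing, newly added, or changed since the baseline."""
    missing = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p]["sha256"] != current[p]["sha256"])
    return {"missing": missing, "added": added, "changed": changed}


def demo():
    """Constructed walk-through: baseline a temp directory, alter it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        watch = os.path.join(tmp, "system32")  # constructed stand-in, not the real folder
        os.makedirs(os.path.join(watch, "drivers"))
        sample_files = {"sample_a.dll": b"A" * 100,   # constructed file names and contents
                        "sample_b.dll": b"B" * 50,
                        "drivers/sample.sys": b"C" * 10}
        for rel, data in sample_files.items():
            with open(os.path.join(watch, rel), "wb") as f:
                f.write(data)
        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(snapshot(watch), baseline_path)

        # Simulate the kind of change the thread describes: one file vanishes,
        # one is altered, one appears.
        os.remove(os.path.join(watch, "sample_b.dll"))
        with open(os.path.join(watch, "sample_a.dll"), "ab") as f:
            f.write(b"X")
        with open(os.path.join(watch, "new.dll"), "wb") as f:
            f.write(b"D")

        report = compare(load_baseline(baseline_path), snapshot(watch))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind.upper():8} {p}")
        return report


if __name__ == "__main__":
    demo()
```

Run `snapshot()` plus `save_baseline()` once on a known-good host, then schedule `compare()` against fresh snapshots; the baseline timestamp and the run that first reports a file as missing bracket the deletion window, which is what you need to correlate with the AV quarantine log and the backup schedule. Note that the `changed` list also catches files replaced in place, which a plain count of files in the directory would miss.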
