#51908 - 2000-10-23 07:46 PM
It hit the fan.... The fan was oscillating....
|
Bryce
KiX Supporter
Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
|
***totally un-kix related rant, sorry about the off topic post***By "it", I mean the type of "it" with a "sh" in fount of it. Why yes, we were hit by the veryfunny.vbs thing this morning. A set of circumstances, that only the great administrator in the sky could bring about, was the cause of my new ulcer. 1. Some how an attachment got past our exchange server at 12:03am (central time), I am still looking into that. 2. We have virus scan on all the computer (500+) to handle this very thing. 3. On 6 of those computers (all win9x) they were in the middle of upgrading. Mcafee was not running when they ran the virus... 2000+, and climbing, virus/email latter, the email server is still paying catchup and i won't hook it back up for at least another 3 hours. On the 6 users... I never installed WSH/VBS, they did it on their own. I want their heads on a pike! As a side note we normally get about 5-10 incoming virus hits a week. Email server is set to scan all attachments. I am suspecting a Yahoo type mail account was the security hole. Bryce
|
Top
|
|
|
|
#51910 - 2000-10-23 11:27 PM
Re: It hit the fan.... The fan was oscillating....
|
Bryce
KiX Supporter
Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
|
Erik:Yes I am implementing the kix removal of wsh/vbs by using the logon script (I should have done this long ago!!) We were hit by veryfunny.vbs it is just a loveletter variant. I am also going to be reevaluating the latest security update for outlook. And will try to implement it before the end of the week.... I still haven't been able to find out how the attachment got through, but it look's like my virus scanner failed (Mcafee GroupShield). The initial user received the attachment at 6:45am. Several other people also received the same email, but the server caught and cleaned those, but not her's. At 9:11am she ran the attachment, her local virusscan was disabled waiting on a reboot to bring it up the latest version. At 9:12 the second user ran the attachment, and then the next user..... until a total of 7 people had ran the virus, resulting in a complete and total overload for the server based virusscan to catch them all. I was out of the building and I wasn't informed until almost an hour after the initial infection. That is when one of my help desk tech's shutdown both mail servers, while scrambling to get in touch with me (At this time I was on my back upstairs to my office). It took me another 20 min to get up to speed and get the servers running on a separate network, also hooked my self up to this separate network. Started a Scan On demand at 10:02am and at 4:12pm it just finished For those who are interested... Total number of infected email's was..... 4095!! Total downtime 6.5 hours, ...... yea. Bryce
|
Top
|
|
|
|
#51911 - 2000-10-24 08:27 AM
Re: It hit the fan.... The fan was oscillating....
|
Anonymous
Anonymous
Unregistered
|
Hya Bryce..,Hope you did get some sleep yesterday. All the 600+ users in our domains are code-developers and they need VBS-**IT..!! During the 'LoveLetter'-rage I had a script which (with 1 click) would remote (forcefully) shutdown a system, deletes it's network configuration from it's registry and removed it from the domain.. Fortunatly I had to use this only twice..!! We used McAfee VScan 4.0.3a with custommized dat-files and a central VirusAlert recipient system. I wish you luck and good speed with recovering from this **IT ------------------ Hope to be of service.., Fabian. -----------------Paranoia is reality on a finer scale-----------------
|
Top
|
|
|
|
#51913 - 2000-10-25 01:44 AM
Re: It hit the fan.... The fan was oscillating....
|
kholm
Korg Regular
Registered: 2000-06-19
Posts: 714
Loc: Randers, Denmark
|
Preventing virus-attacks via Outlook-mailSecurity patch for Outlook 2000/98 _________________________________________________________________________________________________ Bryce I had just initiated the rollout of the patch last friday (10/20/2000), that was why i was curious if you had installed it. (Now installed on 505 of 540 workstations on the LAN, the rest hasn't been logged onto yet, i am stil working on the WAN/RAS-script) ____________________________________________________________________________________________________ I haven't had any bad experiences after installing it, quite the opposite, users are now prevented from sending non-valid shortcuts and most trafic of transfering files are moved from the mail-servers to the file-servers. Security patch for Outlook 2000/98 When installed it is easy to change settings, works via the Outlook form: Outlook security setting. So once installed you don't have to change the clients each time you make a change in your security policy, takes affect next time the users open Outlook. It is now possible to remove filetypes from Level 1: Files not possible to send and receive, this wasn't the case in the previous security-patch. So I chose not to install the first patch because i have several users that gets program updates via mail (selfextracting zip-files), also we have some workstations that is stil not on the WAN, so we have to mail .mdb files to them. By default the "Unsafe" (Level1) files are: .ade Microsoft Access project extension .adp Microsoft Access project .bas Microsoft Visual Basic class module .bat Batch file .chm Compiled HTML Help file .cmd Microsoft Windows NT Command script .com Microsoft MS-DOS program .cpl Control Panel extension .crt Security certificate .exe Program .hlp Help file .hta HTML program .inf Setup Information .ins Internet Naming Service .isp Internet Communication settings .js JScript file .jse Jscript Encoded Script file .lnk Shortcut .mdb Microsoft Access program .mde Microsoft Access MDE database .msc Microsoft Common Console document .msi Microsoft Windows Installer package .msp Microsoft Windows Installer patch .mst Microsoft Visual Test source files .pcd Photo CD image, Microsoft Visual compiled script .pif Shortcut to MS-DOS program .reg Registration entries .scr Screen saver .sct Windows Script Component .shb Shell Scrap object .shs Shell Scrap object .url Internet shortcut .vb VBScript file .vbe VBScript Encoded script file .vbs VBScript file .wsc Windows Script Component .wsf Windows Script file .wsh Windows Script Host Settings file Look in Information About the Outlook E-mail Security Update Erik [This message has been edited by kholm (edited 25 October 2000).]
|
Top
|
|
|
|
#51914 - 2000-10-25 02:18 AM
Re: It hit the fan.... The fan was oscillating....
|
BoxKite
Da Box
Registered: 2000-05-17
Posts: 282
Loc: Vacaville,CA,USA
|
BRYCE, Dude, I feel your pain.Hope this makes you feel better. code:
$a = 6 while $a > 0 $x = 2500 $y = 0 while $x >= 0 $y = $y + 1 select case $y = 1 color r+/n case $y = 2 color y+/n case $y = 3 color g+/n case $y = 4 color b+/n case 1 $y = 0 endselect $r = rnd(23) $c = rnd(75) at($r,$c) "*" $x = $x -1 loop big select case $a = 6 color b+/n $w = chr(89) + chr(79) + chr(85) at(10,15) " $w " case $a = 5 color G+/n $w = chr(65) + chr(82) + chr(69) at(10,15) " $w " case $a = 4 color y+/n $w = chr(78) + chr(79) + chr(84) at(10,15) " $w " case $a = 3 color b+/n $w = chr(76) + chr(79) + chr(83) + chr(73) + chr(78) + chr(71) at(10,15) "$w" case $a = 2 color y+/n $w = chr(89) + chr(79) + chr(85) + chr(82) at(10,15) " $w " case $a = 1 color r+/n $w = chr(77) + chr(73) + chr(78) + chr(68) at(10,15) " $w " case 1 endselect small sleep(2) $a = $a - 1 if $a > 1 cls endif loop play "0g6d1000f1200f1300f1400f1500f1600f1700f1800f70d1900f" exit
------------------ BoxKite FACTA NON VERBA [This message has been edited by BoxKite (edited 25 October 2000).]
_________________________
Box FACTA NON VERBA
|
Top
|
|
|
|
Moderator: Glenn Barnas, NTDOC, Arend_, Jochen, Radimus, Allen, ShaneEP, Ruud van Velsen, Mart
|
1 registered
(Allen)
and 382 anonymous users online.
|
|
|