Great EULA clause

This has to be one of the best End User License Agreement clauses ever:

4.1 Permission to utilize Your computer. In order to receive the benefits provided by the Skype Software, you hereby grant permission for the Skype Software to utilize the processor and bandwidth of Your computer for the limited purpose of facilitating the communication between You and other Skype Software users.

Lots of searching on the web yields very little about Skype that isn’t “it’s the greatest thing ever”, but there is this blog post where the author talks about the fact that Skype makes open hosts on the Internet into “supernodes” to facilitate conversations between computers behind firewalls and NAT devices. Smells a little fishy to me.

Yet another new virus/worm

Similar to an earlier post, we are seeing another worm. This one uses the process name wmediaplayer.exe and seems to be spreading using weak or nonexistent administrator account passwords. Infected machines also appear to be scanning other hosts on ports 135, 139 and 445. Suspicious keys in HKLM\Software\Microsoft\Windows\CurrentVersion\Run refer to the executable name.

As usual, none of the antivirus vendors have signatures for this yet.

It’s just another day on the Internet. I’m not sure if it was someone on this campus that reported it, but the DDoS mentioned at ISC was also seen here.

MBSA and MS04-025

When MBSA 1.2.1 tells you this about MS04-025, it’s probably safe to ignore.

A required registry key does not exist. It is necessary in order for this patch to be considered installed. [SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3B7C8860-D78F-101B-B9B5-04021C009402}\Compatibility Flags]

Check the file versions listed in the bulletin instead; if they match, MBSA is the one that's wrong.

Oh, and this guy deserves a nice pat on the back for wonderful instructions on how to patch an Office 2003 administrative install share. Amazingly enough, patching the install share and then calling setup.exe REINSTALL=ALL /qb /L*v c:\o2k3re.log actually works as advertised.

(And it looks like my stylesheet still needs some adjustments)

MS04-028 patches

I’m working on the last set of patches from Microsoft for the labs, and they are beginning to annoy me.

The one for IE6 SP1 works just as advertised, with the standard unattended command line: IE6.0sp1-KB833989-x86-ENU.exe /q:a /r:n.

The one for the .NET Framework 1.1 isn't quite so straightforward. The command line options work as advertised (I'm using NDP1.1sp1-KB867460-X86.exe /Q /L:c:\dotnetsp1.txt). But after installing, the version numbers don't match up with the version checking method listed in KB318785: %WINDIR%\System32\URTTemp\mscoree.dll does NOT get updated, while the copy in %WINDIR%\System32 does.
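Both the MBSA verdict on MS04-025 above and the mscoree.dll mismatch come down to the same manual check: compare the file versions on disk against the minimums in the bulletin, path by path, and don't trust the scanner's summary. The following is an added example (my own, not from the original post and not Microsoft's tooling) that does that comparison. The paths are the ones mentioned above; the version numbers are constructed for illustration and are not the real KB867460 values, so take them from the bulletin.

```python
from typing import Dict, Tuple

# Minimum versions a bulletin lists per file. Constructed for illustration;
# these are NOT the real KB867460 numbers, so take them from the bulletin.
EXPECTED: Dict[str, str] = {
    r"C:\WINDOWS\System32\mscoree.dll": "1.1.4322.2000",
    r"C:\WINDOWS\System32\URTTemp\mscoree.dll": "1.1.4322.2000",
}

# What the box reports after the patch, again constructed: the System32 copy
# was updated, the URTTemp copy was not (the symptom described above).
INSTALLED: Dict[str, str] = {
    r"C:\WINDOWS\System32\mscoree.dll": "1.1.4322.2000",
    r"C:\WINDOWS\System32\URTTemp\mscoree.dll": "1.1.4322.573",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.1.4322.2032' -> (1, 1, 4322, 2032), so the fields compare numerically.

    Comparing the raw strings is wrong: '1.1.4322.573' sorts after
    '1.1.4322.2032' as text, but is the older build.
    """
    return tuple(int(part) for part in version.strip().split("."))


def check_files(expected: Dict[str, str], installed: Dict[str, str]) -> Dict[str, str]:
    """Verdict per path: 'ok' at or above the minimum, 'stale' below it, 'missing' if absent."""
    verdicts: Dict[str, str] = {}
    for path, minimum in expected.items():
        actual = installed.get(path)
        if actual is None:
            verdicts[path] = "missing"
        elif parse_version(actual) >= parse_version(minimum):
            verdicts[path] = "ok"
        else:
            verdicts[path] = "stale"
    return verdicts


def patch_applied(expected: Dict[str, str], installed: Dict[str, str]) -> bool:
    """True only when every file the bulletin lists is at or above its minimum."""
    return all(v == "ok" for v in check_files(expected, installed).values())


if __name__ == "__main__":
    for path, verdict in check_files(EXPECTED, INSTALLED).items():
        print(f"{verdict:8s} {path}")
    print("patch applied:", patch_applied(EXPECTED, INSTALLED))
```

On a Windows box you would fill `INSTALLED` from the files themselves, for instance with pywin32's `win32api.GetFileVersionInfo(path, "\\")` or from `(Get-Item $path).VersionInfo.FileVersion` in PowerShell; the point of the block is the per-path numeric comparison, which is exactly what the MBSA registry-key heuristic and a naive string compare both get wrong.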

Arrgh. Now on to the Office 2003 patching, from an admin install share. This should be fun. At least there are recommended practices from Microsoft on this stuff.

ntfsresize

I wanted to keep the Windows 2000 install that came on my new laptop and install Windows XP, but Dell only created one large NTFS partition. After doing a little searching around, I found ntfsresize, part of the Linux NTFS Project.
After downloading and burning the SystemRescueCD, I popped it in the drive, booted off it, typed run_qtparted, hit enter, and happily pointed and clicked my way through resizing the existing NTFS partition to free up some space for XP. And maybe even Gentoo.

New Laptop

My aging and well traveled Dell Latitude C800 is up for replacement, so we ordered 3 identical Dell Latitude D800s. Fully decked out, with the kickass video card and the giant monitor (1920×1200 baby), dual batteries, DVD+R burner, etc.

They were ordered with Windows 2000 preinstalled (for the tech support) and a Windows XP license, but I'm considering wiping mine and installing Windows XP and Gentoo. I've only got a few things installed so far, so not a big deal either way.

Port 445 worm details revealed

After spending the last few days watching portsentry logs for repeat offenders and moving them off to the quarantine VLAN, I finally got the chance to analyze an infected machine when one of Housing’s seldom used (and even less frequently updated) laptops was connected and got infected.

While installing Windows updates (MS04-011, MS04-012, MS04-014, MS04-016, etc.), the user saw an LSASS.EXE error and a shutdown counter started. The updates finished installing before the restart, but the machine was still infected. After rebooting and updating the McAfee virus scanner from the 4387 to the 4388 DATs, it detected c:\winnt\system32\bling.exe as W32/Sdbot.worm, which is what we had assumed it to be all along.

The exe name seems to be pretty random, though one of the more common ones we’ve seen is winsmc.exe. Another recent virus that exhibits similar behavior is W32/Sasser.worm.g, so we are probably seeing some of that as well.

I can pretty much narrow the exploit down to something that is patched in MS04-011, 012 or 014, as I have another laptop that has those patches but nothing later, and it has not been infected. Most likely MS04-011, with the LSASS fixes. Since all these patches are from April of this year, the moral of the story is to visit Windows Update on a regular basis, or turn on Automatic Updates if you are on a high speed connection.
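Picking repeat offenders out of the portsentry logs, as this post and the earlier wmediaplayer.exe post describe, is a small amount of parsing and counting. The block below is an added example (mine, not the original post's tooling) that reads portsentry-style attackalert lines, counts hits on TCP 135, 139 and 445 per source address, and returns the sources that cross a threshold as quarantine candidates. The log lines are constructed to look like portsentry syslog output; the hostnames, addresses and the threshold of three hits are assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Iterable, Iterator, List, Tuple

# Ports the sdbot/Sasser-style worms in these posts probe: RPC, NetBIOS session, SMB.
WORM_PORTS = {135, 139, 445}

# Constructed sample lines in the shape of portsentry syslog output; not real logs.
SAMPLE_LOG = """\
Sep 20 09:12:01 dorm-gw portsentry[812]: attackalert: Connect from host: 10.20.1.15/10.20.1.15 to TCP port: 445
Sep 20 09:12:01 dorm-gw portsentry[812]: attackalert: Connect from host: 10.20.1.15/10.20.1.15 to TCP port: 139
Sep 20 09:12:02 dorm-gw portsentry[812]: attackalert: Connect from host: 10.20.1.15/10.20.1.15 to TCP port: 135
Sep 20 09:12:05 dorm-gw portsentry[812]: attackalert: Connect from host: 10.20.3.77/10.20.3.77 to TCP port: 22
Sep 20 09:13:10 dorm-gw portsentry[812]: attackalert: Connect from host: 10.20.1.15/10.20.1.15 to TCP port: 445
Sep 20 09:14:00 dorm-gw portsentry[812]: attackalert: Connect from host: 10.20.7.9/10.20.7.9 to TCP port: 445
Sep 20 09:15:33 dorm-gw portsentry[812]: attackalert: Connect from host: 10.20.1.15/10.20.1.15 to TCP port: 445
"""

# "from host: <name>/<ip> to TCP port: <n>" is the only part of the line we need.
ALERT_RE = re.compile(
    r"from host: (?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)


def parse_alerts(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield (source_ip, proto, port) for each line that looks like an alert; skip the rest."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("proto"), int(m.group("port"))


def repeat_offenders(lines: Iterable[str], threshold: int = 3) -> List[Tuple[str, int, List[int]]]:
    """Sources with at least `threshold` hits on the worm ports, busiest first.

    A single SMB probe is noise; a host that keeps coming back to 135/139/445
    is the one to move to the quarantine VLAN. Returns
    (ip, hit_count, sorted distinct worm ports touched).
    """
    hits: Counter = Counter()
    ports: defaultdict = defaultdict(set)
    for ip, proto, port in parse_alerts(lines):
        if proto == "TCP" and port in WORM_PORTS:
            hits[ip] += 1
            ports[ip].add(port)
    return [(ip, n, sorted(ports[ip])) for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n, touched in repeat_offenders(SAMPLE_LOG.splitlines()):
        print(f"quarantine candidate {ip}: {n} hits on {touched}")
```

In the sample, 10.20.1.15 hammers all three ports and is the only candidate; 10.20.7.9 touched 445 once and stays below the threshold, and the port 22 hit from 10.20.3.77 is ignored because it isn't a worm port. Feed the real file with `repeat_offenders(open("/var/log/messages"))` and the returned list is what the NetTechs would move off the production VLAN.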

Network bad, quarantine good

Well, as previously mentioned, I've been disabling URHnet connections like a fiend and yesterday was no exception: about 60 between 9 am and 4 pm and another 40 or so last night. All of this is due to some piece of malware that none of the anti-virus vendors seem to be catching yet. With the rate of change in the sdbot family, I'm not all that surprised.

One thing that’s different this year is that we’re not really disabling the connections, they are being moved to a network that has no connection to the outside world, called the “quarantine vlan”. There is just one DHCP server/DNS server/web server/ftp server machine, with a few instructions for the residents and some tools for our NetTechs to use. Thanks to some hard work by the fine people at CITES backbone and LAN maintenance groups, NetTechs have the ability to change which network a room is on from a webpage. So, really, no more disabled rooms, unless they are doing something Really Bad.