At 12:49 AM 8/22/2005, Colbeck, Andrew wrote:
What I'm guessing is happening is that you've got some bit of malware still that drops and runs a program that is listening on the DNS port(s), and that's what interfering with your DNS queries, even if they're remote.

Just when I thought I had it all settled down, that "malware" dropped in a copy of W32.Spybot.NLX worm on us just to add a little more excitement.  This starts a service called MSDN UPDATE 32 that tossed out a file called rdriv.exe.  The AntiVirus software caught it but the service keeps restoring it.  I disabled the service, but even after a reboot I can't delete the stuff in the Registry.  I think you may be right about the DNS port issue.  I need to find out what is listening on that port and kill it.  I will spend some more time in the morning looking at that.

Thanks for all the help.


 
If my previous advice about fport and pskill doesn't help you identify and get rid of the pests (oh, and you might want to run Task Manager, and then kill explorer.exe in case it's attached there.  After you've used Microsoft Antispyware or RegEdit to stop it from restarting, then use File, Run from Task Manager to start a new copy of explorer.exe) you might want to install DNS on the mail server.  Once it's listening on 53/udp and 53/tcp the malware won't be able to.  You won't even have to use this instance of the server, just make sure it's listening.
 
You can definitely edit your boot.ini so that you have a "Safe Boot" option, and then make it the default entry before you reboot:
 
http://support.microsoft.com/?kbid=239780
 
The catch is, I can't think how you would maintain remote connectivity.  I don't think Safe Mode with Networking would start the terminal services, and nothing you put in the Run key is going to get started.  That might be the point where you need to have someone at the remote end be your hands and eyes.
 
Andrew 8)
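The advice in this thread is to find out which executable owns 53/udp and 53/tcp before killing it. The following is an added example (my own code, not anything posted by the list members): it parses `netstat -ano`-style output plus a PID-to-image map (as `tasklist` or fport would give you) and flags any DNS-port listener whose image is not on an allowlist. The sample netstat text, the PIDs and the `dns.exe` allowlist are constructed assumptions, not data from the thread.

```python
"""Flag processes bound to the DNS ports in `netstat -ano`-style output.
Added example for this thread, not the list's code; all samples are constructed."""

DNS_PORTS = {53}
# Assumed allowlist: the only image expected to own port 53 on this host.
EXPECTED_DNS_OWNERS = {"dns.exe"}

# Constructed sample in the shape of `netstat -ano` output (PIDs are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       3388
  TCP    192.0.2.10:1045        198.51.100.7:53        ESTABLISHED     1204
  UDP    0.0.0.0:53             *:*                                    3388
"""

# Constructed PID -> image map, as tasklist or fport would report it.
SAMPLE_PIDS = {1204: "imail.exe", 3388: "rdriv.exe"}


def parse_netstat(text):
    """Yield (proto, local_port, state, pid) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])  # also handles [::]:53
        # TCP lines carry a State column; UDP lines do not.
        state = fields[3] if proto == "TCP" else "BOUND"
        yield proto, port, state, int(fields[-1])


def dns_listeners(text, pid_to_image):
    """Sockets serving on a DNS port: listening TCP and any bound UDP socket."""
    found = []
    for proto, port, state, pid in parse_netstat(text):
        if port not in DNS_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound query to a resolver, not a local server
        found.append({"proto": proto, "port": port, "pid": pid,
                      "image": pid_to_image.get(pid, "<unknown>")})
    return found


def unexpected_dns_listeners(text, pid_to_image, expected=EXPECTED_DNS_OWNERS):
    """Listeners whose owning image is not on the allowlist; these need a look."""
    return [r for r in dns_listeners(text, pid_to_image)
            if r["image"].lower() not in expected]
```

The outbound ESTABLISHED connection to a resolver on port 53 is deliberately not flagged; only sockets that would compete with a real DNS service for the port are.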


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Orin Wells
Sent: Sunday, August 21, 2005 11:48 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] OT - Losing DNS connectivity

At 10:34 PM 8/21/2005, Colbeck, Andrew wrote:
Set up DNS elsewhere, given how light it is and relatively easy to set up.  Then shut down DNS on your mailserver; it may be that the malware is trying to communicate on port 53, as this is so often an easy way to get through firewalls that are only doing port filtering.

The three DNS servers available are external to our box.  When we are not able to access one we can't access the others either.  Also, the FTP management goes south when this happens.  By the way, my guarded optimism failed me.  They dropped out again after a couple of hours.


Use "netstat -b" from the command line if you have Windows Server 2003 (or Windows XP for that matter) and that will show you any executables that are listening and on which ports.  On Windows 2000 use fport.exe from http://www.foundstone.com to do the same.

We have 2000.


Use pskill.exe from http://www.sysinternals.com (part of the pstools collection) to kill processes by name or pid (including children) that Task Manager won't kill.

I have seen this, but never used it.


If that's not working for you, start in Safe Mode, check for and try to kill any processes that look out of place, and delete the registry entries.

Not possible.  The server is on the other side of the state.  I don't know of any way to restart a server in safe mode remotely.


It certainly sounds like you have more than one infection.  I'd advise you to use the Advanced tools in Microsoft AntiSpyware beta to examine all the startup locations and look for extras that you can't verify.

I didn't read all the documentation so I didn't realize they had this.  I actually removed the MS AntiSpyware beta to exclude it as being the cause (saw a reference where someone ran into that).  If it was, I don't know if something was left behind that could cause the disconnects.


Aside from setting up temporary DNS, you just might need a backup plan.  Figure out how much more time you want to devote to cleanup before you will rebuild.  Make sure that time is before you *need* to rebuild so that you allow yourself enough downtime for the rebuild!

We have some servers we have been planning to move in to replace this one.  I think I will need to get that project moving at a higher rate.



Andrew 8)
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Orin Wells
Sent: Sunday, August 21, 2005 9:45 PM
To: [email protected]; [email protected]
Subject: RE: [Declude.JunkMail] OT - Losing DNS connectivity

At 07:50 PM 8/21/2005, Colbeck, Andrew wrote:
Orin, you've probably already licked the problem by now,

Not certain.  For all of Saturday and most of today we couldn't keep the DNS link for more than an hour.  I am crossing my fingers right now as we are into the second hour here.  I am not ready to celebrate.  We did throw about every tool we could find at the problem.  It is amazing how many one will see that the other skip right over.  What I don't know is how some of them seem to continue to infect after they are cleared.  But the logs are starting to look "normal" again.

but I'll point out that since you posted this, there have been other reports of this infection,

I tried to find any and was not successful.  The only one I found didn't seem relevant.  As with all searches you have to know the right question to ask to get the good hits.  Maybe I didn't.

and just as all roads lead to Rome, all Google searches lead to:
 
http://www.sophos.com/virusinfo/analyses/w32tilebotj.html

Yes, that sounds like one of the buggers.  Found Aug 18th would explain how none of the tools I have used saw it other than NetShield, but it never got rid of it entirely.  In fact, it is still there.

The upshot being that you either got the infection before you patched against the P2P vulnerability,

I think this is it.

or someone else on your network has been trojaned and the bot was instructed to infect your computer(s) via NT shares with a weak password.
 
The Advanced page on that Sophos link will be handy, as it shows what registry settings the bot has likely mucked with on your server.

When it is "running" (orans) you can't get rid of these things.

Luckily for you, it seems that orans.sys never got a foothold, as that is the module that would act as the backdoor for the "new 0wner".

No foothold, but I can't seem to eradicate it yet.  I will keep at it until I find something that does it.


 
Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Orin Wells
Sent: Saturday, August 20, 2005 8:12 PM
To: [email protected]
Subject: [Declude.JunkMail] OT - Losing DNS connectivity

I am hoping one of you wise folks can give me a clue what to do about a problem we are experiencing.  A couple of days ago I discovered that our server with iMail and Declude was not delivering email outside the server.  This was revealed by the typical "unable to deliver after 20 tries".  When I looked into it I discovered that it was unable to resolve domain names within Internet Explorer if I tried to check that, and when I went to nslookup it would not display the DNS entries for any of our domains although it "thought" it was connecting to the DNS servers.  In addition I would receive a "connection failed" when I tried to use an FTP connection.

Reboot resolved this for a bit.  Then it came back - always the same.

A bit of sequential (more or less) history.

I had not defragged our server for a bit and this led to the first system reboot for several months.  I defragged but the system was still a bit unstable and acting funny.  This was the point last week when everyone was panicking about the new worms, so we updated with the latest Microsoft updates (Windows 2000; we are running Service Pack 4).

In looking at the system I recognized some spyware.  I installed the Microsoft anti-spyware Beta.  Sure enough it found several buggers that had somehow gotten into the system.  Apparently they didn't activate until we rebooted the first time.  I have no idea how they got on the server because it is not "generally" used for browsing and only three of us have access to do it in the first place.

In looking at the system logs I see where there is a file orans.sys that keeps getting nailed by McAfee's NetShield.  I noticed in the last reboot today the following "The orans service failed to start due to the following error: Access is denied." coming from the Service Control Manager.  I haven't yet found this in the Registry so I don't know how it is being kicked.  Even though NetShield is "deleting it" it seems to keep coming back and I have yet to figure out how.  It is in winnt/system32 with a size of 0 and I am unable to really delete it.

Also in the log is an entry from time to time "The server was unable to find a free connection 1 times in the last 60 seconds" - sometimes it is more than 1 time.  This seems to be intermittent.  I suppose it is possible this could lead to a DNS loss, but if I try to use ipconfig/registerdns it accomplishes nothing.  The server farm seems uninterested in the possibility we may have a flaky network card, cable or switch.  They looked at the computer and saw some extra exe files and since "every one" of their email servers had experienced attacks of various nature and they said iMail was especially hammered, they wanted to blame intrusions.  I have deleted everything I could find that didn't belong on the server and will probably run a couple of scan packages (suggestions welcome).  But at this point I am bewildered.

I have been unable to find anyone else in any of the forums (imail and declude) or through Google who appears to have encountered this - especially recently.

Any suggestions on what to do would be most welcome.

I will have to reboot the server in order to get the DNS connected long enough to get outgoing email kicked out and this delivered.  I know of no other way to re-attach the DNS servers.  Any thoughts on that?
There are times I really hate fooling with servers.
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.