Hi Matti,
> he is using windows 2000 Server without a firewall

Interesting concept ;-)

============================================

On Wednesday, 17 August 2005 at 10:43 you wrote:

> I assume he is using windows 2000 Server without a firewall and did
> not follow the advisories in MS05-039
> http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
>
> "Firewall best practices and standard default firewall configurations
> can help protect networks from attacks that originate outside the
> enterprise perimeter. Best practices recommend that systems that are
> connected to the Internet have a minimal number of ports exposed."
>
> Microsoft has tested the following workarounds. While these workarounds
> will not correct the underlying vulnerability, they help block known
> attack vectors. When a workaround reduces functionality, it is
> identified in the following section.
>
> Note Other protocols, such as Internetwork Packet Exchange (IPX) and
> Sequenced Packet Exchange (SPX), could be vulnerable to this issue. If
> you are using vulnerable protocols such as IPX and SPX, you should block
> the appropriate ports for those protocols. For more information about
> IPX and SPX, visit the following Microsoft Web site.
>
> Note As mentioned in the "Mitigating Factors" section, Windows XP
> Service Pack 2 and Windows Server 2003 are vulnerable to this issue
> primarily from locally logged on users. The following workarounds are
> designed primarily for earlier operating system versions that are
> vulnerable to anonymous network-based attacks.
>
> * Block TCP ports 139 and 445 at the firewall:
>
> These ports are used to initiate a connection with the affected
> protocol. Blocking them at the firewall, both inbound and outbound, will
> help prevent systems that are behind that firewall from attempts to
> exploit this vulnerability. We recommend that you block all unsolicited
> inbound communication from the Internet to help prevent attacks that may
> use other ports.
> For more information about ports, visit the following Web site.
>
> * To help protect from network-based attempts to exploit this
> vulnerability, use a personal firewall, such as the Internet Connection
> Firewall, which is included with Windows XP Service Pack 1.
>
> By default, the Internet Connection Firewall feature in Windows XP
> Service Pack 1 helps protect your Internet connection by blocking
> unsolicited incoming traffic. We recommend that you block all
> unsolicited incoming communication from the Internet.
>
> To enable the Internet Connection Firewall feature by using the Network
> Setup Wizard, follow these steps:
>
> 1. Click Start, and then click Control Panel.
> 2. In the default Category View, click Network and Internet Connections,
>    and then click Setup or change your home or small office network. The
>    Internet Connection Firewall feature is enabled when you select a
>    configuration in the Network Setup Wizard that indicates that your
>    system is connected directly to the Internet.
>
> To configure Internet Connection Firewall manually for a connection,
> follow these steps:
>
> 1. Click Start, and then click Control Panel.
> 2. In the default Category View, click Networking and Internet
>    Connections, and then click Network Connections.
> 3. Right-click the connection on which you want to enable Internet
>    Connection Firewall, and then click Properties.
> 4. Click the Advanced tab.
> 5. Click to select the Protect my computer or network by limiting or
>    preventing access to this computer from the Internet check box, and
>    then click OK.
>
> Note If you want to enable certain programs and services to communicate
> through the firewall, click Settings on the Advanced tab, and then
> select the programs, the protocols, and the services that are required.
>
> Or apply the patches.
>
> Matti

>> Hi,
>> did you investigate, how this virus came into your mail server?
>> ============================================
>> On Wednesday, 17 August 2005 at 00:14 you wrote:

>>> VIRUS WARNING
>>> -------------
>>> For the past 2 days, our server that runs IMail was bringing the rest
>>> of our network to a crawl. If we disconnected this server from the
>>> network, then the network would restore to normal. Just in case anyone
>>> else is having network problems, this may be the cause. Here's what we
>>> did to fix it.
>>>
>>> In the Windows Task Manager, look for either of two programs/processes:
>>>
>>> mousebm.exe
>>> mousesync.exe
>>>
>>> You will not be able to end these processes from Task Manager. You must
>>> first open the Registry Editor and search for the following folders and
>>> delete them:
>>>
>>> HKLM/System/ControlSet001/Services/Mousebm
>>> HKLM/System/ControlSet001/Services/Mousesync
>>> HKLM/System/ControlSet002/Services/Mousebm
>>> HKLM/System/ControlSet002/Services/Mousesync
>>>
>>> Then reboot the server. After rebooting, you will now be able
>>> to delete the two offending files. They are located in:
>>>
>>> c:\winnt\system32\mousebm.exe
>>> c:\winnt\system32\mousesync.exe
>>>
>>> If you find that the offending files re-appear in the Task
>>> Manager, look for the following file and delete it:
>>>
>>> c:\winnt\system32\i
>>>
>>> You will have to repeat the above steps again.
>>>
>>> We searched Trend Micro, Symantec, McAfee, and Google for these files,
>>> but none of these web sites had any information on them. Perhaps, this
>>> virus has not yet been identified by them.
>>>
>>> Good luck!
>>> ---
>>> [This E-mail scanned for viruses by Declude Virus]
>>> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
>>> List Archive:
>>> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>>> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

>> ============================================
>> --
>> Kind regards
>> --------------------------------------------
>> Merlin Consulting
>> Martin Schaible
>> Bahnhofstrasse 27
>> CH-8702 Zollikon
>> Phone: +41 44 391 30 00
>> Fax: +41 44 391 32 49
>> Mail: mailto:[EMAIL PROTECTED]
>> URL: http://www.merlinconsulting.ch
>> Support: http://support.merlinconsulting.ch
>> GPS: N47 20.235 E8 34.226
>> --------------------------------------------
>> News - New products:
>> .:. NOD32 Antivirus System
>> .:. BlueDragon
>> .:. Kiwi Syslog Monitor
>> .:. Paessler GmbH
>> .:. Sawmill Loganalyzer
>> .:. SmarterTools
>> --------------------------------------------

> -
> Matti Haack - Hit Haack IT Service Gmbh
> Poltlbauer Weg 4, D-94036 Passau
> +49 851 50477-22 Fax: +49 851 50477-29
> http://www.haack-it.de
> This document is intended exclusively for the addressee.
> Any kind of reproduction, dissemination, duplication, modification,
> distribution and/or publication of this e-mail message is prohibited
> unless expressly authorized. Any liability for claims that could arise
> from communication by e-mail is excluded, to the extent that the
> exclusion of liability is legally permissible.
> -- Outgoing e-mail was scanned for viruses --

============================================

--
Kind regards
--------------------------------------------
Merlin Consulting
Martin Schaible
Bahnhofstrasse 27
CH-8702 Zollikon
Phone: +41 44 391 30 00
Fax: +41 44 391 32 49
Mail: mailto:[EMAIL PROTECTED]
URL: http://www.merlinconsulting.ch
Support: http://support.merlinconsulting.ch
GPS: N47 20.235 E8 34.226
--------------------------------------------
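
Added example, not part of the original messages or of any vendor tooling: a read-only PowerShell check for the service keys and files named in the first post of the thread. It assumes PowerShell 3.0 or later and generalizes the post's ControlSet001/ControlSet002 list to every ControlSetNNN key; variable names and the output layout are illustrative.

```powershell
# Added example: read-only check for the indicators named in the thread.
# Service names and file names come from the post; all other names here
# are illustrative. Nothing is deleted or modified.
$serviceNames = 'Mousebm', 'Mousesync'
$fileNames    = 'mousebm.exe', 'mousesync.exe', 'i'
$sysDir       = Join-Path $env:SystemRoot 'System32'   # c:\winnt\system32 in the post

$findings = @()

# The post lists ControlSet001 and ControlSet002. Enumerate every
# ControlSetNNN key so differently numbered sets are covered as well.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

foreach ($set in $controlSets) {
    foreach ($name in $serviceNames) {
        $key = "HKLM:\SYSTEM\$($set.PSChildName)\Services\$name"
        if (Test-Path -Path $key) {
            # ImagePath records which binary the service entry starts.
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Type     = 'ServiceKey'
                Location = $key
                Detail   = $props.ImagePath
            }
        }
    }
}

foreach ($file in $fileNames) {
    $path = Join-Path $sysDir $file
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # -Force so hidden or system-flagged files are still returned.
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = '{0} bytes, modified {1:u}' -f $item.Length, $item.LastWriteTimeUtc
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the thread were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so the Services keys are readable; a hit on any row means the manual steps in the first post still apply to that host.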
