Virus cleanup - fix compromised windows firewall settings

Posted by Cloud9Flyer on August 21, 2007, 11:19 am
I am running Windows 2003 R2 and had the box compromised by a virus.
Symantec cleaned it all up I think, but I keep getting reinfections.
When I investigated the Windows firewall, I found it had been disabled.
Further, it appears that a group policy has been applied to it that I
can't edit.

When I open the firewall admin, I see an entry in the exceptions:
2941:TCP is allowed from all IPs. The problem is, I cannot edit it,
it's grayed out. Also, explorer.exe has been added to the list and is
also grayed out (that might have been there before though, I'm not
sure). In the exception config box, all entries do say group policy =
no. However, when I run "netsh firewall show state" it says "Group
policy version = Windows Firewall" which from what I'm reading, means
that it's using a group policy indeed. Also, when I run gpedit.msc
and go to Admin templates -> ... -> Windows Firewall, it indicates
"Not configured" for every entry.

So, can anybody tell me how I can remove this port exception from my
firewall configuration? I'm pretty much baffled at this point. Can I
remove the group policy from the machine altogether (at least for the
firewall, my other servers show they're not using group policy)? If
so, how do I do that?

These servers are not on a domain, by the way, they are stand-alone
boxes, if that's relevant to your answers.

Thanks a bunch in advance for your help.


Posted by Leythos on August 21, 2007, 1:37 pm
sean.blaes@hifiit.com says...
>
> I am running Windows 2003 R2 and had the box compromised by a virus.

Unless you're just trying to clean it for the experience and fun, wipe
it and rebuild it.

There is no way to be sure that a machine is 100% clean using any
automated tools and certainly not by even a skilled network admin.

While I've cleaned some, I've never "certified" them as clean for
customers, and I never will. The only "SECURE" way to clean a
compromised box is to wipe (flatten) completely and rebuild in a clean
area.

You need to keep your servers behind a proper firewall too, do not
connect them without an appliance in front of them - and I'm not talking
some cheap NAT router that claims to be a firewall.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Posted by Cloud9Flyer on August 21, 2007, 2:04 pm
I totally agree, normally. But regretfully we're dealing with a
horrible ISP that will take weeks to wipe the box. We also have no
clean area to do a reinstall in because it's remote. Also, it's
supposed to be behind a firewall, but I just don't think the ISP has
very strict rules on the firewall.


Posted by Leythos on August 21, 2007, 9:10 pm
sean.blaes@hifiit.com says...
> I totally agree, normally. But regretfully we're dealing with a
> horrible ISP that will take weeks to wipe the box. We also have no
> clean area to do a reinstall in because it's remote. Also, it's
> supposed to be behind a firewall, but I just don't think the ISP has
> very strict rules on the firewall.

Why are you using the ISP's hardware if they have shown they can't protect
the OS/apps?

Either get your own servers and firewall or find another ISP to host
your applications.

--

Leythos

Posted by Cloud9Flyer on August 21, 2007, 10:56 pm
It's political. The client's CEO and the owner of the ISP are old
drinking buddies. I've tried to get the servers moved, but the boss
won't let it happen.

At any rate, my hands being tied how they are, we're way off-topic. I
would LOVE to move the server to a better ISP, and I would LOVE to
have the machine rebuilt, but I cannot make that happen in any
reasonable amount of time. So, I have to work with the cards I'm
dealt. I don't like it any more than anybody else.

Does anybody have any ideas on how to clean this up? I need to get
this port out of the firewall, but I can't figure out where it's
hiding. I deleted a registry entry for Windows Firewall, and it now
shows the policy = none when I do the show state, so that's good.
But, that open port is still open and grayed out so I can't modify
it. Does anybody have any idea where this might be hiding?
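One way to find where an uneditable exception like 2941:TCP is coming from, as an added example that is not from anyone in this thread: the Windows Server 2003 / XP SP2 firewall keeps locally configured exceptions under the SharedAccess\Parameters\FirewallPolicy key and policy-applied ones under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, and the UI greys out the policy-applied ones even on a stand-alone box. The script below (assumes PowerShell 2.0 or later installed on the server, run as an administrator, and the documented value format "port:proto:scope:Enabled|Disabled:name") lists both branches and flags policy-applied exceptions open to every address.

```powershell
# Added example, not from the thread: audit Windows Firewall port exceptions from both
# registry branches and flag the policy-applied ones (the greyed-out entries in the UI).
# Assumes PowerShell 2.0+, run elevated on the affected Windows Server 2003 box, and the
# value format "<port>:<proto>:<scope>:<Enabled|Disabled>:<name>", e.g. "2941:TCP:*:Enabled:svc".

$Branches = @{
    Local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
}

function Get-FirewallPortExceptions {
    foreach ($origin in 'Local', 'Policy') {
        foreach ($profile in 'DomainProfile', 'StandardProfile') {
            $key = "$($Branches[$origin])\$profile\GloballyOpenPorts\List"
            if (-not (Test-Path $key)) { continue }
            $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' }      # drop provider metadata
            foreach ($p in $props) {
                $f = [string]$p.Value -split ':', 5
                if ($f.Count -lt 4) { continue }              # malformed value, skip it
                $name = ''
                if ($f.Count -eq 5) { $name = $f[4] }
                New-Object PSObject -Property @{
                    Origin = $origin; Profile = $profile; Key = $key; ValueName = $p.Name
                    Port = $f[0]; Protocol = $f[1]; Scope = $f[2]; State = $f[3]; Name = $name
                }
            }
        }
    }
}

# Full listing: Origin=Policy rows are the ones the firewall UI will not let you edit.
$all = @(Get-FirewallPortExceptions)
$all | Sort-Object Origin, Profile, Port |
    Format-Table Origin, Profile, Port, Protocol, Scope, State, Name -AutoSize

# Policy-applied and open to every address (scope '*') is exactly the thread's symptom.
$suspect = $all | Where-Object { $_.Origin -eq 'Policy' -and $_.Scope -eq '*' }
foreach ($s in $suspect) {
    Write-Host ("Policy-applied exception {0}:{1} ({2}) lives at {3} value '{4}'" -f `
        $s.Port, $s.Protocol, $s.Profile, $s.Key, $s.ValueName)
    # Remove only after confirming the exception is not legitimate (uncomment to apply):
    # Remove-ItemProperty -Path $s.Key -Name $s.ValueName
}
# Afterwards confirm with: netsh firewall show portopening   and   netsh firewall show state
```

Because gpedit.msc only reflects policy written through registry.pol, a value dropped directly into the Policies branch shows as "Not configured" there while the firewall still honours it, which matches what the original poster describes.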

