  • Virus Attack

    Hello, I believe this is the right section for this.

    I want to get any feedback on this matter.

    Recently our network has been under attack from viruses. I don't know what started it all, but I suspect someone visited an offending site and got infected. The problem with that is there are different variants infecting different machines, one being a machine not even being used and infecting a profile from a user that has not worked here for about 6 months.

    Am I right in thinking that someone maliciously infected this machine? First off, the user's account is disabled on the domain, and second, the machine that was infected is not even being used. The machine was powered on and connected to the network, but no one has logged onto that machine for months. So wouldn't that mean someone with admin rights would have to log onto that machine and access the user's profile to gain access to that file directory?

    I know there can be quite a few possibilities and scenarios on how that profile/machine got infected, but how likely would it be that my assumption is right compared to any others?

    Any feedback or experiences would be appreciated on this matter.

    Petri is one of the best places I've come for help and I've tried a few. I've even tried those pay-per-month sites, and the help there does not exceed the expert advice I get here. I just wanted to mention that and say thanks to you all that step up to help those who need it.

    So Thank You Petri Community!

  • #2
    Re: Virus Attack

    Viruses are tricky. I am wondering if maybe this user got infected, 6 months ago, and it was not caught until you started having other troubles.

    You don't have to have admin rights to get infected; otherwise all Windows users would have to do to prevent themselves from getting infected is to use user rights.

    I am guessing you got infected by a worm of some type, knowing what you are infected with would help determine how it spreads and how machines are infected.

    The other thing is you may want to test your DC if you have not done so already, as it may be infected, thus infecting users.


    • #3
      Re: Virus Attack

      Originally posted by Mudd View Post
      The problem with that, is there are different variants infecting different machines, one being a machine not even being used and infecting a profile from a user that has not worked here for about 6 months.
      Let's question our assumptions, since assumptions have a tendency to bite us.
      • How do you know that the computer isn't being used? Have you checked log files to see if there have been any logon events?
      • I'm curious to know how you determined the specificity of the profile that was infected. If no one logs into that profile, how did you know it was infected? (I'm assuming you did a scan and found an infected file in the profile folder, but again... assumptions have teeth.)


      Originally posted by Mudd View Post
      Am I right in thinking that someone maliciously infected this machine? First off, the user's account is disabled on the domain, and second, the machine that was infected is not even being used. The machine was powered on and connected to the network,
      If the user is disabled on the domain, then they can't log on. However, I'm not sure about what would happen if someone attempted to log on with cached credentials if the PC was taken off the network for a time, but I suspect that that is a red herring. The real issue is that if it's powered on and on the network, people or things can access it. It's possible that the virus used an exploit to an exposed service to gain access to the machine and place infected files in strategic areas which could include some or any user profiles that it detected on the machine. That very thing happened to a medium sized Windows network I worked on a few years ago.

      I'm slightly puzzled by something:

      Originally posted by Mudd View Post
      but no one has logged onto that machine for months.
      You're sure that no one has logged on, and yet...

      Originally posted by Mudd View Post
      So wouldn't that mean someone with admin rights would have to log onto that machine and access the user's profile to gain access to that file directory?
      ...you wonder if someone has logged on. Are you wondering if someone has tampered with event logs to make it appear as if no one has logged on and yet someone has?

      Originally posted by Mudd View Post
      I know there can be quite a few possibilities and scenarios on how that profile/machine got infected, but how likely would it be that my assumption is right compared to any others?
      I think it's more likely that the machine was exploited via the network and infected files were placed in profile folders; the virus writer's intention being that users would then be compromised and the program could do its dirty deeds further.


      Originally posted by kgantt View Post
      You don't have to have admin rights to get infected,
      I'll disagree with you here, but am willing to admit being wrong if you can prove your hypothesis. I've never heard of a virus or worm infecting a PC from a user that was running a standard user account.

      Originally posted by kgantt View Post
      otherwise all Windows users would have to do to prevent themselves from getting infected is to use user rights.
      Actually, that is all that you have to do to prevent infections. That's why there has been such a huge push to get Windows users off of admin accounts and onto standard user accounts. That's why UAC is in Windows now because we all, even administrator accounts, are running as regular users and if a thing needs admin rights, UAC dialogs allow you to temporarily elevate privileges from your standard user token. That's why so many "problems" can be "solved" by right-clicking a program and choosing "run as administrator".

      I even know of one admin that moved all of his users to standard user accounts and removed all antivirus from all of the client PCs. After 3 years, he didn't have a single infection.

      Originally posted by kgantt View Post
      I am guessing you got infected by a worm of some type, knowing what you are infected with would help determine how it spreads and how machines are infected.
      Yes, Mudd, can you tell us specifically what virus and worms you're dealing with?

      Originally posted by kgantt View Post
      The other thing is you may want to test your DC if you have not done so already, as it may be infected, thus infecting users.
      If a DC is infected, it's not going to have any extra power to infect client PCs or domain users than any other infected PC would. The only possibility I can think of is if a Domain Admin account was known and the virus was programmed to create GPOs via script that deployed the virus to all PCs. However, that's a problem with account credentials being compromised and not specific to the DC being infected because a GPO could technically be programmatically created on any PC in the domain that could communicate back to a DC.

      Mudd, if you want to worry about DCs, go ahead... but only because they're such a vital foundation to the network and not because they could be the source of the continued problem.
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/


      • #4
        Re: Virus Attack

        Why does a machine that is not being used get left running? Has your company not heard about Global Warming?

        If it was a virus and not just some malware then it is possible it had a date specific warhead. Unplug the blue cable and isolate it from the network then scan the crap out of it to determine what you are dealing with. Oh yes, put some auditing on your network so you don't have to play guessing games with who's on first coz I don't know who was on second.
        1 1 was a racehorse.
        2 2 was 1 2.
        1 1 1 1 race 1 day,
        2 2 1 1 2
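        The two suggestions above, checking the Security log for logon events (#3) and auditing instead of guessing (#4), as an added PowerShell example that is not from this thread or any of its posters. It assumes logon auditing is enabled (the Windows default for successful logons), that you can read the remote Security log, and the host name is a placeholder.

```powershell
# Added example (not from the thread): check a host's Security log for logon
# activity instead of assuming "no one has logged on". Run from an elevated
# PowerShell with rights to read the remote Security log.
# Assumptions: logon auditing is on (Windows default for successes) and
# the computer name below is a placeholder.
$Computer = 'UNUSED-PC01'                 # placeholder host name
$Since    = (Get-Date).AddDays(-180)      # roughly the six months in the thread

# First check how far back the log actually reaches: a default-sized
# Security log on a workstation often wraps long before six months.
Get-WinEvent -ListLog Security -ComputerName $Computer |
    Select-Object LogName, MaximumSizeInBytes, RecordCount, LastWriteTime

$logonTypes  = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
                  7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
$failReasons = @{ '0xc0000072' = 'Account disabled'
                  '0xc000006d' = 'Bad user name or password'
                  '0xc0000234' = 'Account locked out'
                  '0xc0000064' = 'User name does not exist' }

# 4624 = successful logon, 4625 = failed logon
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    # Drop computer accounts (trailing $) and built-in identities, which log
    # on constantly and are not the "did a person log on" question.
    if ($d.TargetUserName -match '\$$' -or
        $d.TargetUserName -in 'SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE') { continue }
    $status = if ($e.Id -eq 4625) { $d.Status.ToLower() } else { '' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = if ($e.Id -eq 4624) { 'Success' } else { 'FAILED' }
        User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        LogonType = $logonTypes[[int]$d.LogonType]
        Source    = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress } else { $d.WorkstationName }
        Reason    = if ($failReasons.ContainsKey($status)) { $failReasons[$status] } else { $status }
    }
}

# Per-account summary (who, how, how often), then the full timeline. A disabled
# account showing 4625 "Account disabled" here means something is still trying it.
$rows | Group-Object User, LogonType, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Sort-Object Time | Format-Table Time, Result, User, LogonType, Source, Reason -AutoSize
```

        A CachedInteractive (type 11) success on a machine that is supposedly unused answers the cached-credentials question raised in #3 directly, and a Network (type 3) success from an unexpected source address is the remote-access case it describes.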


        • #5
          Re: Virus Attack

          Ok guys, most of the infections I was seeing were false positives. Symantec was alerting to the Flash install as being an infection and caught me off guard. After some research I came to find out that a certain version of Symantec was detecting these Flash installs as risks.

          Sorry to waste you guys' time; I do value and respect a lot of your input and expertise.

          Now, there were other infections throughout, but they have since died down to almost a complete halt.

          Thanks again for your input.


          • #6
            Re: Virus Attack

            Well, if you use Symantec you definitely have at least ONE virus on your systems.

            (Ducks for cover... )
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland


            • #7
              Re: Virus Attack

              Originally posted by Mudd View Post
              Sorry to waste you guys' time; I do value and respect a lot of your input and expertise.
              I'd hardly call this thread a waste of time. Any time a problem has a resolution there is something that can be learned. In this case, I had never heard of Symantec having issues with Flash and will now have that scrap of information in my mind which could very well come in handy in the future.

              Thanks for posting back with your findings.
              Wesley David