My laptop got infected with something on Thursday (I think) and so Saturday morning was spent cleaning it and every other machine on the network. Symptoms: Google search results looked a little wonky, odd font?, and clicking any of the result links would pop open a new window with advertising crap. I should have saved the page for reference. The HTML had a mishmash of odd links replacing what it said the URLs were. Fuckers.
A quick search came up with Malwarebytes' Anti-Malware utility. First run on my laptop found ~16 infected files and registry entries. Clean, reboot, and rerun. Second found four. Third and subsequent runs found one: Rootkit.Agent in a file under C:\System Volume Information\_restore*. Each pass, it would be a different .sys file. Cleaned up the two desktop machines; the web server was completely clean. Lisa's laptop had Rootkit.Agent also. :-(
I had accepted that I would have to go scorched-earth on both laptops, but then found a reference to FileASSASSIN (also from Malwarebytes) in a forum talking about that particular pest. I rebooted in safe mode, ran the malware scan (since the file changed after each cleaning), found the currently infected file, and used FileASSASSIN to delete it. Rebooted back in normal mode and both laptops scanned clean.
According to ThreatExpert, it's a rootkit and a trojan. I have my doubts that it's gone so will be running more scans. Let's just say you shouldn't accept any emailed files from me for the foreseeable future...
While looking for software to help my brother set up a blog for his real estate business, I got lost in a cascade of tasks and never got back to address his request. First, I decided to try out Drupal for him by setting it up on my server. Ah, but to set that up, I want to first perform some database (MySQL) and scripting (PHP) upgrades that were long overdue. And before I do any upgrades, I need to fix the sorry state of backup that exists on the ether network. At this point, I've bottomed out in my spelunking adventure and can begin.
I was using Mozy for backup, but it wouldn't install on Windows Server, wouldn't grab data from network shares, and would only allow backups from one machine. To get it to kind of work, I had a Windows backup scheduled and then had Mozy (attempt to) back up the backup file. Being ~1.5 GB, it usually failed to upload. Several coworkers use Carbonite and several others use DropBox. I'd heard Carbonite was like Mozy, but saw that it doesn't support my older Windows machines (XP and Vista only). DropBox works with a specific folder structure and doesn't allow you to "assign" folders as DropBox folders. Their interface is beautiful and simple, but if they won't grab my pst files or my database files it's of little use.
I did a quick search and found Sanjay Parekh's article from two years ago comparing various services. He has different requirements than I do, but provides a good overview. Of the services reviewed, Data Deposit Box ended up working the best: any number of machines, network shares, and $2/GB/month. The only downside is that it's currently Windows-only. I've been using it for maybe two weeks and--although I haven't had a restore emergency--have been completely satisfied.
(three machines from the network show up in DDB's web browser admin interface, files are shareable and retrievable anywhere)
So, over the past three days our home DSL account through Earthlink has been averaging 15 IP addresses a day. Considering that I've worked from home the past two days and have had, or rather should have had, a constant VPN connection to my office network, that's kinda shady. I called Earthlink support at 12:45 this afternoon and "asked" them about their policy of high-adrenaline IP assignment.
They wanted to verify how I could possibly know what my IP address was (?!?), and then tried to blame it on (a) my router (did you purchase that from Earthlink?), (b) the various what's-my-IP web sites (what URLs did you visit?), and (c) my company's VPN (contact your network administrator). They then tried to upsell me to a static IP. Dynamic IPs I understand are dynamic, but when I get cycled through up to three different addresses in a five-minute period ... fuck you Earthlink.
Well, since the call at 12:45, I've had ... three updates. At 10:49, 11:09, and 11:29 (my first activity in several hours). Weird that it was smooth sailing after my disgruntled complaint about them trying to make me pay extra for a fixed IP address because of their shitty service. They can't be that responsive to angry calls. Going on vacation this weekend, so the question is on hold until next week. Atnex is the likely candidate with high ratings at DSL Reports.
ZoneAlarm doesn't play well with SHOUTcast. The only way around getting these two to work together is to configure ZoneAlarm in "Program Control" > Main > "Program Control" and select Med[ium] (High is the default). This may not be the best security choice for your setup, but it will allow clients to get in to your SHOUTcast server.
I had recently had a couple of minor crashes and lost my ZoneAlarm settings, so I had to re-learn this configuration. All the while kicking myself for not having it stored in my brain from years ago. The following links made me realize that few others have solved (and published) this: RANDOM: Shoutcast and Zone Alarm, WINAMP.COM | Forums - cannot see your station (diffrent), IORSN - SHOUTcast Network Configuration - Test 1.
Late Wednesday, I decided to do some end-of-year security checks on my Web server. I keep up with Windows updates, but I hadn't run Microsoft Baseline Security Analyzer in a while so that was step one. It made a few good recommendations concerning default IIS Web sites that I'd never removed (just disabled) and the fact that I didn't disable the Guest user. The fatal recommendation was to run something called IIS Lockdown from Microsoft which further cleans up stray IIS settings that could cause problems.
I'm not sure exactly what happened when I ran it, but the result was the elimination of all of my Web sites from IIS (the settings, not the files). Yipes. My fault was two-fold: I should have had IIS backed up and I should have researched more closely what the lockdown app was going to do. Anyway, the past few days--late into the evening Wednesday, a good portion of last night when I got RadioWave (JSPs) and my blog (Perl) up, and today when I finally got my development wiki (PHP) back--were exhausting. Oddly, getting Tomcat working was the biggest headache, mostly because IIS seems to be erratic about refreshing with refresh (the Web site), restart (the server), or reboot (the machine). I need to write down all of the peculiarities as soon as possible before I forget, especially because I found others describing some of the symptoms but with no solutions. I've already updated my notes on configuring MediaWiki with some new links, but there's some more to add. Getting Perl working was effortless. Getting PHP was a little more difficult because it involved some rarely-documented stuff.
All in all, it was a good re-learning experience and I was able to clean up many of the spurious settings from my Tomcat config files. The irony now is that my Web server is probably more insecure (I probably shouldn't advertise that, should I?) because of the global changes that were just made. I think I'll be locking down IIS on my own from now on, thank you.
This entry is a repository of links and instructions covering how to install MediaWiki on a Windows 2000 IIS machine (ongoing).
We live in lofts that used to be state government offices. The walls have metal studs instead of wood ones (nudge nudge), so our condo has a couple of dead spots for the wireless network. Enter the wireless extension point!
Blast! LinkSys doesn't appear to have one. But wait!! D-link has one!
The path I must take is clear now. Still, it would be nice to pay only $40 instead of $70...