[Netpass-devel] NetPass/install.d sysctl.conf,NONE,1.1 install-ipvs.sh,1.4,1.5 iptables.sh,1.3,1.4 p
From: jeff m. <jef...@us...> - 2005-08-10 19:52:24
Update of /cvsroot/netpass/NetPass/install.d
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv8611/install.d
Modified Files:
install-ipvs.sh iptables.sh pages.sql tables.sql
Added Files:
sysctl.conf
Log Message:
bug fixes
Index: iptables.sh
===================================================================
RCS file: /cvsroot/netpass/NetPass/install.d/iptables.sh,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- iptables.sh 17 Mar 2005 17:38:38 -0000 1.3
+++ iptables.sh 10 Aug 2005 19:52:15 -0000 1.4
@@ -93,6 +93,9 @@
 #TRAP iptables -t nat -A PREROUTING -j ACCEPT -s $i -p udp --dport 162
 #TRAP done
+#API for i in %APICLIENTS% %NETPASSSERVERS% ; do
+#API iptables -t nat -A PREROUTING -j ACCEPT -s $i -p tcp --dport 20003
+#API done
 # allow the netpass servers to talk to each other via mysql
 # 1186 = mysql cluster manager
@@ -109,7 +112,7 @@
 #### PUT CUSTOM RULES HERE ####
 #### SEE BELOW ALSO ####
 #### you'll also need to
-#### add to the INPUT rules
+#### add to the INPUT rules (further below)
 # allow adsm
 iptables -t nat -A PREROUTING -p tcp --dport 1500:1505 -s 128.205.7.80/32 -j ACCEPT
@@ -163,6 +166,7 @@
 iptables -A INPUT -p tcp --dport 1186 -j ACCEPT # MYSQL MGT
 iptables -A INPUT -p tcp --dport 2202 -j ACCEPT # MYSQL NDB
 iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # MYSQL SRV
+iptables -A INPUT -p tcp --dport 20003 -j ACCEPT # NPAPI
 #iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
--- NEW FILE: sysctl.conf ---
## BEGIN-NETPASS
# these settings allow for the netpass server to
# handle up to 16384 clients
net.ipv4.neigh.default.gc_thresh3 = 16384
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 3
## END-NETPASS
Index: tables.sql
===================================================================
RCS file: /cvsroot/netpass/NetPass/install.d/tables.sql,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18
--- tables.sql 18 Jul 2005 13:23:31 -0000 1.17
+++ tables.sql 10 Aug 2005 19:52:15 -0000 1.18
@@ -193,6 +193,7 @@
 action ENUM('start', 'stop', 'restart'),
 actionAs VARCHAR(16),
 status ENUM('pending', 'completed'),
+ serverid VARCHAR(128),
 PRIMARY KEY (rowid)
 ) ENGINE=NDBCLUSTER;
Index: install-ipvs.sh
===================================================================
RCS file: /cvsroot/netpass/NetPass/install.d/install-ipvs.sh,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- install-ipvs.sh 4 Aug 2005 06:45:24 -0000 1.4
+++ install-ipvs.sh 10 Aug 2005 19:52:15 -0000 1.5
@@ -50,9 +50,12 @@
 EOF
 cat <<EOF >>/etc/modprobe.conf
-options ip_conntrack hashsize=1048576 # 512 MB RAM
-#options ip_conntrack hashsize=2097152 # 1024 MB RAM
-#options ip_conntrack hashsize=4194304 # 2048 MB RAM
+# 512 MB RAM
+options ip_conntrack hashsize=1048576
+# 1024 MB RAM
+#options ip_conntrack hashsize=2097152
+# 2048 MB RAM
+#options ip_conntrack hashsize=4194304
 EOF
 /sbin/ipvsadm-save > /etc/sysconfig/ipvsadm
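Review bot: The new `iptables -A INPUT -p tcp --dport 20003 -j ACCEPT # NPAPI` rule accepts the NetPass API port from any source, whereas what appears to be its nat PREROUTING counterpart in the first iptables.sh hunk (still disabled by the #API prefix) is restricted to `-s $i` over %APICLIENTS% and %NETPASSSERVERS%. If the API is only meant for those hosts, the filter rule should carry the same restriction, e.g. `for i in %APICLIENTS% %NETPASSSERVERS% ; do iptables -A INPUT -p tcp --dport 20003 -s $i -j ACCEPT ; done # NPAPI`. The neighbouring MySQL rules are equally unrestricted, so this may be the file's convention, but an API port reachable from every client on the network deserves an explicit source list or a comment stating that exposure is intended. The rule block continues outside the hunk.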
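Review bot: `net.ipv4.tcp_tw_recycle = 1` is a risky choice for a server that fronts many client hosts: it makes the kernel drop SYNs whose TCP timestamps go backwards per peer address, so several clients reaching the server through one NAT address will see intermittently refused connections (the option was later removed from Linux in 4.12 for this reason). If TIME_WAIT exhaustion is the concern, `net.ipv4.tcp_tw_reuse = 1` is the safe alternative, and `net.ipv4.tcp_fin_timeout = 3` is aggressive enough to deserve a comment explaining why 3 seconds was chosen. The header comment only accounts for the gc_thresh values; a line such as `# tcp_* settings limit TIME_WAIT/FIN_WAIT state under many short client connections` would document the rest of the block.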
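Review bot: `serverid VARCHAR(128)` is added without NOT NULL or a default, so any writer that does not set it stores NULL; if a consumer then selects work with `WHERE serverid = ...` those rows never match, and with `serverid IS NULL` they match on every server. Either pin the intent in the DDL, `serverid VARCHAR(128) NOT NULL DEFAULT '',` or add a comment above the column stating what NULL means, e.g. `-- serverid: NULL = any server may pick up this action`. The CREATE TABLE statement starts outside the hunk, and whether an upgrade path ALTERs existing tables is not visible here.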
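Review bot: The heredoc feeding the rewritten ip_conntrack block is appended with `cat <<EOF >>/etc/modprobe.conf` and nothing checks whether the block is already present, so re-running the installer leaves duplicate and possibly conflicting `options ip_conntrack hashsize=` lines in modprobe.conf. Guard the append, e.g. `grep -q 'ip_conntrack hashsize' /etc/modprobe.conf || cat <<EOF >>/etc/modprobe.conf`, or bracket the block with markers like the `## BEGIN-NETPASS`/`## END-NETPASS` pair used in the new sysctl.conf so it can be located and replaced. Moving the RAM-size comments onto their own lines is fine, but a short comment above the heredoc recording why they were split out would keep the next reader from re-inlining them.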
@@ -62,4 +65,19 @@
 up2date --nox -i perl-Digest-HMAC
+cat <<EOF
+
+Edit /etc/modprobe.conf and adjust the hashsize line according to
+how much memory this system has.
+
+Edit /etc/iptables.sh and adjust the local system rules section
+and then execute:
+
+ # /etc/iptables.sh
+ # /etc/init.d/iptables save
+
+to make the rules active.
+
+EOF
+
 exit 0
Index: pages.sql
===================================================================
RCS file: /cvsroot/netpass/NetPass/install.d/pages.sql,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- pages.sql 17 May 2005 20:34:27 -0000 1.2
+++ pages.sql 10 Aug 2005 19:52:15 -0000 1.3
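Review bot: The post-install message does not mention the sysctl.conf fragment added in this same commit; unless the installer applies it somewhere outside this hunk, the admin is never told to merge it into /etc/sysctl.conf and load it. Consider adding two lines to the heredoc, `Merge install.d/sysctl.conf into /etc/sysctl.conf and run:` followed by ` # sysctl -p`. The heredoc delimiter is unquoted, which is harmless here because the text contains no `$` or backquotes, but `<<'EOF'` would make the no-expansion intent explicit.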
@@ -1,23 +1,48 @@ --- MySQL dump 8.23 +-- MySQL dump 10.9 -- -- Host: localhost Database: netpass ---------------------------------------------------------- --- Server version 4.0.21-log +-- ------------------------------------------------------ +-- Server version 4.1.13-max + +/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; +/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; +/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; +/*!40101 SET NAMES utf8 */; +/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; +/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; +/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; +/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; -- -- Table structure for table `pages` -- -CREATE TABLE pages ( - name varchar(128) NOT NULL default '', - content text, - PRIMARY KEY (name) -) TYPE=MyISAM; +DROP TABLE IF EXISTS `pages`; +CREATE TABLE `pages` ( + `rowid` int(10) unsigned NOT NULL auto_increment, + `network` varchar(128) NOT NULL default 'default', + `name` varchar(128) NOT NULL default '', + `content` text, + PRIMARY KEY (`rowid`), + UNIQUE KEY `pages_idx1` (`name`,`network`) +) ENGINE=ndbcluster DEFAULT CHARSET=latin1; -- -- Dumping data for table `pages` -- -INSERT INTO pages (name, content) VALUES ('msg:welcome','\r\n<html><head></head><body><p>UB NetPass is a safety inspection program for student computers in ResNet. UB NetPass scans your computer for viruses, worms, and other vulnerabilities. Like a vehicle inspection program, your computer must pass before you are granted access to UB\'s network and the Internet.</p><p>If your computer fails inspection, you will be presented with instructions to help you correct any problems. 
Once you have corrected the problems identified by UB NetPass, you can have your computer re-scanned.</p><p><strong>You must have cookies enabled to use UB NetPass.</strong></p><!-- #BeginLibraryItem \"/Library/contact info.lbi\" --><p>If you do not understand this message or are having difficulty using UB NetPass, assistance is available from the CIT Help Desk. Professional repair and vulnerability remediation services are available from UBMicro.</p><table cellpadding=\"2\" border=\"0\"><caption>Contact Information </caption><tbody><tr><th scope=\"col\">CIT Help Desk</th><th scope=\"col\">UBMicro</th></tr><tr><td align=\"center\">255 Fronczak Hall<br />716-645-3542</td><td align=\"center\">109 The Commons<br />716-645-3554</td></tr></tbody></table><!-- #EndLibraryItem --><p>Please read the acceptable use policy, enter your UBITName and password and click the button to start the scan. </p></body></html>'),('msg:eula','\r\n<html><head></head><body><h2>UB ResNet Acceptable Use Policy</h2><h3>Conditions of Use</h3><p>To provide the highest quality access to information technologies, University Residence Halls & Apartments (URHA) and Computing & Information Technology (CIT) maintain a computing network that can connect each resident\'s personal computer to the Internet. This computing network is called ResNet. <br /></p><p>ResNet users are responsible for all network traffic originating from their computers. This includes, but is not limited to: email, Internet browsing, file transfers, and connections to other machines. </p><p>ResNet users are required to follow all University, Computing & Information Technology (CIT) and University Residence Halls rules and policies.<br /></p><p>As a condition of use, to initially connect to ResNet residents must ensure that their computer(s) present no identifiable risk to the network, i.e. 
the computer has anti-virus software installed and up-to-date critical operating system updates applied.<br /></p><p>At any time that there is credible evidence that a ResNet attached computer has become a risk to the network, ResNet access will be denied and the resident will be required to re-certify the computer\'s safe operation at his/her expense.<br /></p><p>Additionally, ResNet users must be aware that: </p><ol><li>ResNet must be used in accordance with all Copyright laws. This includes, but is not limited to, refraining from using your computer in a way that would violate those laws such as operating pirated software or MP3 servers. </li><li>URHA communication services, wiring and other hardware may not be modified or tampered with in any way. This includes attempting to extended the network beyond the area of its intended use (for example: Installing a hub or Remote Access Server). </li><li>ResNet must be used in accordance with URHA policies on Business Activity. It can not be used to post advertisements for personal business, or for the sale of products or services for commercial gain. </li><li>Harassment of other users, by any method, will not be tolerated. </li><li>ResNet can not be used to misrepresent or hide your personal identity. (for example: email sent from a fake address, or from any address that is not yours) </li></ol><p>Violating any of these conditions may result in: Suspension or loss of ResNet usage privilege, expulsion from University Residence Halls, discipline from other university bodies such as the Student Judiciary, criminal charges. Damage or theft of ResNet wiring or hardware is the financial responsibility of the residence members. If responsibility is traced to any individual or particular group of individuals, then they will be held personally responsible for the theft or damage. </p><p>ResNet users are also expected to be responsible network citizens. 
ResNet is a shared resource and as such, users should refrain from using any application which may interfere with the use of the network by others.</p><p>Think of your personal computer as your computing home. It is advisable to "lock the front door" so that people can not use your machine without your supervision. Using a power-on password, or a screen saver password are good ways to control access to both the information on your computer, and your computer\'s access to ResNet.</p></body></html>'),('msg:10024','<html><head></head><body>\r\n<h3>Problem: BackOrifice was found</h3>\r\n<h3>Description</h3>\r\n<p>BackOrifice<!-- #BeginLibraryItem \"/Library/is an app.lbi\" -->\r\nis an application that is designed to give unauthorized users full control over your computer. It is usually installed without the knowledge or permission of the computer\'s owner/user. Its presence is frequently a sign that the computer has been compromised.<!-- #EndLibraryItem --></p>\r\n<h3>Solution</h3><!-- #BeginLibraryItem \"/Library/reinstall.lbi\" -->\r\nExperts recommend a complete operating system reinstall. UB recommends you have this performed by a professional. Professional repair and vulnerability remediation services are available from UBMicro.<!-- #EndLibraryItem --></body></html>'),('msg:10036','\r\n<html><head></head><body>\r\n<h3>Problem: CDK Detect was found</h3>\r\n<h3>Description</h3>\r\nCDK Detect<!-- #BeginLibraryItem \"/Library/is an app.lbi\" -->\r\nis an application that is designed to give unauthorized users full control over your computer. It is usually installed without the knowledge or permission of the computer\'s owner/user. Its presence is frequently a sign that the computer has been compromised.<!-- #EndLibraryItem --><h3>Solution</h3>\r\n<p><!-- #BeginLibraryItem \"/Library/reinstall.lbi\" -->\r\nExperts recommend a complete operating system reinstall. UB recommends you have this performed by a professional. 
Professional repair and vulnerability remediation services are available from UBMicro.<!-- #EndLibraryItem --></p>\r\n</body></html>'),('msg:10390','\r\n<html><head></head><body><h3>Problem: mstream agent was found</h3>\r\n<h3>Description</h3>\r\nThe mstream agent <!-- #BeginLibraryItem \"/Library/client-server DDoS.lbi\" -->is\r\na client for a much larger identity consisting of a "master" that controls\r\none or more "slaves" (or agents). The agents are generally used to\r\nattack other machines, often at the same time in what is known as a Distributed\r\nDenial of Service (DDoS) attack. The presence of this agent on your computer\r\nmeans that your computer might be a part of such a network. <!-- #EndLibraryItem -->\r\n<h3>Solution</h3>\r\n<p><!-- #BeginLibraryItem \"/Library/no known.lbi\" --> No known removal instructions\r\n are available. Please try scanning your computer using Symantec AntiVirus\r\nsoftware. <!-- #EndLibraryItem --></p>\r\n</body></html>'),('msg:10391','\r\n<html><head></head><body><h3>Problem: mstream handler was found</h3>\r\n<h3>Description</h3>\r\nThe mstream handler <!-- #BeginLibraryItem \"/Library/client-server DDoS.lbi\" -->is\r\na client for a much larger identity consisting of a "master" that controls\r\none or more "slaves" (or agents). The agents are generally used to\r\nattack other machines, often at the same time in what is known as a Distributed\r\nDenial of Service (DDoS) attack. The presence of this agent on your computer\r\nmeans that your computer might be a part of such a network. <!-- #EndLibraryItem -->\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/no known.lbi\" -->No known removal instructions\r\nare available. Please try scanning your computer using your antivirus software. 
<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:10309','\r\n<html><head>\r\n</head><body><h3>Problem: Wingate was found</h3>\r\n<h3>Description</h3>\r\nWhen Wingate is installed and configured with a blank password,\r\nother computers can establish an Internet connection\r\nthrough the Wingate computer. This allows the second computer to hide its Internet\r\nconnection. Anything the second computer does on the Internet will look like\r\nit was done by the Wingate computer, possibly stealing your Internet "identity." \r\n\r\n<h3>Solution</h3>\r\n\r\n<p><strong>For Wingate 4.0:</strong></p>\r\n<ol>\r\n<li>Double-click the Wingate icon in the system tray (near the clock). </li>\r\n<li>Click "OK" to login without a password. </li>\r\n<li>The following screen should be a change password window. In it enter a new, strong password. </li>\r\n</ol>\r\n<p><strong>For Wingate 6.0:</strong></p>\r\n<ol>\r\n<li>Open the "Gatekeeper" module on the Wingate Server. </li>\r\n<li>Click the "Users" tab and configure individual users from there. </li>\r\n</ol></body></html>'),('msg:10307','\r\n<html><head></head><body><h3>Problem: An instance of the Trin00 for Windows "agent" was found to be running and accepting connections on your computer.</h3><h3>Description</h3>The Trin00 for Windows "agent" <!-- #BeginLibraryItem \"/Library/client-server DDoS.lbi\" -->is\r\na client for a much larger identity consisting of a "master" that controls\r\none or more "slaves" (or agents). The agents are generally used to\r\nattack other machines, often at the same time in what is known as a Distributed\r\nDenial of Service (DDoS) attack. The presence of this agent on your computer\r\nmeans that your computer might be a part of such a network. <!-- #EndLibraryItem -->\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. 
Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). </p>\r\n<!-- #EndLibraryItem --><!-- #BeginLibraryItem \"/Library/verify removal.lbi\" -->\r\n<p><strong>Verify Removal</strong></p>\r\n<p>If Symantec reports finding an infected file, take note of the filename and\r\n verify its deletion by checking the following registry key:<br />\r\n HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run </p>\r\n<ol>\r\n <li>Click on the "Start" menu. </li>\r\n <li>Click "Run." </li>\r\n <li>Type "regedit" and press ENTER. </li>\r\n <li>In the registry editor click on the "File" (or "Registry")\r\n menu. </li>\r\n <li>Click "Export." </li>\r\n <li>Click "All" underneath where it says "Export Range." </li>\r\n <li>Enter a filename into the filename field. (ex: "reg backup") </li>\r\n <li>Click "Save." </li>\r\n <li>Expand the "HKEY_LOCAL_MACHINE" folder. </li>\r\n <li>Expand the "SOFTWARE" folder, then the "Microsoft," "Windows," and "CurrentVersion" folders. </li>\r\n <li>Click on the "Run" folder. </li>\r\n <li>In the right-hand window, the name/data pair for the name of the infected\r\n file will appear under the Name and Data sections, respectively. (ex: Name: "infectedfile" Data: "infectedfile.exe") </li\r\n>\r\n <li>Highlight the name of the infected file by clicking on it and press the\r\n DELETE key. </li>\r\n <li>Click "Yes" to delete. 
</li>\r\n</ol>\r\n<p>If your computer appears to still be infected after the scan a full reformat\r\n may be necessary.<!-- #BeginLibraryItem \"/Library/reinstall.lbi\" --> Experts\r\n recommend a complete operating system reinstall. UB recommends you have this\r\n performed by a professional. Professional repair and vulnerability remediation\r\n services are available from UBMicro.<!-- #EndLibraryItem --></p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:10288','\r\n<html><head></head><body><h3>Problem: Trin00 "agent" was found</h3>\r\n<h3>Description</h3>\r\nThe Trin00 "agent" <!-- #BeginLibraryItem \"/Library/client-server DDoS.lbi\" -->is\r\na client for a much larger identity consisting of a "master" that controls\r\none or more "slaves" (or agents). The agents are generally used to\r\nattack other machines, often at the same time in what is known as a Distributed\r\nDenial of Service (DDoS) attack. The presence of this agent on your computer\r\nmeans that your computer might be a part of such a network. <!-- #EndLibraryItem -->\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). 
</p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:10283','\r\n<html><head></head><body><h3>Problem: TFN "agent" was found</h3>\r\n<h3>Description</h3>The TFN "agent" <!-- #BeginLibraryItem \"/Library/client-server DDoS.lbi\" -->is\r\na client for a much larger identity consisting of a "master" that controls\r\none or more "slaves" (or agents). The agents are generally used to\r\nattack other machines, often at the same time in what is known as a Distributed\r\nDenial of Service (DDoS) attack. The presence of this agent on your computer\r\nmeans that your computer might be a part of such a network. <!-- #EndLibraryItem -->\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions\r\nare available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). </p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:10270','\r\n<html><head></head><body><h3>Problem: Stacheldraht "agent" was found</h3>\r\n<h3>Description</h3>The Stacheldraht "agent" <!-- #BeginLibraryItem \"/Library/client-server DDoS.lbi\" -->is\r\na client for a much larger identity consisting of a "master" that controls\r\none or more "slaves" (or agents). The agents are generally used to\r\nattack other machines, often at the same time in what is known as a Distributed\r\nDenial of Service (DDoS) attack. 
The presence of this agent on your computer\r\nmeans that your computer might be a part of such a network. <!-- #EndLibraryItem -->\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). </p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:10203','\r\n<html><head></head><body><h3>Problem: rexecd server process was found</h3>\r\n<h3>Description</h3>Rexec is a daemon that allows code to be executed on the host computer by remote users, very often without requiring authentication. Because of this, the rexec server is thought to be highly insecure and unnecessary. It is also quite often the means by which intruders gain access to computers. <h3>Solution</h3>\r\n\r\n<p>It is generally recommended that users disable the rexec daemon, which will prevent from running in the future.</p>\r\n<ol><li>Use your preferred text editor to open /etc/inetd.conf. </li><li>Locate the rexecd line, which should look something like the following:<br />exec stream tcp nowait root /usr/lbin/rexecd rexecd </li><li>Place a hash/pound ("#") before the line to comment it out. </li><li>Save the inetd.conf file. 
</li><li>Locate the PIDs for any rexecd processes running by typing:<br />\r\nps aux | grep rexecd </li>\r\n <li>For all of the PIDs type:<br />kill HUP pid</li></ol></body></html>'),('msg:10166','\r\n<html><head></head><body>\r\n<h3>Problem: Anonymous FTP server</h3>\r\n<h3>Description</h3>\r\nAnonymous accounts are frequently targeted by hackers and viruses seeking to\r\nobtain unauthorized access to your computer. Your computer is running an FTP\r\nserver with an anonymous account and may be vulnerable to unauthorized remote\r\naccess.\r\n<h3>Solution</h3>You should disable all guest accounts that exist on your system, even if this disables the FTP service. </body></html>'),('msg:10147','\r\n<html><head></head><body>\r\n<h3>Problem: Nessus daemon ports were found</h3>\r\n<h3>Description</h3>The Nessus daemon allows remote users the ability to make the server scan other computers. The remote user must first have a valid username and password or valid public/private key. Howerver, should the Nessus server ever be found to be vulnerable, the Nessus server running on your computer would allow the vulnerability to be exploited. \r\n\r\n<h3>Solution</h3>\r\n\r\n<p>Removal/Remediation Steps: There are two means of resolving this vulnerability, both of which are recommended. Choose only one. </p><ol><li>Change the ports to which the that the Nessus daemon listens. </li><li>Block the ports to which you have Nessus listening. This can be done with ipchains (2.4x Linux kernel) or iptables (2.2x Linux kernel). </li></ol></body></html>'),('msg:10524','\r\n<html><head></head><body>\r\n<h3>Problem: Windows 95/98/ME SMB password verification vulnerability</h3>\r\n<h3>Description</h3>\r\nThis vulnerability will allow any unauthorized user to access the Windows 95/98/ME\r\nfile shared service with password protection. 
\r\n<h3>Solution</h3>\r\nDownload and update Windows with the appropriate patch: \r\n<ul>\r\n <li><a href=\"http://download.microsoft.com/download/win95/Update/11958/W95/EN-US/273991USA5.EXE\">Windows 95</a></li>\r\n <li><a href=\"http://download.microsoft.com/download/win98SE/Update/11958/W98/EN-US/273991USA8.EXE\">Windows\r\n 98</a></li>\r\n <li><a href=\"http://download.microsoft.com/download/winme/Update/11958/WinMe/EN-US/273991USAM.EXE\">Windows\r\n ME</a><br />\r\n </li>\r\n</ul>\r\n</body></html>'),('msg:10668','\r\n<html><head></head><body><h3>Problem: Windows Index Server vulnerability</h3><h3>Description</h3>\r\nYour computer is not patched for a Windows Index Server vulnerability. \r\n<p>There is a buffer overflow vulnerability in the Index Server 2.0 function\r\n to process a search request. Using this unchecked buffer, an attacker would\r\n be able to have the computer execute unauthorized and possibly malicious code\r\n in the Local System security context. This could compromise the machine and/or\r\n the network even further. </p>\r\n<h3>Solution</h3>\r\nDownload and install the following patch from Microsoft. 
\r\n<ol>\r\n <li><a href=\"http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29660\">Index Server 2.0 Buffer overflow</a></li>\r\n <li><a href=\"http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29631\">Index\r\n Server 2.0 "Malformed Hit-Highlighting" vulnerability</a></li>\r\n <li><a href=\"http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29561\">Indexing Service for Windows 2000 Pro, Windows 2000 Server and Windows 2000 Advanced Server</a><br />\r\n </li>\r\n</ol>\r\n<h3> </h3>\r\n</body></html>'),('msg:10132','<html><head></head><body>\r\n<h3>Problem: Kuang2 virus was found.</h3>\r\n<h3>Description</h3>\r\n<p>The Kuang2 virus infects all .exe files on the computer.<!-- #BeginLibraryItem \"/Library/server unauth.lbi\" -->\r\nIt installs a server that is designed to give unauthorized users full control over your computer.<!-- #EndLibraryItem --></p>\r\n<h3>Solution</h3>\r\n\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). 
</p>\r\n<!-- #EndLibraryItem --><!-- #BeginLibraryItem \"/Library/verify removal.lbi\" -->\r\n<p><strong>Verify Removal</strong></p>\r\n<p>If Symantec reports finding an infected file, take note of the filename and\r\n verify its deletion by checking the following registry key:<br />\r\n HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run </p>\r\n<ol>\r\n <li>Click on the "Start" menu. </li>\r\n <li>Click "Run." </li>\r\n <li>Type "regedit" and press ENTER. </li>\r\n <li>In the registry editor click on the "File" (or "Registry")\r\n menu. </li>\r\n <li>Click "Export." </li>\r\n <li>Click "All" underneath where it says "Export Range." </li>\r\n <li>Enter a filename into the filename field. (ex: "reg backup") </li>\r\n <li>Click "Save." </li>\r\n <li>Expand the "HKEY_LOCAL_MACHINE" folder. </li>\r\n <li>Expand the "SOFTWARE" folder, then the "Microsoft," "Windows," and "CurrentVersion" folders. </li>\r\n <li>Click on the "Run" folder. </li>\r\n <li>In the right-hand window, the name/data pair for the name of the infected\r\n file will appear under the Name and Data sections, respectively. (ex: Name: "infectedfile" Data: "infectedfile.exe") </li\r\n>\r\n <li>Highlight the name of the infected file by clicking on it and press the\r\n DELETE key. </li>\r\n <li>Click "Yes" to delete. </li>\r\n</ol>\r\n<p>If your computer appears to still be infected after the scan a full reformat\r\n may be necessary.<!-- #BeginLibraryItem \"/Library/reinstall.lbi\" --> Experts\r\n recommend a complete operating system reinstall. UB recommends you have this\r\n performed by a professional. 
Professional repair and vulnerability remediation\r\n services are available from UBMicro.<!-- #EndLibraryItem --></p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:10093','\r\n<html><head>\r\n</head><body>\r\n<h3>Problem: GateCrasher server found</h3>\r\n<h3>Description</h3>GateCrasher<!-- #BeginLibraryItem \"/Library/is an app.lbi\" -->\r\nis an application that is designed to give unauthorized users full control over your computer. It is usually installed without the knowledge or permission of the computer\'s owner/user. Its presence is frequently a sign that the computer has been compromised.<!-- #EndLibraryItem --><h3>Solution</h3>\r\n<p>Remove GateCrasher</p> \r\n<ol>\r\n<li>Click "Start." </li>\r\n<li>Click "Run." </li>\r\n<li>Type "cmd" and press ENTER. </li>\r\n<li>In the command window, type "telnet localhost 6969" and press ENTER. </li>\r\n<li>At the prompt, type "gatecrasher" and press ENTER. </li>\r\n<li>Type "uninstall" and press ENTER. </li>\r\n</ol>\r\n<p>Verify removal by checking the following registry key:<br />\r\n HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/"Explore" = "Explore.exe"</p>\r\n<p>Removal Verification</p>\r\n<ol>\r\n<li>Click on the "Start" menu. </li>\r\n<li>Click "Run." </li>\r\n<li>Type "regedit" and press ENTER. </li>\r\n<li>In the registry editor click on the "File" (or "Registry") menu. </li>\r\n<li>Click "Export." </li>\r\n<li>Click "All" underneath where it says "Export Range." </li>\r\n<li>Enter a filename into the filename field. (ex: "reg backup") </li>\r\n<li>Click "Save." </li>\r\n<li>Expand the "HKEY_LOCAL_MACHINE" folder. </li>\r\n<li>Expand the "SOFTWARE" folder, then the "Microsoft," "Windows," and "CurrentVersion" folders. </li>\r\n<li>Click on the "Run" folder. </li>\r\n<li>In the right-hand window, the name/data pair "Explore" and "Explore.exe" will appear under the Name and Data sections, respectively. </li>\r\n<li>Highlight "Explore" by clicking on it and press the DELETE key. 
</li>\r\n<li>Click "Yes" to delete. </li>\r\n</ol></body></html>\r\n'),('msg:10079','\r\n<html><head></head><body>\r\n<h3>Problem: Anonymous IIS FTP account</h3>\r\n<h3>Description</h3>\r\nAnonymous accounts are frequently targeted by hackers and viruses seeking to obtain unauthorized access to your computer. Your computer is running an FTP server with an anonymous account and may be vulnerable to unauthorized remote access.\r\n<h3>Solution</h3>\r\n<p>Disable the anonymous IIS FTP account:</p>\r\n<ol>\r\n<li>From within the IIS Manager, right-click the FTP site. Next, click on the directory, and then the virtual directory or file. \r\nClick "Properties." </li>\r\n<li>Click the "Security Accounts" tab. </li>\r\n<li>Uncheck the "Allow Anonymous Connections" checkbox. </li>\r\n</ol>\r\n\r\nWindows NT 4.0 Users: If the latest Windows Update Service Pack has not been installed on your computer, anonymous access \r\nmay be available even with the anonymous logon disabled. Download the latest Service Packs and all Critical \r\nUpdates from <a href=\"http://windowsupdate.microsoft.com/\">Microsoft Windows Update</a>. You may be instructed to restart \r\nyour computer several times in order to apply all Security Updates and Service Packs. For further help and instructions \r\non using windows update, go to: <a href=\"http://wings.buffalo.edu/computing/Documentation/win/winupdate.html\">Windows Update \r\nDocumentation </a>\r\n</body></html>'),('msg:11835','\r\n<html><head></head>\r\n<body><h3>Problem: Windows RPC service vulnerability</h3><h3>Description</h3>RPC (Remote Procedure Call) allows commands to be executed on your computer remotely. This usually requires authentication by legitimate users. However, a vulnerability has been discovered that allows commands to be executed through a buffer overflow attack without any authentication. 
Please note that there have been several other vulnerabilities discovered in the Windows RPC service, and that this is not the one being exploited by the Blaster worm <h3>Solution</h3><ol><li>Click "Start." </li><li>Click "Control Panel."<br />If using the Classic View, click the "Switch to Category View" link on the left side. </li><li>Click "Network and Internet Connections." </li><li>Click "Network Connections." </li><li>Right-click "Local Area Connection", then click "properties."<br /> </li><li>Click the "Advanced" tab. </li><li>Click the checkbox labeled "Protect my computer and network by limiting or preventing access to this computer from the Internet." </li><li>Click "OK." </li></ol><p><!-- #BeginLibraryItem \"/Library/MS Update.lbi\" -->Please update Windows at <a href=\"http://windowsupdate.microsoft.com/\">Microsoft Windows Update</a> and apply all Critical Updates and Service Packs. You may be instructed to restart your computer several times in order to apply all Security Updates and Service Packs. For further help and instructions on using windows update, go to the <a href=\"http://wings.buffalo.edu/computing/Documentation/win/winupdate.html\">Microsoft Windows Update documentation page</a> <!-- #EndLibraryItem --></p><!-- #BeginLibraryItem \"/Library/antivirus.lbi\" --><p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available on your TechTools CD or via download from the TechTools Software Download site for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>. The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). 
</p><h3>Attention WinXP SP2 Users</h3><p>If you have installed Windows XP Service Pack 2 please enable Windows Firewall:</p><ol><li>Click "Start." </li><li>Click "Control Panel." </li><li>Click the "Security Center." </li><li>Under "Manage security settings for" click "Windows Firewall." </li><li>Click the radio button labeled "On (Recommended)." </li><li>Click "OK."</li></ol><!-- #EndLibraryItem -->\r\n</body></html>'),('msg:12114','\r\n<html><head></head><body><h3>Problem: Outdated ISS BlackICE</h3><h3>Description</h3>\r\n<p>An outdated version of ISS BlackICE was found on your computer. Vulnerabilities\r\n are found for security products on a regular basis. It is \r\n recommended that outdated software be updated as soon as new versions are available.\r\n Continuing to run outdated versions of security products can expose your computer\r\n to \r\n intruders and viruses that are capable of exploiting the vulnerabilities that\r\n the new \r\n versions may correct.\r\n</p>\r\n<h3>Solution</h3>\r\n<p><a href=\"http://blackice.iss.net/update_center/\">Download and install</a> the\r\n latest update for the version of ISS BlackICE on your computer. \r\n</p>\r\n</body></html>'),('msg:test','\r\n<html><head></head>\r\n<body>test<br />\r\n</body></html>'),('msg:multi_mac','\r\n<html><head></head>\r\n<body style=\"visibility: visible;\"><p>This computer has successfully completed UB NetPass registration, but UB NetPass has determined that there is an unregistered or quarantined device sharing this port.</p><p>You may have received this message if:</p><ul><li>you have <strong>a switch or hub and another computer</strong> plugged into the switch or hub has not successfully registered or is quarantined. Scan all computers attached to your network port to successfully complete UB NetPass registration.</li><li>you have a <strong>Playstation</strong> or <strong>Microsoft X-Box</strong> plugged into your switch or hub. 
Please contact the <a href=\"http://helpdesk.buffalo.edu\">CIT Help Desk</a>.</li><li>you have a <strong>wireless network</strong> connection on your computer and it is bridged. Please <a href=\"http://wings.buffalo.edu/computing/documentation/win/XPBridges.htm\">disable the bridge</a>.</li><li>you have a <strong>Firewire port</strong> and Windows XP has bridged the connection. Please <a href=\"http://wings.buffalo.edu/computing/documentation/win/XPBridges.htm\">disable the bridge</a>.</li></ul><p>If you unplug the network cable of the quarantined or not registered computer it may take up to 5 minutes until your access is restored.</p><p>If you do not understand this message or are having difficulty using UB NetPass, assistance is available from the CIT Help Desk. Professional repair and vulnerability remediation services are available from UBMicro.</p><table cellpadding=\"2\" border=\"0\"><caption>Contact Information </caption><tbody><tr><th scope=\"col\">CIT Help Desk</th><th scope=\"col\">UBMicro</th></tr><tr><td align=\"center\">225 Fronczak Hall<br />716-645-3542</td><td align=\"center\">109 The Commons<br />716-645-3554</td></tr></tbody></table><!-- #EndLibraryItem --><p> </p>\r\n</body></html>'),('msg:scan_completed','\r\n<html><head></head><body><h2><p>Click Continue to view scan results.</p></h2></body></html>'),('msg:you_passed','\r\n<html><head></head><body><h2>This computer has successfully completed UB NetPass registration.</h2><p>We have not detected any vulnerabilities on your computer. 
You will be able to connect to the Internet in a few moments.</p><p><strong>Important note:</strong> UB NetPass cannot detect vulnerabilities if you have a firewall enabled.</p><p>You will be prompted for your UBITName and password by the UB ResNet firewall before you can connect to the Internet.</p><p><a href=\"$original_destination\">Click here to proceed to $original_destination</a> </p></body></html>'),('msg:being_scanned','\r\n<html><head></head><body><h2>Scanning</h2><p>UB NetPass is scanning your computer for vulnerabilities. The scan may take several minutes.</p></body></html>'),('msg:10409','\r\n<html><head></head><body><h3>Problem: SubSeven was found</h3>\r\n<h3>Description</h3>\r\nSubSeven <!-- #BeginLibraryItem \"/Library/is an app.lbi\" --> is an application\r\nthat is designed to give unauthorized users full control over your computer.\r\nIt is usually installed without the knowledge or permission of the computer\'s\r\nowner/user. Its presence is frequently a sign that the computer has been compromised.<!-- #EndLibraryItem -->\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). 
</p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:10646','\r\n<html><head></head><body>\r\n<h3>Problem: Lion worm may have infected your computer</h3>\r\n<h3>Description</h3>\r\nSSH is running on port 33568, which is an indication of this virus. The Lion\r\nworm infects Linux machines via a vulnerability in BIND. It then emails out the\r\npassword and shadow files to the attacker. The versions of BIND that are vulnerable\r\nare 8.2, 8.2-P1, 8.2.1, 8.2.2-Px. \r\n<h3>Solution</h3>\r\nNo known removal instructions are available for the Lion worm. Please see any available antivirus packages for possible remediation. Patches for the BIND vulnerability are available at the <a href=\"http://www.sans.org/y2k/lion.htm\">SANS website</a>. \r\n</body></html>'),('msg:10673','\r\n<html><head></head><body><h3>Problem: Microsoft SQL Server with a blank "sa" password.</h3>\r\n<h3>Description</h3>\r\nBy default, the "sa" login has full rights to the SQL server. When\r\nit is blank (NULL), it allows unlimited access to anyone. The Slammer worm exploits\r\nthis by connecting to SQL servers with blank passwords for the "sa" account\r\nand installs itself in an attempt to spread even further. \r\n<h3>Solution</h3><ol><li>Click "Start." </li><li>Click "Run." </li><li>Type "cmd" and press ENTER. </li><li>Type "osql U sa" to connect to the local, default instance of the Microsoft SQL Server Desktop Engine. Otherwise, if you are running a named instance, type "osql U sa S SERVERNAME/INSTANCENAME," where SERVERNAME and INSTANCENAME get replaced with the name of the server and instance, respectively. Then press ENTER. </li><li>At the "Password:" prompt, press ENTER. </li><li>Type " sp_password @old = null, @new = "complexpwd", @loginame ="sa" " where "complexpwd" is replaced with your new password. </li><li>Type "go." </li><li>Type "exit." 
</li></ol>\r\n</body></html>'),('msg:10685','\r\n<html><head></head><body>\r\n<h3>Problem: Several IIS vulnerabilities found</h3>\r\n<h3>Description</h3>\r\nUsing these vulnerabilities, an attacker could cause your computer to execute\r\nmalicious code remotely. \r\n<h3>Solution</h3>\r\n<p>Download and install the appropriate patch from Microsoft: </p>\r\n<ul>\r\n <li><a href=\"http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061\">Microsoft IIS 4.0</a> </li>\r\n <li><a href=\"http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011\">Microsoft IIS 5.0</a> </li>\r\n</ul>\r\n</body></html>'),('msg:10713','\r\n<html><head></head><body>\r\n<h3>Problem: CodeRed Worm found </h3>\r\n<h3>Description</h3>\r\nThe "Code Red" worm is a malicious self-propagating worm that exploits\r\nMicrosoft Internet Information Server (IIS)-enabled systems that are susceptible\r\nto a buffer overflow vulnerability.\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). 
</p>\r\n<!-- #EndLibraryItem -->\r\n<p>Download and install the appropriate Microsoft patch:</p>\r\n <ul>\r\n <li><a href=\"http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp\">Microsoft IIS\r\n 4.0</a> \r\n </li>\r\n <li><a href=\"http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp\">Microsoft\r\n IIS 5.0</a>\r\n </li>\r\n </ul>\r\n</body></html>'),('msg:10798','\r\n<html><head></head><body>\r\n<h3>Problem: PC Anywhere was found with a blank password</h3>\r\n<h3>Description</h3>\r\nA blank PC Anywhere password allows anyone to connect to your computer and \r\noperate it with complete control. \r\n<h3>Solution</h3><ol><li>Open the PC Anywhere application as an administrator. </li><li>Right-click on the Host object you are using and click "Properties." </li><li>Click the "Caller Access Tab." </li><li>Switch the authentication type to "Windows" or "PC Anywhere." </li><li>If you are using the "PC Anywhere" authentication, set a strong password. </li></ol>\r\n</body></html>'),('msg:10935','\r\n<html><head>\r\n</head><body>\r\n<h3>Problem: IIS ASP ISAPI filter buffer overflow vulnerability</h3>\r\n<h3>Description</h3>\r\nThis vulnerability allows an attacker the ability to execute code on your computer\r\nfrom a remote location. This could allow your machine to be compromised, granting\r\nfull access to the attacker. 
\r\n<h3>Solution</h3>\r\n<p>Download and install the appropriate patches.</p>\r\n<p><strong>Microsoft IIS 4.0: </strong></p>\r\n <ul>\r\n <li><a href=\"http://www.microsoft.com/ntserver/nts/downloads/security/q319733/default.asp\">Windows\r\n NT 4.0 Workstation, Windows NT 4.0 Server, or Windows NT 4.0 Server,\r\n Enterprise Edition</a> </li>\r\n <li> <a href=\"http://www.microsoft.com/ntserver/terminalserver/downloads/critical/q317636/default.asp\">Windows\r\n NT 4.0 Server, Terminal Server Edition (Included in the Windows NT Server\r\n 4.0, Terminal Server Edition Security Rollup Package)</a> <br />\r\n \r\n </li>\r\n </ul>\r\n<p><strong>Microsoft IIS 5.0: </strong></p>\r\n\r\n<ul>\r\n <li><!-- #BeginLibraryItem \"/Library/MS Update.lbi\" -->Please update Windows at <a href=\"http://windowsupdate.microsoft.com/\">Microsoft\r\n Windows Update</a> and apply all Critical Updates and Service Packs. You\r\n may be instructed to restart your computer several times in order to apply\r\n all Security Updates and Service Packs. For further help and instructions\r\n on using windows update, go to the <a href=\"http://wings.buffalo.edu/computing/Documentation/win/winupdate.html\">Microsoft\r\n Windows Update documentation page</a> <!-- #EndLibraryItem --></li>\r\n <li> <a href=\"http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857\">Microsoft IIS 5.1</a></li>\r\n</ul>\r\n</body></html>'),('msg:11000','\r\n<html><head></head><body>\r\n<h3>Problem: FTP server with well known account names with blank passwords</h3>\r\n<h3>Description</h3>\r\n<p>Usernames with blank passwords exposes whatever system resources\r\n accessible to that username to the outside world. This is even more serious when\r\n the usernames are well known and standardized. \r\n</p>\r\n<h3>Solution</h3>\r\n\r\n<p>Apply complex passwords to all user accounts on the FTP server. In Windows NT/2000/XP,\r\n this may require editing operating system users. 
\r\n</p>\r\n</body></html>'),('msg:11028','\r\n<html><head></head><body>\r\n<h3>Problem: .HTR filter buffer overflow vulnerability</h3>\r\n<h3>Description</h3>\r\n<p>An attacker can use this vulnerability to execute code on your computer from a remote location. This could allow your machine to be compromised, granting full access to the attacker. </p>\r\n<h3>Solution</h3>\r\n<p>Download and install the appropriate patches.</p>\r\n\r\n<ul>\r\n <li> <a href=\"http://www.microsoft.com/ntserver/nts/downloads/security/q321599/default.asp\">Microsoft\r\n IIS 4.0</a> </li>\r\n <li> Microsoft IIS 5.0: <!-- #BeginLibraryItem \"/Library/MS Update.lbi\" -->Please\r\n update Windows at <a href=\"http://windowsupdate.microsoft.com/\">Microsoft\r\n Windows Update</a> and apply all Critical Updates and Service Packs. You\r\n may be instructed to restart your computer several times in order to apply\r\n all Security Updates and Service Packs. For further help and instructions\r\n on using windows update, go to the <a href=\"http://wings.buffalo.edu/computing/Documentation/win/winupdate.html\">Microsoft\r\n Windows Update documentation page</a> <!-- #EndLibraryItem --></li>\r\n</ul>\r\n</body></html>'),('msg:11123','\r\n<html><head></head><body><h3>Problem: Radmin was found running on your machine.</h3><h3>Description</h3>\r\n\r\n<p>Radmin is a remote control program, much like Windows XPs Remote\r\n Desktop. If an insecure password is set for this service, it could grant an\r\n unauthorized user complete access to your computer. </p>\r\n<h3>Solution</h3>\r\n \r\n <p>Please make sure that you have a strong password set for any accounts with login access to radmin. If it is not needed, disable radmin so that it will not run in the future. </p>\r\n</body></html>'),('msg:11135','\r\n<html><head></head><body><h3>Problem: Bugbear Worm was found</h3>\r\n<h3>Description</h3>\r\nBugbear is a worm that propagates through Windows file shares and email. 
Bugbear\r\ntakes advantage of a flaw in Internet Explorer 5.01 and IE 5.5 which causes\r\nIE to automatically execute an attachment without the user\'s knowledge or intervention. <br />\r\n<br />\r\nBugbear is capable of allowing remote access to certain resources, disabling\r\nfirewall and antivirus software, and performing key logging operations. \r\n<h3>Solution</h3><ol><li>Disable/close all Windows file shares. </li><li><!-- #BeginLibraryItem \"/Library/MS Update.lbi\" -->Please\r\n update Windows at <a href=\"http://windowsupdate.microsoft.com/\">Microsoft\r\n Windows Update</a> and apply all Critical Updates and Service Packs. You\r\n may be instructed to restart your computer several times in order to apply\r\n all Security Updates and Service Packs. For further help and instructions\r\n on using windows update, go to the <a href=\"http://wings.buffalo.edu/computing/Documentation/win/winupdate.html\">Microsoft\r\n Windows Update documentation page</a> <!-- #EndLibraryItem --></li>\r\n <li>Download and run Symantec\'s <a href=\"http://securityresponse.symantec.com/avcenter/venc/data/w32...@mm...ml\">BugBear\r\n removal utility</a>. It will scan\r\n for the BugBear virus and remove it.<br /><br /></li></ol>\r\n</body></html>'),('msg:11160','\r\n<html><head></head><body>\r\n<h3>Problem: FTP server with blank Administrator password</h3>\r\n<h3>Description</h3>\r\n<p>Because the Administrator account usually has full access to the file system,\r\n running an FTP server with a blank Administrator password\r\n allows anyone who attempts to login using that configuration the same access\r\n permissions as an authorized Administrator. </p>\r\n<h3>Solution</h3>\r\n<p>Set the password for the Administrator within the FTP server. This may require changing the password for the Windows Administrator, depending on the FTP server and the version of Windows. Please make sure to create a strong password. 
</p>\r\n</body></html>'),('msg:11187','\r\n<html><head></head><body><h3>Problem: Parasite Mothership was found</h3>\r\n<h3>Description</h3>\r\n<p>The Parasite Mothership listens for incoming connections; it can be\r\n used to grant an unauthorized user access to your computer. </p>\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/reinstall.lbi\" --> Experts recommend a complete\r\noperating system reinstall. UB recommends you have this performed by a professional.\r\nProfessional repair and vulnerability remediation services are available from\r\nUBMicro.<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:11214','\r\n<html><head></head><body>\r\n<h3>Problem: Microsoft SQL buffer overflow vulnerability </h3><h3>Description</h3>\r\n<p>These vulnerabilities allow remote code to be executed on your computer, which could grant SYSTEM level access to unauthorized users if exploited. This vulnerability is also being exploited by the Sapphire worm. </p>\r\n<h3>Solution</h3>\r\n\r\n<p>Download and install the appropriate Microsoft patch:</p>\r\n<ul>\r\n <li> <a href=\"http://support.microsoft.com/default.aspx?scid=kb;en-us;327068&sd=tech\">Microsoft\r\n SQL Server 7.0</a> (Must be running SQL Server Service Pack 4)</li>\r\n <li><a href=\"http://support.microsoft.com/default.aspx?scid=kb;en-us;316333&sd=tech\">Microsoft\r\n SQL Server 2000</a> (Must be running SQL Server Service Pack 2)</li>\r\n</ul>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. 
Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). </p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:11412','\r\n<html><head></head><body>\r\n<h3>Problem: IIS WebDAV vulnerability</h3>\r\n<h3>Description</h3>\r\n<p>There is a buffer overflow vulnerability in the WebDAV server, which can be used to execute code remotely within the LocalSystem security context. This could compromise the system and grant access to unauthorized users. </p>\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/MS Update.lbi\" -->Please update Windows at <a href=\"http://windowsupdate.microsoft.com/\">Microsoft\r\nWindows Update</a> and apply all Critical Updates and Service Packs. You may\r\nbe instructed to restart your computer several times in order to apply all Security\r\nUpdates and Service Packs. For further help and instructions on using windows\r\nupdate, go to the <a href=\"http://wings.buffalo.edu/computing/Documentation/win/winupdate.html\">Microsoft\r\nWindows Update documentation page</a> <!-- #EndLibraryItem -->\r\n</body></html>'),('msg:11633','\r\n<html><head></head><body><h3>Problem: Lovgate virus was found</h3>\r\n<h3>Description</h3>\r\n<p>The Lovgate virus propagates through email and listens on certain ports. </p>\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. 
Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). </p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:11707','\r\n<html><head></head><body><h3>Problem: BugBear.B worm found</h3>\r\n<h3>Description</h3>\r\n<p>Bugbear is capable of allowing remote access to certain resources, disabling\r\n firewall and antivirus software, performing key logging operations, as well as\r\n other malicious actions.\r\n</p>\r\n<h3>Solution</h3>\r\n<!-- #BeginLibraryItem \"/Library/antivirus.lbi\" -->\r\n<p>Remove the virus with Symantec AntiVirus. Symantec AntiVirus is available\r\n on your TechTools CD or via download from the TechTools Software Download site\r\n for <a href=\"http://wings.buffalo.edu/computing/software/download/win/nortonantivirus.html\">Windows</a> and <a href=\"http://wings.buffalo.edu/computing/software/download/mac/nortonantivirus.html\">Mac</a>.\r\n The Mac version is called Symantec\'s Norton AntiVirus. Installation instructions\r\n are available on the TechTools CD and our documentation website (<a href=\"http://wings.buffalo.edu/computing/documentation/win/norton.html\">Windows</a>, <a href=\"http://wings.buffalo.edu/computing/documentation/mac/norton.html\">Mac</a>). </p>\r\n<!-- #EndLibraryItem -->\r\n</body></html>'),('msg:PQUAR-resnetaction-1st','\r\n<html><head></head><body><h3>Your ResNet connection has been disabled</h3><p>We have received and investigated a report of potentially damaging network activity originating from your computer. </p><p>Your ResNet connection has been disabled to prevent further adverse effects from this incident. 
Because we believe this is a technology problem and not intentional, your UBITName will remain active and you will still be able to use University resources via CIT Public Site computers.</p><p>We recommend that you have your computer repaired professionally. UBMicro offers a service, for a fee, to remediate these problems and help you prevent further similar problems in the future.</p><p>Since this is your first incident, we will place trust in your ability to ensure that your computer has been properly repaired. <a href=\"https://wings.buffalo.edu/computing/dce/resnet\">Notify us</a> when your computer has been repaired so we may restore your network connection. </p><p>Subsequent incidents will require that your computer repair be certified by us at your cost. Please do not move your computer to another network port or attempt to connect via UBWireless or the dial-up modem services. Changing your connection will be considered a second incident and you will face sanctions.</p><p>We have intentionally send you multiple copies of this message to be certain we reach you. If you have any questions or believe you have received this notice in error, please contact the ResNet Team Leader at (716)-645-5070. 
For any other problems, please contact the CIT Help Desk or UBMicro.</p><p>\r\n<table cellspacing=\"1\" cellpadding=\"1\" border=\"0\"><tbody><tr><td>CIT Help Desk</td><td>UB Micro</td></tr><tr><td>255 Fronczak Hall</td><td>109 The Commons</td></tr><tr><td>(716) 645-3542</td><td>(716) 645-3554</td></tr><tr><td>cit...@bu...</td><td>ub...@bu...</td></tr><tr><td><a href=\"http://helpdesk.buffalo.edu/\">helpdesk.buffalo.edu</a></td><td><a href=\"http://helpdesk.buffalo.edu/\">www.ubmicro.buffalo.edu</a></td></tr></tbody></table>\r\n</p></body></html>'),('msg:11819','\r\n<html><head></head><body><h3>Problem: TFTPd server was found</h3>\r\n<h3>Description</h3>\r\nImproperly configuring the TFTPd server could result in your computer being compromised.\r\nIf it is not needed, it should be disabled.\r\n<h3>Solution</h3>\r\n\r\n<p>If you are running a UNIX machine (or variant of UNIX) and the TFTPd server is not required (i.e. by SunOS systems supporting diskless workstations), then disable it. This can be done by following these steps: </p>\r\n<ol><li>Use your preferred text editor to open /etc/inetd.conf. </li>\r\n <li>Locate the tftpd line. </li>\r\n<li>Place a hash/pound ("#")... [truncated message content] |