Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Feb 14, 2002 (Vol. 7, #13 - Issue #344)
This Is A Good One!
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • More on the IRS Audit Scam
  2. TECH BRIEFING
    • Terminal Server On Linux? Yes And No.
  3. NT/2000 RELATED NEWS
    • Whoops! Simple Network Management Protocol (SNMP) has a flaw
    • MS Battles More Holes In Internet Explorer
  4. NT/2000 THIRD PARTY NEWS
    • AutoPilot Boosts A Maxed-out Mail Server
    • Run BlackICE Defender? Better Fix This Hole!
    • Symantec Flags Remote Admin As A Virus [grumble]
    • How Often Is YOUR Vulnerability Scanner Being Updated?
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • Small Business Server 2000 Best Practices
  SPONSOR: "pcAnywhere Killer"
Sunbelt Remote Admin Declared "pcAnywhere Killer" By User
You might want to give Remote Admin a try too. Currently the version
under NT4.0 is blisteringly fast, and soon a new version for W2K with
a new W2K-specific video driver will make it even faster on W2K. It's
as if you are there, with all the admin tools to control remote systems.
This puppy was "made by and for" system administrators. Pricing is dirt
cheap. Get your 30-day eval here:
Visit "pcAnywhere Killer" for more information.
  EDITORS CORNER

More on the IRS Audit Scam

Many of you (thanks!) send me links to sites that document Internet hoaxes. This IRS scam is indeed on several of these sites. The reason I sent it anyway is that I know the man who sent this; he is a trusted personal contact of mine, he is active in the Federal Law Enforcement Officers Association, and he received the warning from a federal agent. Based on that information, I thought it was legit.

However, earlier this year I was sent an email from the IRS public relations people, who confirmed it was indeed a hoax. It's a muddy world of "scam or hoax". The IRS told me, though, that there are real tax scams out there, and it's best to take it as a general warning about identity theft instead. You could send something like this to your users:

"There are a number of email scams that are taking place across the Internet. These scams ask for personal information such as social security numbers, bank account numbers, etc. Under no circumstances should you give out any personal or business information as a reply to unsolicited email.

"A current example that later turned out to be a bad publicity stunt is as follows: An email from a non-IRS source indicating that the taxpayer is under audit and needs to complete a questionnaire within 48 hours to avoid the assessment of penalties and interest. The e-mail refers to an "e-audit" and references IRS form 1040. The taxpayer is asked for social security numbers, bank account numbers and other confidential information. The IRS does not conduct e-audits, nor does it notify taxpayers of a pending audit via e-mail. Again, this one was not real, but there are many that are.

"A second example is referencing available funds from over-invoicing and supplies from foreign contracts. The email states the contractors are paid in full and that a portion of the remainder of the funds can be transferred to bank accounts in lieu of providing specific personal information. There is a whole slew of these, especially coming from Nigeria. You provide them with bank information and instead of them putting money on it, they empty your bank account".

I came to find that the best site to check for hoaxes is the following:
http://www.w2knews.com/rd/rd.cfm?id=020214ED-hoaxbusters

Two new buzzwords I ran into while reading Wired Magazine...

  1. Hackademy: special school where they learn to penetrate systems.
  2. Wetware Exploit: Social engineering to get passwords.
PS, you should check out the Fave Links. The zoom into the Olympics is amazing. Forward that link to your friends too!

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: DOWNTIME PREVENTION
DISASTER WILL STRIKE, NOT IF... BUT WHEN?
2001 Best Seller Double-Take provides real-time (and open file) data
replication. You can use it for either High Availability and/or
Disaster Recovery. It is your main job to prevent downtime for NT and
W2K networks. Double-Take is the industry leading product that will help
you do just that. Because it is not a matter of "if" disaster strikes.
Fires, floods and other mayhem always happens when you least expect it.
Visit DOWNTIME PREVENTION for more information.
  TECH BRIEFING

Terminal Server On Linux? Yes And No.

In the last issue of W2Knews, mention was made of running MS Terminal Server on a Red Hat box. I have received MANY questions about that particular setup and have made a few clarifications as well. Here is a little background data: I had heard rumors that there was a Terminal Server client that ran well on Linux, so I went to have a look. It was an amazingly short search to find the client, which is aptly named "rdesktop". The developer is a fellow in Australia named Matt Chapman. Nice piece of software. Download at the end of this article.

First of all, the setup is a Dell Optiplex GX110 with an Intel 933MHz processor and 512 MB of RAM. This setup is much more than is necessary to run Linux, but what can I say. :-) The version of Linux is Red Hat 7.2 (Enigma), an out-of-the-box install (I know, I know, but it was just to test the client). The client itself is a 48 KB download, 216 KB uncompressed. Once installed, the client is called from the command line and all parameters can be entered in the command. The client can be totally configured to do all of the basic options of the RDP client. The options are as follows:

  • Usage: rdesktop [options] server
    -u: user name
    -d: domain
    -s: shell
    -c: working directory
    -p: password (autologon)
    -n: client hostname
    -k: keyboard layout (hex)
    -g: desktop geometry (WxH)
    -f: full-screen mode
    -b: force bitmap updates
    -e: disable encryption (French TS)
    -m: do not send motion events
    -l: do not request license
The -l option is interesting, in that it doesn't request a license from the terminal server itself. With the use of some scripting, you could have the Red Hat box boot up, log on and start the rdesktop client, all without the user doing anything. Once the client is started in full-screen mode you really can't tell that you aren't on a Windows machine; even Ctrl-Alt-Del works. It really is a slick client and could potentially save you quite a bit of money.
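A launch wrapper for the unattended setup just described, added here as an example (it is not the article's or the rdesktop project's code). It uses the options listed above; the autologon password comes from a file that must be owned by the caller and closed to group and other, and the server name, account and file path are placeholders:

```shell
#!/bin/sh
# Added example, not from the article or the rdesktop project: start a
# full-screen rdesktop session without the user typing anything.  The
# autologon password is kept in a credential file instead of the script,
# and the file is only accepted when it is ours and mode 600.

# credfile_ok FILE -> 0 when FILE is a regular file we own with no
# group/other permission bits set
credfile_ok() {
    f=$1
    [ -f "$f" ] && [ -O "$f" ] || return 1
    # columns 5-10 of `ls -l` are the group and other permission bits
    case $(ls -ld "$f" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# start_session SERVER USER DOMAIN CREDFILE -> replaces this shell with
# rdesktop, or returns 1 (starting nothing) if the credential file is unsafe
start_session() {
    server=$1 user=$2 domain=$3 credfile=$4
    credfile_ok "$credfile" || {
        echo "refusing to start: $credfile must be owned by you and mode 600" >&2
        return 1
    }
    pw=$(head -n 1 "$credfile")
    # -p still shows the password in this host's process list for the life
    # of the session; the file only protects it at rest.  -f gives the
    # full-screen look, -g is the fallback geometry (assumed value).
    exec rdesktop -u "$user" -d "$domain" -p "$pw" -f -g 1024x768 "$server"
}

# Only launch when run directly with RDESKTOP_WRAPPER_RUN=1 (placeholders:
# ts01.example.local, alice, EXAMPLE, ~/.rdesktop-cred)
if [ "${RDESKTOP_WRAPPER_RUN:-0}" = 1 ]; then
    start_session ts01.example.local alice EXAMPLE "$HOME/.rdesktop-cred"
fi
```

Call it from the user's X session startup so the desktop appears right after boot; the script exits with an error instead of launching when the credential file is readable by anyone else.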

If you run rdesktop, you will, at a minimum, save on one Windows license, and potentially more if you also use Sun's StarOffice. In either case, rdesktop is a pretty good implementation of the terminal server client, and if you are using Linux, it will give you a way to connect to your MS server. We have mirrored the download here:
http://www.w2knews.com/rd/rd.cfm?id=020214TB-rdesktop

  NT/2000 RELATED NEWS

Whoops! Simple Network Management Protocol (SNMP) has a flaw

It was all over the news yesterday; it even made CNN. This hole may leave a large number of devices open to attack. It could allow attackers to gain control of, or take down, your network. Everything from servers to routers to printers uses the protocol. More than 200 vendors' products are affected, and millions of devices.

The Oulu University Secure Programming Group from Finland found the hole in V1 of SNMP. They then alerted CERT (Computer Emergency Response Team). Since then they have been working with all parties to fix this vulnerability. So far, no exploits have been reported.

CERT said that the hole is in stuff from MS, HP, Cisco, Novell, 3Com and many others. Some of these have patches ready but many others are still in the process of making fixes available.

BACKGROUND: SNMP is a dinosaur and hails from the late '80s. At that time, security was not as big a deal as it is now. Now the foundation turns out to be built on quicksand. Or, if you will, you just found out that your datacenter was built on an allegedly extinct volcano. The problems were caused by programming errors that have been in the SNMP implementations for a long time, but were only recently discovered.

A further complication is that SNMP V1 is debugged, stable and works great. Getting to V3 (which is more secure) is a mother of an upgrade. CERT suggests disabling SNMP if you do not need it on that machine. If you absolutely must run SNMP, get the patch from your hardware or software vendor. They are all working on patches right now. It also makes sense for you to filter traffic destined for SNMP ports (assuming the system doing the filtering is patched).

To block SNMP access, block traffic to ports 161 and 162 for TCP and UDP. In addition, if you are using Cisco, block UDP for port 1993. This will help minimize the chance that this hole will be exploited. Here is the link to the original CERT advisory:
http://www.w2knews.com/rd/rd.cfm?id=020214RN-SNMPhole
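The filtering advice above as a rule set for a Linux host doing the filtering, added here as an example (not from the article, CERT or any vendor). It assumes iptables and a constructed list of management stations that are still allowed to poll; blocked attempts are logged so you also get a record of who is probing for this hole:

```shell
#!/bin/sh
# Added example, not from the article or any vendor: build the SNMP filter
# rules described above (161/162 TCP+UDP, plus UDP 1993 for Cisco gear).
# Management stations keep access; everything else is logged and dropped.
# DRY_RUN=1 (the default) prints the rules instead of applying them;
# applying them needs root and a patched filtering host.

MGMT_STATIONS=${MGMT_STATIONS:-"192.0.2.10 192.0.2.11"}   # constructed
DRY_RUN=${DRY_RUN:-1}

# ipt ARGS... -> print or run one iptables command
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# snmp_rules -> emits the rule set in order: accepts first, then log+drop
snmp_rules() {
    # allow the management stations to reach the agents and the trap port
    for host in $MGMT_STATIONS; do
        for proto in udp tcp; do
            ipt -A INPUT -p "$proto" -s "$host" --dport 161:162 -j ACCEPT
        done
    done
    # log, then drop, everyone else on the SNMP ports
    for proto in udp tcp; do
        ipt -A INPUT -p "$proto" --dport 161:162 -j LOG --log-prefix "SNMP-BLOCK "
        ipt -A INPUT -p "$proto" --dport 161:162 -j DROP
    done
    # Cisco-specific port from the advice above
    ipt -A INPUT -p udp --dport 1993 -j LOG --log-prefix "SNMP-BLOCK "
    ipt -A INPUT -p udp --dport 1993 -j DROP
}

snmp_rules
```

Run it once with the default dry run to review the output, then with DRY_RUN=0 as root to apply; watch the kernel log for the SNMP-BLOCK prefix to see what is still trying to talk SNMP to you.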

Here is what MS told CERT the best fix is. Better check:
http://www.w2knews.com/rd/rd.cfm?id=020214RN-MSNMPfix

And here is Microsoft's Security Bulletin:
http://www.w2knews.com/rd/rd.cfm?id=020214RN-MSonSNMP

MS Battles More Holes In Internet Explorer

MS released a patch this week that fixes a whopping six holes in IE. At the same time a nasty new worm was wiggling its way into users' machines threatening to overwrite certain PC files.

The so-called "cumulative" fix repairs holes in IE V5.01, 5.5 and 6.0. MS gave the holes a "critical" rating. That means it's time to push this patch out, after TESTING, TESTING and MORE TESTING! Here it is:
http://www.w2knews.com/rd/rd.cfm?id=020214RN-IEpatches

  THIRD PARTY NEWS

AutoPilot Boosts A Maxed-out Mail Server

Sunbelt is now running two newsletters: W2Knews and WinXPnews. The latter is a more consumer/power user oriented list, so the circulation is (waay) higher. Sending WinXPnews pegged the Compaq server we have in a co-location at 100% CPU for hours on end. The send speed was about 20 messages per second. I had a look at that machine and found out we had not installed AutoPilot. It's a single Pentium 500, 512 MB RAM ProLiant.

So I decided to simply try AutoPilot and see if it would do anything. Nothing to lose with a CPU that's already maxed out. We installed it, rebooted the server and fired the same job back up, which had been set on "pause" during the install. And to my astonishment, after a minute of monitoring the system, AutoPilot kicked in and the CPU came down to about 60%, with mail send speed increasing to 32 messages per second. That was a massive performance improvement that made me a very happy camper. If you have really busy machines, try out AP. It might help significantly! Here's a 30-day eval:
http://www.w2knews.com/rd/rd.cfm?id=020214TP-AutoPilot

Run BlackICE Defender? Better Fix This Hole!

A patch to fix a serious security "ping flood" vulnerability found in the popular Internet firewall program, BlackICE Defender, is now available.

You can download a product update to solve this problem at:
http://www.w2knews.com/rd/rd.cfm?id=020214TP-BlackICE

I'm running BlackICE at my home office and ran into problems with this update. ISS also published a workaround that will protect systems running BlackICE Defender and BlackICE Defender for Server. It is very important that you implement this workaround or apply the product update as soon as possible.

  1. Go to your Program Files directory and open the Network ICE folder.
  2. Open the BlackICE folder, and open the firewall.ini file.
  3. Go to the [MANUAL ICMP ACCEPT] section, and add the following line:
    REJECT, 8:0, ICMP, 2001-10-15 20:28:53, PERPETUAL, 4000, BIGUI
  4. Save the firewall.ini file.
  5. The next time you open BlackICE, click OK when the following pop-up window appears: "A configuration file change was detected."

Symantec Flags Remote Admin As A Virus [grumble]

One of the Sunbelt Radmin users sent us this:

"I've been using Remote Admin for about 6 months and love it! The latest Norton AntiVirus updates flagged Remote Admin's r_server.exe as infected, but RA's tech support was quick to respond and let me know it was a "false-positive" reaction and that they were working with Norton to fix the problem. I highly back your recommendation of this product!"

In the meantime, Symantec fixed this error, but it is a bit odd for a company that produces a remote control tool to put a competing remote control tool on its virus list, just after that company advertised itself as a "pcAnywhere Killer". I have to assume it was a mistake and no ill will. But still...[grumble] Radmin can be found here and is NO virus.
http://www.w2knews.com/rd/rd.cfm?id=020214TP-radmin

How Often Is YOUR Vulnerability Scanner Being Updated?

"Holes" in your systems and networks are invitations for crackers to come and visit. Just like virus protection software that often gets updates every night, your vulnerability scanners should get updates soon and often. Some products only get updates once a month. That is just not good enough. Here is a question from a user about Retina's update schedule.

Q: I just finished reading the article from network-fusion. Good work. Does your company have a response to the fact that it missed a few vulnerabilities that the other scanners picked up?

A: eEye updates its Retina Network Scanner on a regular basis with the latest vulnerabilities discovered by security research organizations. These updates occur on a weekly basis, and in some cases on a daily basis depending on the severity.

In the case of the two vulnerabilities that Retina did not find in the Network World review, these were addressed immediately and can now be detected by the latest version of the product. To receive the latest version of the product, use the AUTO-UPDATE feature in Retina.

eEye prides itself on the comprehensive nature of its scanning database. eEye is one of the premiere network security research companies, in addition to being a developer of best-of-breed security software. eEye allocates a significant portion of its resources to security research for two reasons:

  1. to maintain the integrity of the Retina product;
  2. to further the overall state of computing security.
Retina incorporates a powerful AUTO-UPDATE feature that provides you with easy access to the most recent updates to the vulnerability database. You can launch the update feature manually, or you can set it to run at regular intervals. Here is an eval version of the just-designated #1 vulnerability scanner by Network World Magazine:
http://www.w2knews.com/rd/rd.cfm?id=020214TP-Retina
  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • Pretty cool cartoon/graphics on PC screen. This stuff gets good.
    http://www.w2knews.com/rd/rd.cfm?id=020214FA-Boobytrap
  • Waaay cool MPEG zooming in on Earth straight to the Olympics. Forward this one to your friends that have not yet subscribed to W2Knews!
    http://www.w2knews.com/rd/rd.cfm?id=020214FA-OlympicZoom
  • Housecall is a quick virus scan you can run on one machine. Recommended!
    http://www.w2knews.com/rd/rd.cfm?id=020214FA-housecall
  • This site is a very useful resource if you want to cluster Windows.
    http://www.w2knews.com/rd/rd.cfm?id=020214FA-WindowsClusters
  PRODUCT OF THE WEEK

Small Business Server 2000 Best Practices

Finally, the third-party Microsoft Small Business Server 2000 book that everyone has been waiting for. Based on shipping code and written six months after the SBS 2000 release, this book is packed with real world, detailed SBS 2000 topics. The planning, setup, administration and management topics dominate the first half of the book and include references to KBase articles, hard learned workarounds and in-the-trenches best practices. It's here:
http://www.w2knews.com/rd/rd.cfm?id=020214BW-SmallBiz