Security Basics mailing list archives

RE: Possible Malware?


From: "Cleghorn, Lance A" <CLEGHORNL08 () students ecu edu>
Date: Fri, 5 Oct 2012 23:18:50 +0000

Kurt,

You are spot on for password aging purposes.  That value is indeed defaulted to 90 days 
(http://blogs.msdn.com/b/john_daskalakis/archive/2010/02/01/9956266.aspx).  However, Kerberos can have a value as low as 
5 minutes clock skew to knock a domain account off.  I think the default is much higher but it is still in units of 
hours or less than a few days. http://technet.microsoft.com/en-us/library/cc780011%28v=ws.10%29.aspx

It just seems to me that the odd administrator account change could be a group policy blow back and time could be the 
culprit.  I'm curious to see now what the problem actually was.

Lance 
________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] on behalf of Kurt Buff [kurt.buff () gmail com]
Sent: Friday, October 05, 2012 4:16 PM
To: security-basics () securityfocus com
Subject: Re: Possible Malware?

Regarding time - it's very unlikely as a culprit in this instance.
Unless it's a very long time (on the order of 90+ days) time
differences in and of themselves don't break the machine trust with
the domain. Failure of validation, yes. Break trust with domain, not
so much.

Kurt

On Fri, Oct 5, 2012 at 11:48 AM, Cleghorn, Lance A
<CLEGHORNL08 () students ecu edu> wrote:
The keyboard and mouse losing function is odd; however, losing a trust relationship with your domain can be caused by 
a variety of things.
1. Check your time on the local PC, different time zones and big differences in date or time will kick you off the 
domain.
2. Check the computer account in AD and see if it is locked out.  It may need to be reset.
3. Provisioning, if you use provisioning in your domain it may need to be re-provisioned.

First troubleshooting step to try is bouncing the PC off and on the domain.  Add the PC to a workgroup (if you are 
using win 7 you have to at least type a character in the password prompt) then restart or ipconfig /flushdns and 
ipconfig /renew and add the PC back to the domain.

If you get an error putting the PC back on the domain then troubleshoot that particular error.

Hope this helps,
Lance Cleghorn, CCNP

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Joseph Hargis
Sent: Friday, October 05, 2012 12:25 PM
To: security-basics () securityfocus com
Subject: Possible Malware?

Hello List,

I have a Windows 7 PC connected to a domain exhibiting the following
behavior:

1. The user logged off the machine to go to lunch. When she returned she was unable to log on and the machine 
displayed an error stating that the machine had lost the trust relationship with the domain.

2. The local administrator account has been removed from the local administrators group.

3. When the network cable was unplugged, the keyboard and mouse quit functioning.

Admittedly, I'm new to malware hunting. But to me, this behavior is suspicious. Does this ring any bells with anyone?

Thank you,

Joe Hargis

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
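
Added example (not part of the original thread, and not any poster's own script): a PowerShell triage sketch for the checks discussed above, covering clock offset against the 5-minute Kerberos skew value, the machine's secure channel, and audit events for removals from local groups. It assumes PowerShell 3.0 or later in an elevated session; `dc01.example.test`, the function names and the sample `w32tm` output are constructed placeholders.

```powershell
# Added triage sketch; host name and sample w32tm output below are constructed.
$MaxSkewSeconds = 300   # the 5-minute Kerberos clock-skew value mentioned in the thread

function Get-ClockOffsetSeconds {
    param([string[]]$StripchartOutput)
    # With /dataonly, each sample line looks like "16:16:02, +00.0123456s".
    foreach ($line in $StripchartOutput) {
        if ($line -match ',\s*([+-]\d+(?:\.\d+)?)s\s*$') {
            return [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
    return $null   # no usable sample (for example, only an "error:" line came back)
}

function Get-TrustTriage {
    param([string]$TimeSource, [string[]]$StripchartOutput, [switch]$Live)
    if ($Live) {
        # Ask the named time source (normally a domain controller) for one sample.
        $StripchartOutput = & w32tm /stripchart "/computer:$TimeSource" /samples:1 /dataonly
    }
    $offset = Get-ClockOffsetSeconds $StripchartOutput
    $result = [ordered]@{
        OffsetSeconds = $offset
        SkewExceeded  = ($null -ne $offset) -and ([math]::Abs($offset) -gt $MaxSkewSeconds)
    }
    if ($Live) {
        # Symptom 1: is the machine account's secure channel to the domain intact?
        $result.SecureChannelOk = try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false }
        # Symptom 2: event 4733 = member removed from a security-enabled local group.
        # Only present if security group management auditing was enabled at the time.
        $result.GroupRemovals = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4733 } `
            -MaxEvents 20 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } })
    }
    [pscustomobject]$result
}

# Offline run on constructed output: one healthy sample, one drifted by about 7 minutes.
$healthy = @('Tracking dc01.example.test [192.0.2.10:123].', '16:16:02, +00.0123456s')
$drifted = @('Tracking dc01.example.test [192.0.2.10:123].', '16:16:02, -412.5531870s')
Get-TrustTriage -StripchartOutput $healthy
Get-TrustTriage -StripchartOutput $drifted
# On the affected PC: Get-TrustTriage -TimeSource dc01.example.test -Live
```

An empty `GroupRemovals` list does not rule out a change to the local Administrators group; it may only mean the audit policy was not recording group management events.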



