Re: DNS/Hosts file issues - Update #6 - final

From: BROWN Nick (Nick.BROWNCOE.INT)
Date: Mon Oct 06 2003 - 13:02:00 CDT


It's pretty easy to clean up most issues of this kind if you can reduce the
patch to "that which can run silently in a .BAT file" and either call it
from a logon script, or (as on our site) execute it as part of a weekly or
daily batch job which runs on all PCs from a server.

On our site we have a job which visits all our (1500) PCs twice daily,
running a selection of checks: scan event log looking for bad blocks or
services which didn't start, dump auto-run components of the registry
looking for new "interesting" items, check to see that homesick users (we're
an international organisation!) haven't changed their PC's time zone, etc.
This saves us lots of breakdowns and often catches new malware infections
before any other network defense mechanism notices them.

For this DNS problem, the code is roughly as follows:
    REM Dump the TCP/IP parameters key, keep only the DataBasePath line, then
    REM let findstr /v print it only if it is NOT the default location.
    REM (%% is a literal % inside a .BAT file; \\ is a literal \ for findstr.)
    REGDMP "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters" | find /i "DataBasePath" | findstr /i /v /c:"REG_EXPAND_SZ %%SystemRoot%%\\System32\\drivers\\etc" >afile
    REM errorlevel 1 means findstr printed nothing, i.e. the path is still the default
    if errorlevel 1 goto no_prob
    REM Corrective or alert action goes here, eg:
    NET SEND operator "Hijacked TCPIP database path on %COMPUTERNAME%"
    REGINI correct-registry-entries.INI
    :no_prob

For some versions of Windows this requires REGDMP from the NT resource kit.

Using this code, I found 2 (two) machines with the problem and fixed them in
half an hour.

This idea can be extended to detect HOSTS files which, while not redirected,
have had their contents "hijacked". For example, on our site, almost nobody
needs to change their HOSTS file. So any file whose size is not the default
(say, 537 bytes, OS and language-version dependent), is worth checking:

    REM Create "hosts.ok" if user is known to have made "responsible" changes to HOSTS
    if exist %SystemRoot%\System32\drivers\etc\hosts.ok goto no_prob
    REM dir also prints volume and directory header lines, which contain no
    REM " 537 " and would make findstr /v succeed on every PC; keep only the
    REM line for the file itself before testing its size against the default.
    dir %SystemRoot%\System32\drivers\etc\hosts | find /i "hosts" | findstr /v /c:" 537 " >afile
    REM errorlevel 1 means nothing printed, i.e. the file is still 537 bytes
    if errorlevel 1 goto no_prob
    REM Corrective or alert action goes here, eg:
    NET SEND operator "HOSTS file on %COMPUTERNAME% changed from default"
    copy Valid-hosts.txt %SystemRoot%\System32\drivers\etc\hosts
    REM (use a different label name if this check shares a .BAT file with the one above)
    :no_prob

---------------------------------------------------------------
|\ | o _ |/ Life's like a jigsaw
| \| | |_ |\ You get the straight bits
                    But there's something missing in the middle

Nick Brown, Strasbourg, France (Nick(dot)Brown(at)coe(dot)int)
---------------------------------------------------------------
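The two checks from the post, rewritten as an added PowerShell example for a scheduled job on current Windows. This is not code from Nick Brown's post; the function names, the $allowedNames list and the exit-code convention are this example's own assumptions, while the hosts.ok marker and the default DataBasePath value come from the post. It goes one step further than the size test above by judging the HOSTS file by what it maps rather than by its byte count, so an edit padded back to the default length is still caught.

```powershell
# Added example, not code from the post: DataBasePath still default, and
# HOSTS content still benign? Assumes it runs locally with read access to
# HKLM and the hosts file. Function names and $allowedNames are assumptions.

$TcpipParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$DefaultDbPath = '%SystemRoot%\System32\drivers\etc'   # default from the post

function Test-DataBasePath {
    # Read the REG_EXPAND_SZ value unexpanded so a hijacked path is reported
    # literally instead of being compared only after %...% expansion.
    $key = Get-Item -Path $TcpipParams
    $raw = $key.GetValue('DataBasePath', $null, 'DoNotExpandEnvironmentNames')
    if ($null -eq $raw) { return 'DataBasePath value is missing' }
    if ($raw -ne $DefaultDbPath) {
        return "DataBasePath is '$raw', expected '$DefaultDbPath'"
    }
    return $null
}

function Get-UnexpectedHostsEntries {
    param([string]$EtcDir = (Join-Path $env:SystemRoot 'System32\drivers\etc'))

    # Site opt-out, as in the post: an admin who deliberately edited HOSTS
    # leaves a hosts.ok marker file next to it.
    if (Test-Path (Join-Path $EtcDir 'hosts.ok')) { return @() }

    # Names that may legitimately appear in HOSTS; extend per site (assumption).
    $allowedNames = @('localhost', 'localhost.localdomain')
    $findings = @()
    foreach ($line in (Get-Content -Path (Join-Path $EtcDir 'hosts') -ErrorAction Stop)) {
        $entry = ($line -split '#', 2)[0].Trim()   # drop comments and blank lines
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }      # no name mapped on this line
        $ip = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            if ($allowedNames -notcontains $name.ToLower()) {
                $findings += "$name -> $ip"
            }
        }
    }
    return $findings
}

# Run both checks; exit non-zero so the scheduling job can react, the way
# the batch version relies on errorlevel.
$problems = @()
$dbProblem = Test-DataBasePath
if ($dbProblem) { $problems += $dbProblem }
foreach ($f in @(Get-UnexpectedHostsEntries)) { $problems += "HOSTS maps $f" }

if ($problems.Count -gt 0) {
    foreach ($p in $problems) { Write-Warning "$env:COMPUTERNAME : $p" }
    exit 1
}
```

Reading the value with DoNotExpandEnvironmentNames matters: the batch version compares the raw REGDMP text for the same reason, since a redirected path that happens to expand to something plausible would otherwise pass.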
