Archive for July, 2006
WinVNC4.exe virus
Had a really strange virus break out on our network yesterday. Here’s the breakdown:
Trend Micro Office Scan detected an initiation on a workstation at 12:21 PM. The virus was located in the file C:\Program Files\RealVNC\VNC4\WinVNC4.exe. This is a legitimate file and location for us as we have VNC server installed on workstations for remote admin. Trend reported the virus name as Trojan_Generic and it could not be cleaned or quarantined. It propagated through an unknown transport to random machines on the WAN in a matter of 10 minutes.
15 machines got infected before I shut down the MS Exchange services just in case it was using the address book as a transport. It didn’t seem logical that this was the propagation mechanism but the outbreak seemed to subside. We then removed VNC from the machines that got infected and I restarted the Exchange services. Two more machines were infected after this but no more. Several other workstations on the network had VNC server and the port open but were not ever infected.
One more interesting lead I have is that the machine where the outbreak initiated was the only one on the network with ports 6697 and 9234 recently opened for a custom IRC application. These have been closed. Anyone with any information about this outbreak is welcome to leave a comment.
_______________________________________________________
Update: 07-26-2006
Turns out this was a “false-positive” in Officescan virus definitions release 5.99.
Upgrading to the 6.07 definitions clears the problem. I still think Trend Micro is the leader in the Anti-virus industry.
1 comment
Why does Acrobat 7 suck so much?
I had a full copy of Acrobat 6 on my machine at work. For some reason only known to Adobe it decided to start hosing and wouldn’t open any documents. It just froze a blank white box on the center of my display. So I uninstalled it and put on a copy of Acrobat 7 reader. I needed to open some documents damn it.
Acrobat 7 ran flawlessly. Once. Then any time I tried to open a subsequent document it gave me an hour glass and the Acrobat process chewed up 45-50% of my CPU with no results. What a piece of sh*#!
Flush Acrobat – Get Foxit PDF reader and never look back. Adobe should pay as much attention to these readers as they do Photoshop. And what’s to happen to all the wonderful Macromedia products now that they’ve entered the Adobe family as step-child applications? We will know shortly. Until I know I won’t give up my old copy of Dreamweaver.
No comments
Lacking SNMP
I had the worst day trying to troubleshoot slow internet connection speeds with Time Warner today. Without SNMP interfaces on the 3Com OfficeConnect VPN Firewalls we use I couldn’t get a handle on where the problem was occurring. All I knew was that we didn’t have a lot of irregular traffic on any ports, the VPN stayed up (barely) and I had external URL and IP ping times as high as 2500 ms.
We’re going to be putting an SNMP compliant firewall/router at our core. Probably a 3Com Tipping Point. That will let me use PRTG Traffic Grapher to look at our bandwidth by interface in real time. Monitoring without SNMP sucks.
No comments
Wendell Country Club
Yesterday we walked the back 9. It was HOT.
No comments
I took today off work.
Among other things I went to the driving range. It was HOT.
No comments
Outlook Web Access from another IIS server
Last weekend I spent over 16 hours working on an Exchange mail server migration from a MS Small Business Server to a stand-alone Exchange instance on a Dell PowerEdge 2850. It all went relatively smoothly by installing the second Exchange server on the network as a second instance and moving the mailboxes using the wizard. The part that took the most time was moving the Outlook Web Access configuration.
For the record, you cannot run OWA from an instance of IIS other than on the Exchange server itself. But if you have only one public IP address on the firewall/router and have port 80 going to a different web server you can still access OWA on the Exchange server by using SSL port 443. Here’s how (assumes advanced IIS knowledge):
- Using Port Address Translation on your firewall, point port 443 to the internal IP address of your Exchange server.
- Port 80 should already be going to your primary web server via a PAT entry unless you’re running it in a DMZ.
- Make sure your external DNS entries contain an entry for the new “webmail” host (an A record or CNAME pointing to the public IP of your firewall/router). ex: webmail.yourdomain.com
- Create a CNAME (alias) in your internal DNS records for “webmail” pointing to the A record for your primary IIS server.
- Create another A record or CNAME entry in your external DNS entries to include the name of the Exchange server. ex: “exchangeserver.yourdomain.com”. You should already have this entry internally or you didn’t set up your Exchange server right.
- On the primary (port 80) IIS server create a new site called “OWA Alias”.
- Create a host header for this site called “webmail.yourdomain.com”.
- In the properties of this site select “Redirect this site to another URL” to a site on port 443 (https://exchangeserver.yourdomain.com).
Now when an internal or external user goes to “webmail.yourdomain.com” they will be redirected to “https://exchangeserver.yourdomain.com”. For users outside of your LAN this will push them back out the firewall and force them to come in over port 443 to the Exchange server. Internal users who type “webmail.yourdomain.com” into a browser will be redirected to https://exchangeserver.yourdomain.com as well, so every browser arrives at the host name the certificate is issued for.
Note: you should always run OWA with a certificate, so make sure one is installed for the “Default” site of the IIS instance on the Exchange server. This certificate can come from a public Certificate Authority or can be generated by Microsoft Certificate Services running on the Exchange server itself. Because of the detail involved I won’t get into certificate issuance in this post. Pay close attention to the name of the host when generating the certificate request. It should be the same as the https host name (https://exchangeserver.yourdomain.com in my example).
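An added check for the setup above (example code written for this post, not part of it): it verifies that the “OWA Alias” site redirects the webmail host to https:// on the Exchange host, and that the certificate served there actually names that host, which is the mismatch the note warns about. The host names are the post’s placeholders; SAMPLE_CERT is a constructed cert dict in the shape ssl’s getpeercert() returns, and check_live is the variant that talks to the real servers.

```python
import socket
import ssl
import http.client
from urllib.parse import urlsplit

WEBMAIL_HOST = "webmail.yourdomain.com"          # placeholder names from the post
OWA_HTTPS_HOST = "exchangeserver.yourdomain.com"

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "exchangeserver.yourdomain.com"),),),
    "subjectAltName": (("DNS", "exchangeserver.yourdomain.com"),),
}


def redirect_is_sane(status, location, expected_host):
    """True when the 'OWA Alias' site answers with a redirect to https://expected_host."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname == expected_host.lower()


def cert_matches_host(cert, host):
    """Exact match, or a single-label wildcard such as *.yourdomain.com (SAN first, then CN)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    host = host.lower()
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if (name.startswith("*.") and name.count(".") == host.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def check_live(webmail_host=WEBMAIL_HOST, https_host=OWA_HTTPS_HOST):
    """Network check: fetch the redirect, then inspect the certificate actually served."""
    conn = http.client.HTTPConnection(webmail_host, 80, timeout=10)
    conn.request("GET", "/", headers={"Host": webmail_host})
    resp = conn.getresponse()
    ok_redirect = redirect_is_sane(resp.status, resp.getheader("Location"), https_host)
    ctx = ssl.create_default_context()   # also verifies the chain against the system trust store
    with ctx.wrap_socket(socket.create_connection((https_host, 443), timeout=10),
                         server_hostname=https_host) as tls:
        ok_cert = cert_matches_host(tls.getpeercert(), https_host)
    return ok_redirect, ok_cert
```

check_live raises ssl.SSLCertVerificationError if the chain is not trusted, which is the right outcome for a self-issued Certificate Services cert that was never distributed to the clients.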
No comments
All work. Tomorrow I play.
Up until 3:00 today it’s felt like I’ve been working non-stop since July 1st. I did take the 4th off. But I did some work from home. So I left at 3:00 today and made preparations to get my truck fixed. The AC is out and there’s a thump coming from one of the tires. It’s hot and annoying.
My mom turned 60 yesterday. So did George Bush. I never knew they were born on the same day until this past weekend when I was enlightened by CNN. We celebrated her birthday on the 4th with many people at her house. We would have gone over last night but I had to ride 30 minutes out to RTP to restart an IIS server. I need to remember to expense those trips.
I’m playing golf tomorrow if I have to do it in the dark. I have a 1:00 tee time and it would take a court ruling banning the sport to make me miss it. Let’s see, what else?
I might have a new cell number soon. Weird, I know, in the age of portable numbers. But the new phone will be paid for by Pack Rat so their support calls will quit chewing up the minutes on the family plan we have on Dad’s account. He didn’t like it that we ran up the bill voting on American Idol. I feel 15 again.
No comments