Message-ID: <OFCCC5CCBB.DA87C1A2-ONC1256E7A.0036F63D-C1256E7A.0038932A@mca.org.mt>
Date: Sun, 18 Apr 2004 12:17:56 +0200
From: aborg@....org.mt
To: <bugtraq@...urityfocus.com>, NTBugtraq@...tserv.ntbugtraq.com
Subject: MS Patches last Mon - Recap






Hi all ...

Following my post on bugtraq last Fri and after having waded through the
deluge of replies, here is a quick recap of things:

1) Thu morning several of my users could not log in.  WinXP and Win2k
complained that the time between the server and client is different.  I can
work around this since we happen to have cached logon credentials so all I
needed to do was unplug the network cable, get them to log in and plug it
in again.  Different things worked for different people.  NET TIME \\MYPDC
/SET /Y worked for the 1st one.  NET TIME \\MYBACKUPDOMAINCONTROLLER /SET
/Y worked for the 2nd.  I don't know why the first command did not fix the
problem for User2 (and yes, I did reboot server and client meanwhile).  A
number of other things were required to get things moving for the others.

2) Fri morning I had a few more people who were working on Thu finding
themselves unable to log in.  At this point I began to suspect the MS
patches from Wed.  I hadn't before since at first glance the patches did
not affect any time-related or login-related functionality.  However,
research on the MS site shows that the time feature uses RPC to coordinate
the time between client and server and this set alarm bells ringing.

3) On Sat I found out that even client computers WITHOUT the patches
installed could not log in properly.  I tried uninstalling the patches from
both the PDC and BDC one by one but this did not solve anything.

4) On Sat I went through all the emails.  Thanks for all your help but I
was aware that NET TIME exists, how to use it, how to set it up to always
coordinate time with the PDC and how to set the PDC to sync with an
external time source.  I also am aware that Kerberos allows for a 5 min
difference and am quite sure that our servers are still set up that way.  I
also have net time in the logon script and all of these suggestions - while
welcome - had already been tried.

5) Thanks also to all the people who wrote in to tell me that they too have
similar problems - I counted about 20 all in all.  It is reassuring to know
that I'm not the only one.  Unfortunately, reinstalling Windows on my
server is not an option I would like to consider.  And rebooting the
clients and servers didn't work either.

6) It is entirely possible therefore that the uninstaller of these patches
is not comprehensive enough to uninstall all the items/reg keys that it
sets up.  I am going to look for a list of changes and ensure that they
have been revoked.  This statement assumes that the patches are at fault
here - and while I am aware that a reboot could trigger any number of
pending uninstalls/installs I had recently rebooted the machines and
nothing had been removed/added until the patches.  I had initially toyed
with the idea that this may be some kind of trojan and/or virus but cannot
identify any kind of errant process or item in the registry that would add
weight to this theory.  Suggestions are welcome.  However, if everyone else
is working then what's different between my network and theirs?

7) I am now in a situation whereby after having uninstalled the patches
from my PDC and BDC and rebooting both machines, I am unable to log in to my
BDC.  This is critical for me and it is why I am here tapping away at my PC
on a Sunday at 12:16 (I'm in Europe).  I intend to stay here at the office
until the problem is sorted so feel free to email at any time.  I will post
an update as soon as I have one.

Thanks for all your help so far.  Let's see if we can nail this bugger.

Antoine Borg
Network Administrator

Malta Communications Authority
Suite 43/44, "Il-Piazzetta"
Tower Road
Sliema SLM 16
Malta G.C.

Mob: +356 79 271852

---------
"There is something about inevitability that offends human nature.  Man is
a creature of hope and invention, both of which belie the idea that things
cannot be changed. But man is also a creature prone to error, and sometimes
that makes inevitable the things that he so often seeks to avoid."


