SANS ISC: InfoSec Handlers Diary Blog

Mother Nature - Please Help Us Cool Our Server Room

Published: 2006-10-13
Last Updated: 2006-10-14 12:43:07 UTC
by David Goldsmith (Version: 2)
Earlier this week, the weather forecast was for cooler weather in our area by this time.  We could really use a small Ice Age in our server room right now.  ;-)

What happens when you put 40000 BTU/hr of equipment in a server room with 3 tons of AC cooling capacity?  For those less familiar with server room and HVAC design, 1 ton of cooling capacity removes 12000 BTU/hr of heat generated by equipment, so 3 tons handles 36000 BTU/hr.  So the answer is: we have probably exceeded our cooling capacity.  I say probably because most of the servers aren't drawing the full power their power supplies are rated for.  While most large companies with data centers or server rooms probably have sufficient space and capacity for growth, small and medium size companies may be more limited.  

Several employers ago, in a small office, we used a closet as our server room.  Yes, really, a closet.  Now at the time, we only had 1 server and 1 frame relay router and we did have an air vent in the closet, but we were pretty restricted in terms of future growth due to the lack of ability to handle heat dissipation.  Eventually we did move the equipment to an actual room which had better airflow.

Currently, where I work, we have a server room that we designed more than 4 years ago.  We have a Liebert air handler with a 3-ton condenser outside.  When we started, we had two computer racks, 1 comm rack and we planned extra capacity to be able to add 2 more racks of equipment.   We had sufficient dedicated power circuits, generator capacity and cooling capacity to handle this planned growth.

Four years and now four racks later, with many more smaller computers packed with multiple CPUs and lots of disk drives, plus miscellaneous other equipment, we walk into the server room and notice that it's a little warm at times.  When one or more admins work in the room for 30 minutes or so, we notice it gets much warmer.  The human body is a pretty good furnace.

We are currently researching options to either upgrade our main AC system to have a higher capacity or to add additional small cooling units in the room up on the walls.

This is just a reminder that as IT admins, in addition to protecting our data by making backups, patching systems to remove vulnerabilities and using defenses such as firewalls to reduce the potential unwanted exposure of our data, we also need to be cognizant of our physical infrastructure and capacity.  

If we don't have enough power, our systems turn off.  Operationally, this is bad but at least the system will most likely boot back up once power is restored.  

If we don't have enough cooling, again our systems may go offline, perhaps in a more permanent manner.  While not a result of our current AC issue, we have previously seen a server whose CPUs melted down and caused a fire inside the chassis.

Update 1:

We got a post from Alan with some information about how to determine the heat load of your equipment from its nameplate ratings:

    max Watts  = Volts * max amperage
    max BTU/hr = 3.412 * max Watts
               = 3.412 * Volts * max amperage

He also passed along rack configuration links from Dell and IBM that help you determine the total power and cooling requirements for the equipment in a rack.
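The following is an added worked example, not part of the diary or of Alan's post: it applies the conversions above (3.412 BTU/hr per watt, 12000 BTU/hr per ton) to an inventory of equipment and compares the result with the installed cooling. Two caveats a practitioner should keep in mind are built in: nameplate volts times amps is a ceiling (strictly volt-amperes), so it is a worst case and a per-device utilization factor derates it to the load you actually expect, and people working in the room add heat of their own. The inventory, utilization factors and the 400 BTU/hr per person figure are assumptions constructed for the example.

```python
"""Server-room heat-load check built on the rule of thumb above.

Conversions used by the diary: 1 W dissipated continuously is 3.412 BTU/hr,
and one ton of cooling removes 12,000 BTU/hr.  Nameplate volts x amps is
the most a device can draw (strictly volt-amperes), so it is a worst case;
a per-device utilization factor derates it to the load you expect to see.
"""
from dataclasses import dataclass
from typing import Dict, List

BTU_PER_WATT = 3.412        # BTU/hr per watt of continuous dissipation
BTU_PER_TON = 12000.0       # BTU/hr removed by one ton of cooling
BTU_PER_PERSON = 400.0      # assumption: rough heat output of one adult doing light work


@dataclass
class Device:
    name: str
    volts: float                # supply voltage
    amps: float                 # nameplate current of one unit
    count: int = 1
    utilization: float = 1.0    # fraction of nameplate actually drawn; 1.0 = worst case

    def nameplate_watts(self) -> float:
        return self.volts * self.amps * self.count

    def worst_case_btu(self) -> float:
        return BTU_PER_WATT * self.nameplate_watts()

    def expected_btu(self) -> float:
        return self.worst_case_btu() * self.utilization


def tons_required(btu_per_hr: float) -> float:
    """Cooling capacity, in tons, needed to remove a given heat load."""
    return btu_per_hr / BTU_PER_TON


def cooling_report(devices: List[Device], ac_tons: float, people: int = 0) -> Dict[str, object]:
    """Compare worst-case and expected heat load against installed cooling.

    `people` adds the heat of admins working in the room, which the diary
    notes becomes noticeable after half an hour.
    """
    occupants = people * BTU_PER_PERSON
    worst = sum(d.worst_case_btu() for d in devices) + occupants
    expected = sum(d.expected_btu() for d in devices) + occupants
    capacity = ac_tons * BTU_PER_TON
    return {
        "capacity_btu": capacity,
        "worst_case_btu": worst,
        "expected_btu": expected,
        "worst_case_tons": tons_required(worst),
        "expected_tons": tons_required(expected),
        "headroom_btu": capacity - expected,
        "exceeds_at_nameplate": worst > capacity,
        "exceeds_expected": expected > capacity,
    }


# Constructed inventory (not the diary's room): four racks on 120 V circuits.
EXAMPLE_RACKS = [
    Device("1U dual-CPU servers", 120, 4.0, count=20, utilization=0.6),
    Device("disk shelves", 120, 6.0, count=4, utilization=0.7),
    Device("comm rack (switches, router, firewall)", 120, 5.0, utilization=0.5),
]


def example_room(ac_tons: float = 3.0, people: int = 2) -> Dict[str, object]:
    """The constructed inventory against a 3-ton unit with two admins in the room."""
    return cooling_report(EXAMPLE_RACKS, ac_tons, people)


if __name__ == "__main__":
    for key, value in example_room().items():
        print(f"{key:22} {value}")
```

With the constructed inventory the room is over capacity at nameplate (about 3.8 tons needed against 3 installed) but under it at the derated load, which is exactly the "probably exceeded" situation described at the top of the diary: the gap between the two figures is the margin you are living on.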

New UrSnif/Haxdoor Variant

Published: 2006-10-13
Last Updated: 2006-10-14 03:30:26 UTC
by Johannes Ullrich (Version: 1)
A number of readers reported a new variant of "Haxdoor" attachments. As usual, AV will for the most part not pick up this new virus yet. See below for a sample e-mail as submitted by our reader Derek. He ran the attachment through VirusTotal; only eTrust, Ikarus and Panda picked it up as suspect.

Thank you for ordering from our internet shop. If you paid with a 
credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply
as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting
archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat
software and can be viewed with Adobe Acrobat Reader. If you do not
already have this viewer configured on a local drive, you may download
it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your
items in stock (NY, TN, UT & CA). We strive to ship all orders the same
day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!

One of our readers (Matthew) has notified us that McAfee is able to identify this new trojan and has already provided "extra.dat" support to allow customers to update their definitions (all platforms).

Running through VirusTotal again, other anti-virus scanners are starting to detect this malware. Below are those with positive results:

Scanner             Version         Updated     Result
Authentium          4.93.8          10.13.2006  W32/Goldun.NK
AVG                 386             10.13.2006  Downloader.Generic2.TFP
BitDefender         7.2             10.14.2006  Trojan.Downloader.Agent.APP
ClamAV              devel-20060426  10.13.2006  Trojan.Downloader.Small-2854
eTrust-InoculateIT  23.73.22        10.13.2006  Win32/Ursnif.MJI!Trojan
eTrust-Vet          30.3.3131       10.13.2006  Win32/Ursnif!downloader
DrWeb               4.33            10.14.2006  Trojan.DownLoader.14120
Fortinet            -               10.13.2006  W32/Dloader.AYT!tr.dldr
F-Prot              3.16f           10.13.2006  security risk named W32/Goldun.NK
F-Prot4             -               10.13.2006  W32/Goldun.NK
Ikarus              -               10.13.2006  Win32.Outbreak
Kaspersky           -               10.14.2006
McAfee              4873            10.13.2006  Downloader-AXM
Microsoft           1.1603          10.14.2006  TrojanDownloader:Win32/Agent.EP
NOD32v2             1.1803          10.13.2006  Win32/TrojanDownloader.Small.NPO
Norman              5.80.02         10.13.2006  W32/DLoader.BAOZ
Panda               -               10.14.2006  Trj/SpyForms.J
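
Signature coverage lags a new variant by a day or more, as the two VirusTotal runs above show, so a mail gateway check that does not depend on signatures is worth having. The following is an added example, not code from the diary or its readers: it identifies an attachment by its leading bytes and flags the pattern this lure relies on, a Windows executable (a self-extracting archive is one) presented as a document, together with the "self-extracting archive" wording from the sample e-mail. The attachment names, the PE header stub and the lure phrase list are constructed for the example; the real attachment name from the campaign is not given in the diary.

```python
"""Flag a mail attachment whose content contradicts what the message says it is.

The lure above calls the "Order Summary" a self-extracting archive that holds
37679041.pdf, i.e. a Windows executable dressed up as a document.  Looking at
the first bytes of the attachment identifies the real container whatever the
file name or the message text claims.
"""
import re
from typing import List, Optional, Tuple

# Leading bytes ("magic") of the containers we care about.  Self-extracting
# archives are ordinary PE executables, so they show up as "pe".
MAGIC = [
    ("pe", b"MZ"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),
    ("rar", b"Rar!\x1a\x07"),
]

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOC_EXTENSIONS = {".pdf", ".doc", ".xls", ".txt", ".htm", ".html"}

# Wording taken from the sample e-mail.  The pattern list is an assumption to
# be grown from your own samples, not a published signature.
LURE = re.compile(r"self-extracting\s+archive|order\s+summary[^.]*attach", re.I)


def sniff(data: bytes) -> Optional[str]:
    """Identify the container by its first bytes; None if not recognised."""
    for kind, magic in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def suffixes(filename: str) -> List[str]:
    """Every dotted suffix, lower-cased: '37679041.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_attachment(filename: str, data: bytes, body: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) for one attachment of one message.

    'block'  - executable content, whatever it is called
    'review' - archive, disguised extension or lure wording, for a human
    'allow'  - nothing suspicious found
    """
    reasons: List[str] = []
    kind = sniff(data)
    exts = suffixes(filename)
    declared = exts[-1] if exts else ""

    if kind == "pe":
        reasons.append("content is a Windows executable (MZ header)")
        if declared not in EXEC_EXTENSIONS:
            reasons.append("executable delivered under non-executable extension %r" % declared)
        if any(e in DOC_EXTENSIONS for e in exts):
            reasons.append("file name %r is made to look like a document" % filename)
    elif kind in ("zip", "rar"):
        reasons.append("content is a %s archive; inspect the members" % kind)

    if LURE.search(body):
        reasons.append("message body uses wording seen in this lure")

    if kind == "pe":
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, reasons


# Constructed samples: the lure sentence from above, a PE header stub that is
# not a working executable, and the first bytes of a genuine PDF.
LURE_BODY = ('Your Order Summary located in the attachment file ( self-extracting '
             'archive with "37679041.pdf" file ).')
SFX_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, data, body in [
        ("37679041.pdf.exe", SFX_STUB, LURE_BODY),
        ("37679041.pdf", SFX_STUB, LURE_BODY),
        ("invoice.pdf", REAL_PDF, "Your invoice is attached. Thank you for your order."),
    ]:
        verdict, reasons = assess_attachment(name, data, body)
        print(f"{name:20} {verdict:7} {'; '.join(reasons)}")
```

The verdict is driven by the sniffed content, not by the extension or the body text: a PE file is blocked even when named 37679041.pdf, while a genuine PDF in an ordinary order confirmation passes. Archives only earn a review, since the real decision there depends on what is inside them.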


Java Trojan/Bot

Published: 2006-10-13
Last Updated: 2006-10-13 18:49:37 UTC
by Johannes Ullrich (Version: 1)
Jan sent us a nice trojan he found on a friend's defaced website. After 20 seconds, the defaced site redirects users to a Java applet that appears to implement a full-featured bot. You should see a Java security popup notifying you that the applet is signed by an "Unknown User". As always, do not click 'OK'; deny it.

Given that it is written in Java, this bot could potentially work on different operating systems.


0-Day Thursday: PoC for Powerpoint Vulnerability

Published: 2006-10-13
Last Updated: 2006-10-13 14:32:02 UTC
by Johannes Ullrich (Version: 1)
Late yesterday, the MSRC blog reported a new public PoC for a yet-unpatched PowerPoint vulnerability. I guess the game is still going on: we have seen it many times over the last few months that a new exploit is published just after Patch Tuesday.

Details: MSRC Blog