RE: New worm? 'readme.eml'
From: PIATT, BRET L (PB) (bp3847@sbc.com)Date: 09/26/01
- Previous message: Jensenne Roculan: "Vacation Troller, Please Ignore."
- Maybe in reply to: JKruser: "RE: New worm? 'readme.eml'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <1FD70EE03885D411B9AB00508BCFDEAC04197948@msgsrv05.srv.pacbell.com>
From: "PIATT, BRET L (PB)" <bp3847@sbc.com>
To: "'focus-ids@securityfocus.com'" <focus-ids@securityfocus.com>
Subject: RE: New worm? 'readme.eml'
Date: Wed, 26 Sep 2001 09:12:57 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The problem with this is maintainability. Security through obscurity
is never the correct solution. By doing this you're going to
increase the training time for any system administrators that have to
work on your servers and you may also cause many other applications
that rely on those files to stop working. The real key is making
sure all of the most recent security patches are applied to your
servers and that you have a contingency plan in place that allows
your business to continue functioning when the servers become
compromised.
An idea we've been throwing around and doing some research on is
using the NT embedded system toolkit to make a stripped down IIS
platform that will boot from a CD and run on a RAM disk. You have
only the needed files to run the web applications and installed with
this is a pwatch utility that has a list of known processes. If it
sees an abnormal process it alarms via snmp and reboots the server.
It is possible for somebody to DoS your site by finding a way to
exploit your server. One way to combat this is running multiple
servers behind a load balancer and blocking the IPs that cause a
server reboot for some period of time.
Bret Piatt - Network Security Engineer II - CCNP-CCDP-SCNA-RHCE-MCP
SBC DataComm - Advanced Security Services Group
- -----Original Message-----
From: Duane Waddle [mailto:waddle1@us.ibm.com]
Sent: Wednesday, September 19, 2001 6:38 AM
To: McCammon, Keith
Cc: focus-ids@securityfocus.com; focus-ms@securityfocus.com;
forensics@securityfocus.com; JKruser; Pedro Miller Rabinovitch;
'Ferris, Thomas M'
Subject: RE: New worm? 'readme.eml'
Another handy trick is to take cmd.exe, tftp.exe, ftp.exe (and a
whole host of others -- does anyone have an authoritative list?) out
of winnt\system32, and put them somewhere else, like c:\foo\bar, and
ACL the snot out of it, without using the local 'administrators'
group. Make a group, called 'bob' for instance, and put in your local
admin acct(s) and anyone else who should have access to
these (on a webserver, that should be a short list). This way the
'LocalSystem' account does not have access to these tools - if it
even finds them in the first place.
Hope this helps.
- --D
Duane Waddle
waddle1@us.ibm.com
"With sufficient thrust, pigs fly just fine..." -- RFC1925
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
Sent: 09/18/01 04:33 PM
To: "'Ferris, Thomas M'" <Thomas.Ferris@nmci-isf.com>, JKruser <jkruser@adelphia.net>, Pedro Miller Rabinovitch <pedro@cipher.com.br>, forensics@securityfocus.com
cc: focus-ms@securityfocus.com, focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'
There are a few things that you can do to mitigate risk:
1) Patch. Then patch again. This will keep out most of the nasties
most of the time.
2) Configure your firewall to inspect http if possible and drop on
common strings such as */cmd.exe*, *root.exe*, *.dll*, etc. This
keeps most of the known and surely nasties away from your web server.
3) Ensure that router ACLs and firewall rules are configured
correctly to drop un-established requests from your web servers to
the internet. In the event that numbers one and two both fail (not
very likely in a case like this), your server will be hosed, but at
least you won't pollute the rest of the world with the worm.
Hardly comprehensive, but it's a start!
Keith
- -----Original Message-----
From: Ferris, Thomas M [mailto:Thomas.Ferris@nmci-isf.com]
Sent: Tuesday, September 18, 2001 1:52 PM
To: JKruser; Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'
What would be a good solution for this, or is there an exact plan of
attack to defend against this?
Thanks in Advance.
================
Thomas M. Ferris
IA - Incident Response
NMCI San Diego NOC
================
- -----Original Message-----
From: JKruser [mailto:jkruser@adelphia.net]
Sent: Tuesday, September 18, 2001 10:07
To: Pedro Miller Rabinovitch; forensics@securityfocus.com
Cc: focus-ms@securityfocus.com; focus-ids@securityfocus.com
Subject: RE: New worm? 'readme.eml'
I also see a very serious possibility of this worm interacting with
the still prevalent sircam virus. Nimda, when it infects, opens share
drives on the infected PC...Sircam will scan for open shares on an
internal network or cable subnet and infect the remote PC without
user interaction. This could effectively increase the spread of
sircam exponentially and, due to the remailing capability of sircam,
could shut down mail servers in a short period of time.
I have not verified this possibility but it sounds feasible.
Claymore
the unprofound
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
iQA/AwUBO7H+YV+IxmqPU329EQIxmgCghVQTDZ9hXcZdQpEHyScm5xgbO40An0It
Ktnf9aud1euPi+Mp4+EOXgKc
=6P97
-----END PGP SIGNATURE-----
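Keith's second item (drop requests carrying strings such as */cmd.exe*, *root.exe*, *.dll*) and Bret's closing idea (block the source address of a misbehaving request for a while) are easy to try against web server logs before committing them to a firewall. The script below is an added example written for this page, not code from any of the posters. It parses constructed IIS W3C-style log lines (date, time, client IP, method, URI stem, status), percent-decodes the URI before matching so that an encoded request does not slip past a literal string compare, and collects the offending client addresses. The log lines, field layout and IP addresses are made up for the example.

```python
"""Match the thread's literal web signatures against IIS-style log lines.

Added example for this mailing-list page; the sample log below is
constructed for illustration and is not from any real server.
"""
import re
from urllib.parse import unquote

# Signatures suggested in Keith's message, matched case-insensitively.
SIGNATURES = ("cmd.exe", "root.exe", ".dll")

# Constructed W3C-style fields: date time c-ip cs-method cs-uri-stem sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (assumed format, invented addresses and requests).
# Line 4 percent-encodes "cmd.exe" twice; line 5 is an ordinary-looking
# request that still contains ".dll" and shows why that signature is noisy.
SAMPLE_LOG = """\
2001-09-18 13:52:01 10.0.0.5 GET /index.html 200
2001-09-18 13:52:02 10.0.0.9 GET /scripts/root.exe 404
2001-09-18 13:52:03 10.0.0.9 GET /c/winnt/system32/cmd.exe 404
2001-09-18 13:52:04 10.0.0.9 GET /scripts/%2563md.exe 404
2001-09-18 13:52:05 10.0.0.12 GET /_vti_bin/shtml.dll 200
2001-09-18 13:52:06 10.0.0.7 GET /images/logo.gif 200
"""


def normalize_uri(uri, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), then
    lowercase. One decode pass misses %2563 -> %63 -> 'c'."""
    prev = None
    for _ in range(max_rounds):
        if uri == prev:
            break
        prev, uri = uri, unquote(uri)
    return uri.lower()


def naive_match(uri):
    """Literal, case-insensitive substring match on the raw URI only."""
    raw = uri.lower()
    return [s for s in SIGNATURES if s in raw]


def match_signatures(uri):
    """Signatures present in the decoded, lowercased URI."""
    norm = normalize_uri(uri)
    return [s for s in SIGNATURES if s in norm]


def scan_log(text):
    """Return (client_ip, raw_uri, [signatures]) for each line that hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip header/comment lines or malformed entries
        sigs = match_signatures(m["uri"])
        if sigs:
            hits.append((m["ip"], m["uri"], sigs))
    return hits


def offending_ips(text):
    """Distinct client addresses that triggered any signature; candidates
    for the temporary block Bret describes at the load balancer."""
    return sorted({ip for ip, _, _ in scan_log(text)})


if __name__ == "__main__":
    for ip, uri, sigs in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {uri:35} {','.join(sigs)}")
    print("offenders:", offending_ips(SAMPLE_LOG))
```

Two things the run makes visible: the double-encoded request on line 4 is missed by `naive_match` and caught only after decoding, which is the check to ask of any firewall that "inspects http"; and the bare `.dll` signature also fires on an ordinary-looking request, so that string needs a tighter path pattern or an exception list before it is used to drop traffic or block addresses.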