Re-Infection with Blaster Worm

From: Ostberg, Alex (aostberg_at_state.mt.us)
Date: 08/18/03

    To: incidents@securityfocus.com, "'focus-virus@securityfocus.com'" <focus-virus@securityfocus.com>, "'FOCUS-MS@securityfocus.com'" <FOCUS-MS@securityfocus.com>
    Date: Mon, 18 Aug 2003 11:23:26 -0600
    
    

    We have had several cases reported to us here of machines that were cleaned,
    patched, and then re-introduced to the network that ran fine for the past 4
    days, and then boom this morning at around 10 am MST they became
    re-infected. Has anyone else seen this kind of incident?

    We had gone so far as to check the dates, versions, and sizes of the three
    DLLs involved in the patch, in addition to Add/Remove Programs showing
    that it was patched, in addition to the patch file listed in the system root
    folder, in addition to scanning the machine with the eEye Blaster scanning
    tool and the Microsoft Blaster scanning tool and also scanning it with the
    FixBlast.exe tool from Symantec and the Stinger.exe tool from
    McAfee... Every one of these had shown that the machine was clean and
    patched on Friday, and then boom, mid-morning this morning the machine gets
    re-infected.

    Any suggestions, ideas, or experiences would be much appreciated.

    Thanks,
    Alex O. Ostberg
    Data Security Analyst / State of Montana
