Re: Blaster Recurrence

From: Neil Anderson (cleidh_mor_at_btopenworld.com)
Date: 02/02/04

  • Next message: Craig Bumpstead: "Type od DDoS in MyDoom????" 
    To: <incidents@securityfocus.com>
Date: Mon, 2 Feb 2004 20:35:18 +0000

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Our company and some of our clients had several occurrences of Blaster
    re-appearing on patched machines after the first patch - we had to re-patch
    with an updated patch.

    We found that the most direct route for infection was remote users with
    laptop/VPN/no firewall... Try restricting remote access and I would get
    those infected machines off the network, re-installed and patched *before*
    reconnection to the network, but that's stating the obvious ;)

    Also, if you can, shutdown all currently unused switch ports so that foreign
    machines can't be connected without you knowing. If you get someone who has
    to connect a foreign machine, scan it first.

    Hope this helps.

    Cheers,
    Neil

    Network Engineer.

    On Friday 30 January 2004 17:54, E. Jimmy Allotey wrote:
    > I am seeing some new occurences on reformatted machines on my network.
    > They appeared on machines which were reformatted and connected to the
    > network before installation of patches and anti-virus software
    > (idiots!!!!) We have checked all the other machines here which were
    > unaffected and they are fine.
    >
    > Our perimeters are blocked on all the named ports and yet the beast
    > managed to get in....
    >
    > For fear of sounding stupid, does anybody have any ideas??
    >
    > E. Jimmy Allotey
    > Network & Systems Security Engineer
    > Tel: +233 24 310 788
    >
    >
    > ---------------------------------------------------------------------------
    > ---------------------------------------------------------------------------
    >-
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (GNU/Linux)

    iD8DBQFAHrSJ2h6w8BNEwKYRAuyAAJ9WH+udaCjUjYLdRJm6+7KeoFv9pgCeO6Gl
    4y4xE+WDAi0/gxLcU1hofI0=
    =f/G2
    -----END PGP SIGNATURE-----

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

  • Next message: Craig Bumpstead: "Type od DDoS in MyDoom????"

    Relevant Pages

    • Re: Great SWT Program
      ... network, what do *you* mean? ... applying smaller patches to all the Linux systems, ... The other thing I didn't say is that the couple of dozen machines ... OS patches are a different matter. ...
      (comp.lang.java.programmer)
    • Re: Deploying patches with a script
      ... > to deploy patches and hotfixes across a network through scripts. ... I didn't want to spend as many hours patching machines with KB824146 exploit ... Setup a network share with full privileges for the account you will patch ...
      (microsoft.public.security)
    • Re: Can find Vista box, cant share folders or printers.
      ... When I click 'Network' on the laptop the ... I've disabled Norton and Windows firewall entirely to make sure that's not ... public folder sharing - on ... start by running the Network Setup Wizard on all machines (see ...
      (microsoft.public.windows.vista.networking_sharing)
    • Re: XP to Vista -- only halfway there
      ... concerning networks that combine Vista and XP machines. ... I am setting up an inhouse network that links together three machines, ... by 1) a misconfigured firewall or overlooked firewall (including stateful ...
      (microsoft.public.windows.vista.networking_sharing)
    • Re: compromised machines
      ... with all the latest patches. ... When you say IDS/IPS, ... > list of machines. ... Copies the following files to open network ...
      (Incidents)