Re: Blaster Recurrence

From: Neil Anderson (cleidh_mor_at_btopenworld.com)
Date: 02/02/04

    To: <incidents@securityfocus.com>
    Date: Mon, 2 Feb 2004 20:35:18 +0000
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Our company and some of our clients had several occurrences of Blaster
    re-appearing on patched machines after the first patch - we had to re-patch
    with an updated patch.

    We found that the most direct route for infection was remote users with
    laptop/VPN/no firewall... Try restricting remote access and I would get
    those infected machines off the network, re-installed and patched *before*
    reconnection to the network, but that's stating the obvious ;)

    Also, if you can, shut down all currently unused switch ports so that foreign
    machines can't be connected without you knowing. If you get someone who has
    to connect a foreign machine, scan it first.

    Hope this helps.

    Cheers,
    Neil

    Network Engineer.

    On Friday 30 January 2004 17:54, E. Jimmy Allotey wrote:
    > I am seeing some new occurrences on reformatted machines on my network.
    > They appeared on machines which were reformatted and connected to the
    > network before installation of patches and anti-virus software
    > (idiots!!!!) We have checked all the other machines here which were
    > unaffected and they are fine.
    >
    > Our perimeters are blocked on all the named ports and yet the beast
    > managed to get in....
    >
    > For fear of sounding stupid, does anybody have any ideas??
    >
    > E. Jimmy Allotey
    > Network & Systems Security Engineer
    > Tel: +233 24 310 788
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (GNU/Linux)

    iD8DBQFAHrSJ2h6w8BNEwKYRAuyAAJ9WH+udaCjUjYLdRJm6+7KeoFv9pgCeO6Gl
    4y4xE+WDAi0/gxLcU1hofI0=
    =f/G2
    -----END PGP SIGNATURE-----
