Re: Sasser Like behaviour
workinghard_at_news.postalias
Date: 08/04/04
- In reply to: Lanwench [MVP - Exchange]: "Re: Sasser Like behaviour"
Date: Wed, 4 Aug 2004 20:58:22 +0200
Hello there,
All machines are fully patched, SUS is in place and working, testing SP2 RC2
for XP for our new roll out (planning to be a 99 % XP SP2 shop by October
2004)... awaiting eagerly WUS ... which looks very promising.
I really would like to find the culprit, just to prove to upper management
I'm more than a nagging sysadmin. No tool is indicating any infection on
the machines we tested ... I hope to get the network guy in next week for
access to the firewall logs and some sniffing (I'm legally not allowed to
do it).
Thanks for your input (and you as well Feng Mao)
I'll post back any findings on the cause
"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:uynJJIjeEHA.2560@TK2MSFTNGP09.phx.gbl...
> workinghard@news.postalias wrote:
> > Hello,
> >
> > They have all been patched. I straightened that out straight away.
> > That made the issue go away, but there must be something causing it.
> > I have no control over the firewall. Admin is not available. It's
> > checkpoint. As far as I know if the session is initiated from the
> > client it will pass any communication. I tend to believe that we
> > have somewhere an internal machine (or external machine that has been
> > brought in) that is trying to infect ours or is scanning them,
> > attacking them ...
>
> Very likely. Keep everyone patched all the time! Got SUS in place?
>
> > we've been checking for any malware associated
> > with 04-011 and 04-012 but we do not find a thing ... quite
> > worrisome. I hope to gain access to the firewall next week ...
>
> You can try a scan to see what ports are open from the Internet - try
> www.grc.com for one.
> >
> >
> > Thx for your time.
> >
> >
> > "Lanwench [MVP - Exchange]"
> > <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
> > message news:ehVj5ybeEHA.4068@TK2MSFTNGP11.phx.gbl...
> >> Patch them all with critical updates - this is a must.
> >>
> >> What kind of firewall, and what inbound ports are open?
> >>
> >>
> >> workinghard@news.postalias wrote:
> >>> Hello,
> >>>
> >>> All PCs (XP SP1 and Windows 2000) not patched with MS04-011 and
> >>> onwards show the sasser symptoms since 02/08/2004 (same shutdown
> >>> message etc....). No sasser or variants (bobax etc ...) found
> >>> whatsoever with any tool or manually on any machine. Patching with
> >>> MS04-011 and higher has helped to remediate the problem. Since we
> >>> cannot locate the origin of the problem (we don't find any worm)
> >>> what might be exploiting this vulnerability? Any remote tools to
> >>> exploit the vulnerability? Our one and only network admin, the only
> >>> one who has access to that level is away ... no firewall logs or
> >>> network scans available ...
> >>>
> >>> Any info or pointers would be great,
> >>>
> >>> Thx
>
>