[Dshield] DCOM morning after

Craig Shaw CraigS at caamb.mb.ca
Tue Aug 12 17:15:14 GMT 2003

OK, thought I'd weigh in here on the side of large enterprises...

Many companies make it a policy not to implement a fix until it has been
tested thoroughly. In some cases, a month isn't much time to test a given
hotfix or patch on a large network. Especially when you consider that
regular duties / fires / projects can interrupt that work. Many departments
have limited resources for this kind of thing.

So, if you're all protected and patched and snug, weathering the storm, that's
great for you. But let's not start throwing stones at those poor, overworked
sysadmins who might not have the resources / support / staff combinations
you do.

For the record, we're a small shop, and patching is fairly easy for us to
accomplish because of the tools we have in place. However, I know many
organizations are not so lucky.

Craig Shaw
Systems Administrator
CAA Manitoba
(204) 262-6035
craigs at caamanitoba.com

-----Original Message-----
From: Doug [mailto:doug at dwhite.ws] 
Sent: 12-Aug-03 11:39
To: General DShield Discussion List
Subject: Re: [Dshield] DCOM morning after

I tend to agree with you.   One fact seems to describe the difference
networks and "large" networks, and that is the "large" number of excuses for
securing their systems.

Microsoft issued the patch on July 19, and announced it in a number of
including their security advisor newsletter.  They re-sent the security
on July 30, and again just yesterday.   Articles on TechNet have been
about it for some time and strongly recommending patching vulnerable
The tools are not only free, but readily available, and MS should not be
for the lack of use.

I guess in  a few cases there are system admins that are not granted the
authority to secure their systems and networks, and in other cases they are
Now they are paying the price.

I have seen on a number of forums I subscribe to as many excuses for not
applying the patches as I have heard of probes by the actual propagating
Now these people are throwing up their hands as their systems come down.
happens over and over as each new vulnerability comes to light, and it seems
that "they never learn."

Another side is the home computers that do not have "auto-update" enabled.
These systems, in most cases, do not have such complicated applications
that extensive testing is required before applying security updates, and
already be patched.

It would seem that by the time enough admins get the message, the DDOS attack on
MS update will be underway, and updates may well be unavailable for a time.

At least on this one, I get to sit by and watch the problem grow, as I have
able to in previous instances (Think CodeRed/Nimda) and the well over a
computers that have been infected with proxy server worms that enable the
unprecedented growth of spamming.

mailto:doug at dwhite.ws
----- Original Message ----- 
From: "Ben Robson" <ben at robson.ph>
To: "*Hobbit*" <hobbit at avian.org>
Cc: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, August 12, 2003 11:01 AM
Subject: Re: [Dshield] DCOM morning after

| The thing that does it for me is that I can -almost- accept the home
| user community falling prey to this, but I am absolutely pole-axed at
| the concept that companies, money making organisations whose number one
| asset is information, are connecting unpatched systems to the Internet
| without even turning on Microsoft's own IPSec tools, or installing some
| cheap -free-, do nothing/know nothing packet filter.
| I have been having conversations on this worm in numerous forums and
| without fail at least half the posts are stating that the author's
| organisation fell victim and is in the process of cleaning up.  I even
| read one posting from someone stating that their employer, "a major
| international bank" was infected.  I mean you got to be shitting me
| right!!!!!!! (pardon the language please).
| BenR.
| *Hobbit* wrote:
| >No, you're not the only one who's utterly floored by the idea that ANY
| >of this stuff would be accessible from outside any business, large or
| >small.  Even the little SOHO nat-boxes I'd expect to prevent this sort
| >of thing by default apparently aren't doing the job.
| >
| >Same with 139, 445, 1443 or whatever it was, etc.  It's just astounding
| >how lame the so-called "internet community" has become.  Until they
| >turn Redmond into a glass parking lot and start over, nobody is safe.
| >
| >_H*
| _______________________________________________
| list mailing list
| list at dshield.org
| To change your subscription options (or unsubscribe), see:
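The thread argues that a packet filter dropping the RPC/SMB ports from the outside is the cheap mitigation, and that the propagating worm shows up as a flood of probes against those ports. Below is an added example, written for this page and not code from anyone in the thread, of the defender's side of that: it parses constructed netfilter-style (iptables LOG target) drop lines and reports which outside sources hit the watched ports on several different inside hosts, the pattern a self-propagating worm leaves in a firewall log. The log lines, addresses and the `min_targets` threshold are constructed for the example; ports 139 and 445 come from the thread, and 135 is added because it is the TCP port the DCOM RPC service the worm targeted listens on.

```python
"""Added example: spot worm-style probing of RPC/SMB ports in packet-filter drop logs.

The log lines below are constructed in the style of Linux netfilter (iptables
LOG target) messages; they are not taken from the original thread.
"""
import re
from collections import defaultdict

# Ports watched: 135 (RPC endpoint mapper / DCOM), 139 and 445 (SMB).
# 139 and 445 are named in the thread; 135 is the DCOM RPC port and is added here.
WORM_PORTS = {135, 139, 445}

# Matches the fields of an iptables LOG line we care about (constructed format).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample: one source sweeping port 135 across four inside hosts,
# one stray hit on 445, and one unrelated drop on port 80.
SAMPLE_LOG = """\
Aug 12 10:01:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=1331 DPT=135 SYN
Aug 12 10:01:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=48 PROTO=TCP SPT=1332 DPT=135 SYN
Aug 12 10:01:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=48 PROTO=TCP SPT=1333 DPT=135 SYN
Aug 12 10:01:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 LEN=48 PROTO=TCP SPT=1334 DPT=135 SYN
Aug 12 10:01:05 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=4000 DPT=445 SYN
Aug 12 10:01:07 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=3000 DPT=80 SYN
"""


def parse_drops(log_text):
    """Return (src, dst, dpt) for every dropped TCP packet found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append((m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return records


def summarize(records, ports=WORM_PORTS):
    """Per source address: drop count per watched port and the set of inside hosts tried."""
    per_src = defaultdict(lambda: {"hits": defaultdict(int), "targets": set()})
    for src, dst, dpt in records:
        if dpt in ports:
            per_src[src]["hits"][dpt] += 1
            per_src[src]["targets"].add(dst)
    return per_src


def flag_scanners(summary, min_targets=3):
    """Sources that probed a watched port on at least min_targets distinct hosts.

    A single stray connection attempt is noise; the same source walking across
    many inside addresses is what a propagating worm looks like from the filter.
    """
    return sorted(
        src for src, info in summary.items() if len(info["targets"]) >= min_targets
    )


if __name__ == "__main__":
    summary = summarize(parse_drops(SAMPLE_LOG))
    for src in flag_scanners(summary):
        hits = ", ".join(f"port {p}: {n}" for p, n in sorted(summary[src]["hits"].items()))
        print(f"{src} probed {len(summary[src]['targets'])} hosts ({hits})")
```

Run against a real iptables log with a `LOG` rule placed before the `DROP` for these ports, the same three functions give a per-source list worth blocking upstream or reporting, and the `min_targets` threshold is what keeps a single misdirected SMB connection out of the report.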
