[Dshield] Re: Possible variant of Blaster/Nachi/Welchia? (more)

Alan Frayer afrayer at frayernet.com
Sat Sep 27 10:08:19 GMT 2003


On Fri, 2003-09-26 at 14:08, Steven D. Smith wrote:
>
>    Unlike W32.Sobig.E@mm, Sobig.F will not open the following ports to listen for incoming UDP
>    datagrams, as was previously reported.
>          995/udp
>          996/udp
>          997/udp
>          998/udp
>          999/udp
>
>    Network administrators should do the following:
>          Block outbound traffic on port 8998/udp.
>          Monitor NTP requests (port 123/udp), as these could be coming from infected computers.
>          (The frequency of such checks for an infected computer should be once per hour.)

I suppose I'm late getting in the game, but for those of us keeping
score, is there a list somewhere of ports net admins should be blocking?
I thought I had them covered, but people keep mentioning some higher UDP
ports that I'm not so sure about, and I know that I don't know which
ones have been compromised.

While I'm at it, let me assume someone compromised a port that's been in
use by something legit. I can't very well close that port without
shutting off access to the legit service, so how can I protect the
network in those instances?

________________________________________________________________________
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
If you would like to discuss an opportunity with me, please e-mail.
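The quoted advisory gives two concrete items: block outbound 8998/udp, and watch 123/udp because an infected host re-checks NTP about once an hour. As an added example that is not part of this thread and not a vendor tool, the Python below runs exactly that check over a constructed sample of outbound UDP flow records. The log format, the hosts and the addresses are assumed for illustration. It does not block 123/udp, since legitimate NTP clients use it; it flags hosts whose NTP requests recur at roughly hourly intervals and then corroborates with any traffic to 8998/udp.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound UDP flow records (hypothetical log format,
# not from the thread): "<ISO time> <src> -> <dst> udp/<dst_port>".
# 10.0.0.5 queries NTP on the hour and also talks to 8998/udp;
# 10.0.0.9 is an ordinary client with irregular NTP timing.
SAMPLE_LOG = """\
2003-09-26T10:00:02 10.0.0.5 -> 192.5.41.41 udp/123
2003-09-26T10:00:07 10.0.0.9 -> 10.0.0.1 udp/123
2003-09-26T11:00:03 10.0.0.5 -> 192.5.41.41 udp/123
2003-09-26T11:17:41 10.0.0.9 -> 10.0.0.1 udp/123
2003-09-26T12:00:05 10.0.0.5 -> 192.5.41.41 udp/123
2003-09-26T12:00:09 10.0.0.5 -> 203.0.113.7 udp/8998
2003-09-26T12:31:20 10.0.0.9 -> 10.0.0.1 udp/123
2003-09-26T13:00:01 10.0.0.5 -> 192.5.41.41 udp/123
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\w+)/(?P<port>\d+)$"
)


def parse_log(text):
    """Parse flow lines into (timestamp, src, dst, proto, dst_port) tuples.
    Lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                        m["proto"].lower(), int(m["port"])))
    return records


def sources_to_port(records, port, proto="udp"):
    """Hosts with any outbound flow to proto/port (here: the 8998/udp the
    advisory says to block; any hit is worth a look at the source host)."""
    return {src for _, src, _, p, dport in records if p == proto and dport == port}


def hourly_ntp_sources(records, period_s=3600, tolerance_s=300, min_hits=2):
    """Hosts whose outbound 123/udp requests recur about once per period_s.

    Returns {src: [matching gaps in seconds]}. A legitimate client polling
    hourly would match too, so treat this as a candidate list, not a verdict.
    """
    by_src = defaultdict(list)
    for ts, src, _, proto, port in records:
        if proto == "udp" and port == 123:
            by_src[src].append(ts)
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        hits = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        if len(hits) >= min_hits:
            flagged[src] = hits
    return flagged


def report(text):
    """Combine both indicators; hosts in 'both' are the strongest candidates."""
    records = parse_log(text)
    ntp = hourly_ntp_sources(records)
    p8998 = sources_to_port(records, 8998)
    return {"hourly_ntp": ntp, "udp_8998": p8998, "both": set(ntp) & p8998}


if __name__ == "__main__":
    for name, value in report(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The tolerance and the minimum number of matching gaps are the knobs: tighten them on a network whose legitimate NTP clients poll at fixed hourly cadence, and loosen them if the flow source timestamps are coarse. Hosts that appear in both lists are the ones to pull off the network and inspect first; the hourly-only list is a starting point for checking against the known NTP client configuration.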
