[Dshield] Re: Possible variant of Blaster/Nachi/Welchia? (more)
afrayer at frayernet.com
Sat Sep 27 10:08:19 GMT 2003
On Fri, 2003-09-26 at 14:08, Steven D. Smith wrote:
> Unlike W32.Sobig.E@mm, Sobig.F will not open the following ports to listen for incoming UDP
> datagrams, as was previously reported.
> Network administrators should do the following:
> Block outbound traffic on port 8998/udp.
> Monitor NTP requests (port 123/udp), as these could be coming from infected computers.
> (The frequency of such checks for an infected computer should be once per hour.)
I suppose I'm late getting in the game, but for those of us keeping
score, is there a list somewhere of ports net admins should be blocking?
I thought I had them covered, but people keep mentioning some higher UDP
ports that I'm not so sure about, and I know that I don't know which
ones have been compromised.
While I'm at it, let me assume someone compromised a port that's been in
use by something legit. I can't very well close that port without
shutting off access to the legit service, so how can I protect the
network in those instances?
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
If you would like to discuss an opportunity with me, please e-mail.
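
The two checks from the quoted advisory (outbound 8998/udp, and NTP requests about once per hour), run over outbound flow records. This is an added example, not part of the original message; the log format, all addresses, the approved NTP server list and the tolerance value are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: the site's sanctioned NTP server (hypothetical address).
APPROVED_NTP = {"192.0.2.10"}

# Constructed outbound UDP flow records: time, source, destination, dest port.
SAMPLE_LOG = """\
2003-09-27T08:00:05 10.0.0.21 198.51.100.7 123
2003-09-27T09:00:07 10.0.0.21 198.51.100.9 123
2003-09-27T10:00:04 10.0.0.21 198.51.100.7 123
2003-09-27T09:12:40 10.0.0.21 203.0.113.50 8998
2003-09-27T08:30:00 10.0.0.34 192.0.2.10 123
2003-09-27T09:41:10 10.0.0.34 192.0.2.10 123
2003-09-27T08:15:00 10.0.0.55 198.51.100.7 123
"""

def parse(log):
    """Yield (timestamp, source, destination, dest_port) per non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def triage(log, tolerance=120):
    """Return {source: reasons} for hosts matching the advisory's checks."""
    findings = defaultdict(set)
    ntp_times = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == 8998:
            findings[src].add("outbound 8998/udp")
        elif dport == 123 and dst not in APPROVED_NTP:
            findings[src].add("NTP to unapproved server")
            ntp_times[src].append(ts)
    # Hourly cadence: every gap between requests is 3600 s +/- tolerance.
    for src, times in ntp_times.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and all(abs(g - 3600) <= tolerance for g in gaps):
            findings[src].add("hourly NTP cadence")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(host, sorted(reasons))
```

A host that only talks to the approved NTP server never appears in the result, which lets port 123 stay open for legitimate use while unexpected destinations are still surfaced.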