[Dshield] Re: Possible variant of Blaster/Nachi/Welchia? (more)
areust at comcast.net
Sat Sep 27 16:21:55 GMT 2003
My first thing would be to let the boss know that I am shutting off Time Services
for a short period of time within the network. Right now you have a small
brush fire, and the computers on the network should be able to keep track of
their own time. So if you can turn that port completely off, you then have
a small number of machines to deal with. If you allow it to continue, then
you will have a forest fire.
Yes, that goes against the grain about maintaining integrity of the network
services. "They" use legitimate services against us. Then we have to adjust
tactics to bring network services back to a normal state as quickly as
You could also use the registry editor to connect to the affected machines
and browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run.
Remove the turd.
Depending on the W32 version, check the \RunOnce and \RunOnceEx keys.
Yes, NT 4.0 and Win9.x use a slightly different key, \Windows NT (if
Then, using the Resource Kit:
shutdown \\badcomputer /R /T:10 /C
Then monitor as the machine comes back up.
If you really wanted to be brutal, create a script in your "netlogin"
directory and add the key to the \RUN portion:
shutdown \\%Computername% /R /T:45 "You have a computer that is causing
Network Problems. Please contact the Help Desk and identify your Name and
Location. Someone will come to help correct the Problem." /C
So until that is removed from the registry, it puts them in a 45-second loop.
Then back to education about Virus Signatures etc. Owners of the infected
machine(s) should have special education.
Users are stupid - the higher the education level of the user, the more stupid.
At 06:07 AM 9/27/2003 -0400, you wrote:
>On Fri, 2003-09-26 at 14:08, Steven D. Smith wrote:
> > Unlike W32.Sobig.E@mm, Sobig.F will not open the following ports to
> > listen for incoming UDP
> > datagrams, as was previously
> > 995/udp
> > 996/udp
> > 997/udp
> > 998/udp
> > 999/udp
> > Network administrators should do the
> > Block outbound traffic on port
> > Monitor NTP requests (port 123/udp), as these could be coming
> > from infected computers.
> > (The frequency of such checks for an infected computer should
> > be once per hour.)
>I suppose I'm late getting in the game, but for those of us keeping
>score, is there a list somewhere of ports net admins should be blocking?
>I thought I had them covered, but people keep mentioning some higher UDP
>ports that I'm not so sure about, and I know that I don't know which
>ones have been compromised.
>While I'm at it, let me assume someone compromised a port that's been in
>use by something legit. I can't very well close that port without
>shutting off access to the legit service, so how can I protect the
>network in those instances?
>Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
>Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
>If you would like to discuss an opportunity with me, please e-mail.
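As an added example (not code from the original post), here is a PowerShell script that inventories the HKEY_LOCAL_MACHINE Run, RunOnce and RunOnceEx keys the post refers to on a named host, so the entries can be reviewed before anything is removed; the host-name parameter and the path pattern used to flag entries for review are assumptions.

```powershell
# Added example, not from the original post. Lists the autorun values under
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunOnce,RunOnceEx}
# on a local or remote host so an admin can review them before deleting any.
# Assumption: the Remote Registry service is reachable when a remote name is given.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

$autorunKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

# Assumed heuristic: commands launched from temporary or user-writable
# locations get flagged for review. A match is a prompt to look, not proof.
$reviewPattern = '(?i)\\(temp|tmp|documents and settings|users)\\'

function Get-AutorunEntries {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
    foreach ($path in $autorunKeys) {
        $key = $base.OpenSubKey($path)
        if ($null -eq $key) { continue }
        # RunOnceEx keeps its commands in numbered subkeys, so walk one level down too.
        $keysToRead = @($key) + @($key.GetSubKeyNames() | ForEach-Object { $key.OpenSubKey($_) })
        foreach ($k in $keysToRead) {
            foreach ($name in $k.GetValueNames()) {
                $cmd = [string]$k.GetValue($name)
                [pscustomobject]@{
                    Computer = $Computer
                    Key      = $k.Name
                    Name     = $name
                    Command  = $cmd
                    Review   = [bool]($cmd -match $reviewPattern)
                }
            }
        }
        $key.Close()
    }
    $base.Close()
}

# Flagged entries sort to the top; nothing is modified by this script.
Get-AutorunEntries -Computer $ComputerName | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it against each machine showing up in the NTP request logs and compare the output with a known-clean host before touching the registry.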