[unisog] Handling Code Red & Future Worms

Jose Nazario jose at biocserver.BIOC.cwru.edu
Mon Aug 6 18:26:48 GMT 2001

On Mon, 6 Aug 2001, E. Larry Lidz wrote:

> Currently, we only get notified of compromised machines over the
> weekend if they're attacking outward.

CR2 has the nice ability to evade this in large measure as it will stay
locally and scan locally. We're also focusing our efforts on our outbound
pipe for signature traffic and have been caught off guard by CR2. Logfile
analysis on web servers around the campus helps turn them up, though.
Slower, by many orders of magnitude.

> So, my question is: anyone have any good ideas how to handle this,
> other than having staff around 7 days a week?

Various tools can help you identify when a new machine pops up on the
network. A new layer 2 entry on your switches, a new DHCP client, etc ...
So why not scan the machine right away and, if it's a server, kill it at
the nearest device that can filter it.

You do have a 'no unauthorized servers' clause in your AUP, right? And who
in their dead brain loads up an IIS server on a weekend like this? Break
out the LART, someone needs a lesson.

Just some thoughts. Yeah, I'm feeling a bit annoyed today with some

jose nazario						     jose at cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

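An added example, not part of this post, of the web-server logfile analysis Jose mentions: it picks Code Red probes out of constructed Apache combined-format log lines and separates local sources (the ones an outbound-only sensor never sees) from external ones. The campus address range, the sample lines and the function names are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.1.4.7 - - [06/Aug/2001:02:13:45 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
10.1.4.7 - - [06/Aug/2001:02:13:49 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
192.0.2.55 - - [06/Aug/2001:02:14:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
10.1.9.20 - - [06/Aug/2001:02:15:10 -0400] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
garbage line that does not parse
"""

# Combined log: client IP, two '-' fields, [timestamp], "request", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

# A Code Red probe is a GET for /default.ida followed by a long run of one
# filler character: 'N' for Code Red I, 'X' for Code Red II (the post's CR2).
# The run-length threshold keeps ordinary short query strings from matching.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?([NX])\1{15,}')
VARIANT = {"N": "Code Red I", "X": "Code Red II"}

def parse_line(line):
    """Return (client_ip, timestamp, request, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_code_red_hits(log_text, local_nets):
    """List Code Red probes in log_text, flagging sources inside local_nets.

    local_nets: CIDR strings for the campus address space (assumed below).
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        ip, ts, request, status = parsed
        m = CODE_RED_RE.match(request)
        if not m:
            continue
        addr = ipaddress.ip_address(ip)
        hits.append({"ip": ip, "time": ts, "variant": VARIANT[m.group(1)],
                     "local": any(addr in n for n in nets)})
    return hits

def local_sources(hits):
    """Probe count per local source IP: these are the infected campus hosts."""
    return Counter(h["ip"] for h in hits if h["local"])

if __name__ == "__main__":
    found = find_code_red_hits(SAMPLE_LOG, ["10.0.0.0/8"])  # assumed campus range
    for ip, n in local_sources(found).items():
        print(f"local infected host {ip}: {n} probe(s)")
```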