[unisog] Nachi and NetFlow

Sheil, Sean SEAN at mail.nwmissouri.edu
Thu Oct 30 16:48:14 GMT 2003


Thanks, I had forgotten about the problem with RAS.  However, on the
machines that I have seen, they have been infected.  Guess I needed
something else to add to my plate.  We are down to personal machines now.  I
managed to get ~3000 machines updated last week with SUS.

sean



-----Original Message-----
From: Harris, Michael C. [mailto:HarrisMC at health.missouri.edu] 
Sent: Thursday, October 30, 2003 8:30 AM
To: unisog at sans.org
Cc: Sheil, Sean
Subject: RE: [unisog] Nachi and NetFlow


One possible scenario we have encountered that matches your symptoms:

We had found several machines to be exhibiting the on-again, off-again
behavior. What we found is that the host was actually a RAS server and users
connected were infected.

Welchia/Blaster is not on the host you see connected to your network; it is
on a machine dialed into its RAS service and is trying to propagate using
one of the RAS pool addresses. That is also why NAV on the local device can't
find the infection.

-------------------------------------------------------------------
Michael C Harris
System Security Analyst - GSEC
University of Missouri Health Center harrismc at health.missouri.edu  KC0PAH
-------------------------------------------------------------------


