sasser virus (was Re: [unisog] student fees for cleaning.)

Jason Richardson a00jer1 at wpo.cso.niu.edu
Fri May 7 20:20:29 GMT 2004


Sasser was more or less a non-event for us as well (at least for
everyone but me and a couple of other people), also on a network of 8000
or so machines.  I ended up blocking 6 infected machines on our
residence hall network and they were all on the same subnet where they
probably infected each other quickly.  Ports 135-139, 445, 5554, 9996,
and 31337 are all blocked at the border, between our res hall network
and our admin network, and between our dial-ups and wireless network and
our admin network.  We also learned some valuable lessons after Blaster
and Nachi/Welchia (like not forgetting to block those ports for the
dial-ups and wireless) and I have been nagging people mercilessly since
4/13 when the latest patches came out.  Even so, we had hundreds of
unpatched machines on our network so I consider us lucky that we didn't
have a major problem.  Hopefully we'll have the same experience with the
Sasser/Netsky combo worm that I see experts predicting is coming.

---
Jason Richardson, J.D., CISSP, CISM, CNE5
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich at niu.edu

>>> vanepp at sfu.ca 5/7/2004 2:49:58 PM >>>
<snip>
> 
> Additionally, rumor has it that the University of Utah only had some
> ridiculously small number of sasser infections?  Anyone here from
> utah.edu who can help the rest of us who had quite a larger number of
> infections?
> 
> Regards,
> -Peter
> -- 
> Peter Moody                             <peter at ucsc.edu>
> Information Security Administrator      831/459.5409
> Communications and Technology Services. UC, Santa Cruz.
> http://security.ucsc.edu/pgp/peter.moody.pub 
> :wq

	While I'm not from the U of Utah, sasser here was a non-event. There
were 5 or 7 machines hit last week sometime in one day and then 1s and 2s as
people bring in laptops or dial in from home among our 8,000+ machines.
	Ports 135, 137, 139, 445 are blocked in and out at the border (and
attempting to scan out is logged and whacked), which is presumably the reason
why we didn't see a large number of infections. 500 or so machines (and
several months of recovery) from blaster may have also helped convince those
responsible for the machines that 1) an infection will get caught and network
access will be removed, and 2) the pain of 1) isn't worth it :-). Thanks to
you kind beta testers on unisog they also got several warnings that sasser
was coming.
	Argus outside my border isn't even seeing an abnormal amount of
scanning from external sources.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
_______________________________________________
unisog mailing list
unisog at lists.sans.org 
http://www.dshield.org/mailman/listinfo/unisog
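The two controls described in this thread, a zone-to-zone block list for the worm ports and the "scan out is logged and whacked" check, can be modelled in a few dozen lines. The following is an added example, not code from either poster or from the unisog list; it uses the port list from Jason's message (135-139, 445, 5554, 9996, 31337). The zone names, the RFC 1918 address ranges, the five-field flow-record format, the sample flows and the scan threshold (10 distinct targets within 60 seconds) are all constructed for the example and are not from the thread.

```python
"""Model of a border/inter-zone port block list plus a detector for internal
hosts attempting to scan out on the blocked ports.  Added example; zone
ranges, log format and thresholds are assumptions, not from the thread."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports the thread reports as blocked at the border and between zones.
BLOCKED_PORTS = set(range(135, 140)) | {445, 5554, 9996, 31337}

# Constructed zone map (hypothetical address ranges, not the university's).
ZONES = {
    "reshall": ip_network("10.10.0.0/16"),
    "dialup_wireless": ip_network("10.20.0.0/16"),
    "admin": ip_network("10.30.0.0/16"),
}

# Zone pairs between which the blocked ports are filtered in both directions,
# following the layout in the thread (res hall <-> admin, dial-up/wireless
# <-> admin).  Anything crossing the border ("external") is also filtered.
FILTERED_PAIRS = {
    frozenset({"reshall", "admin"}),
    frozenset({"dialup_wireless", "admin"}),
}


def zone_of(ip):
    """Map an address to a zone name; anything outside ZONES is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def is_blocked(src_ip, dst_ip, dst_port):
    """True if the policy drops a TCP flow from src_ip to dst_ip:dst_port."""
    if dst_port not in BLOCKED_PORTS:
        return False
    pair = frozenset({zone_of(src_ip), zone_of(dst_ip)})
    if "external" in pair:
        return True  # crosses the border
    return pair in FILTERED_PAIRS


def parse_flow(line):
    """Parse a constructed record: '<ts> <src> <dst> <dport> <tcpflags>'."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": flags}


def find_outbound_scanners(lines, window=60, min_targets=10):
    """Return {src: distinct_target_count} for internal hosts whose SYN-only
    attempts on blocked ports reach >= min_targets distinct destinations
    within `window` seconds.  These are the hosts to log and cut off."""
    attempts = defaultdict(list)  # src -> [(ts, dst)]
    for line in lines:
        f = parse_flow(line)
        if f["flags"] != "S" or f["dport"] not in BLOCKED_PORTS:
            continue  # only connection attempts on worm ports matter
        if zone_of(f["src"]) == "external":
            continue  # inbound scanning is the border filter's job
        attempts[f["src"]].append((f["ts"], f["dst"]))
    scanners = {}
    for src, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = len(targets)
                break
    return scanners


# Constructed sample flows: one res-hall host sweeping its /24 on 445 within
# 12 seconds, one host touching three admin machines, and two benign flows.
SAMPLE_FLOWS = (
    [f"{1000 + i} 10.10.5.7 10.10.5.{100 + i} 445 S" for i in range(12)]
    + [f"{1100 + i} 10.10.9.2 10.30.1.{i} 445 S" for i in range(3)]
    + ["1200 10.10.9.2 10.30.1.50 80 S", "1201 10.10.5.7 10.10.5.200 445 SA"]
)

if __name__ == "__main__":
    for src, n in find_outbound_scanners(SAMPLE_FLOWS).items():
        print(f"quarantine {src}: {n} distinct targets on blocked ports")
    print(is_blocked("10.10.5.7", "10.30.1.1", 445))  # res hall -> admin
```

The policy check and the detector deliberately overlap: the filter stops a worm from reaching another zone, while the scan detector catches the infected host on its own subnet, where the thread notes the six infected machines "probably infected each other quickly" before any inter-zone filter could intervene.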