[Gloucs] I-WORM/Opas.A
Guy Edwards
gloucs at mailman.lug.org.uk
Tue Dec 31 11:19:01 2002
On Tue, 2002-12-31 at 10:30, bjh wrote:
> The problem with blocking Ports is that you appear to need Ports 137 to 139
> for networking and that was the path of the worm attack...
You need 137, 138 and 139 for netbios (smb) file and print sharing on
your internal network but not on the external network (internet).
I'd put in a nice quick to setup Smoothwall firewall (which also does
dial up) box, £7 for a P133 from Hemplan, plus you'll need one network
card and whatever you need for your outgoing connection (external modem
or network card). About 30-45 minutes to set up. Tell your client
machines to use the Smoothwall box's IP address as the gateway and it's
done (perhaps a little more than that). That'll stop most (all?) of the
portscan type attacks.
After that you might want to try setting up a Linux based mailserver
that takes things like vbs and other files off your emails and/or scans
attachments with some of the free open source virus scanners. (I know
nothing much about this)
A samba box controlling all your logons and password authentication will
mean you can password protect all the fileshares to make it harder for
worms to spread (it would have stopped Sircam I believe (from the
Symantec link) but not some of the newer worms)
Next you could upgrade all the client computers to Mandrake 9.0 ;-) or
maybe Windows 2000 if you're stuck with MS for some reason.
> The interesting thing is that since we activated ZoneAlarm Pro as the
> Firewall, we have had attacks about every four seconds to Port 137 every
> time we go online, which underlines how far this thing has spread, and the
> repeat visits to our system by other infected systems based on the IP
> address numbers originating the attacks...
You might want to tell the person originating the attacks as they might
not know they're infected? Either that or it might be your ISP doing
routine checks, although every 4 seconds sounds a bit over the top.
Blueyonder constantly portscan me.
Guy
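An added example, not part of the original post and not Smoothwall's own code: the quoted observation is hits on port 137 every few seconds from the same addresses, and the reply's point is that 137-139 belong on the LAN side only, so anything on those ports arriving on the Internet-facing interface is a probe worth counting per source. The script below does that over log lines in the format the Linux netfilter LOG target writes to syslog. The lines themselves are constructed for this example (documentation address ranges, a made-up "FW-DROP" log prefix), and the external interface name "ppp0" is an assumption for a dial-up box; both are parameters.

```python
"""Pick out repeat NetBIOS probes from netfilter-style firewall logs.

Added example, not code from the original post or from Smoothwall.
SAMPLE_LOG is constructed in the shape of Linux netfilter LOG target
records; the "FW-DROP" prefix and the external interface "ppp0" are
assumptions, not values taken from the page.
"""
from collections import defaultdict
from datetime import datetime

NETBIOS_PORTS = {137, 138, 139}  # name service, datagram service, session service

# Constructed sample syslog lines (not real captures). Two sources hit the
# external link; one internal SMB line and one web hit must be ignored, and
# one line is not a packet record at all.
SAMPLE_LOG = """\
Dec 31 10:30:01 gw kernel: FW-DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=78 TTL=112 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 10:30:05 gw kernel: FW-DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=78 TTL=112 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 10:30:09 gw kernel: FW-DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=78 TTL=112 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 10:30:12 gw kernel: FW-DROP IN=ppp0 OUT= SRC=198.51.100.99 DST=198.51.100.20 LEN=48 TTL=120 PROTO=TCP SPT=1033 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 31 10:30:20 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=48 TTL=128 PROTO=TCP SPT=1041 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 31 10:30:31 gw kernel: FW-DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=78 TTL=112 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 10:30:40 gw kernel: FW-DROP IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.20 LEN=48 TTL=50 PROTO=TCP SPT=3211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 31 10:30:41 gw kernel: ppp0: link is up
"""


def parse_line(line, year=2002):
    """Return time, iface, src, proto and dport for one netfilter LOG record,
    or None for any line that is not one. Syslog stamps carry no year, so the
    caller supplies it (2002 here, the date of the thread)."""
    tokens = line.split()
    if len(tokens) < 5 or "kernel:" not in tokens:
        return None
    try:
        stamp = datetime.strptime(" ".join(tokens[:3]), "%b %d %H:%M:%S").replace(year=year)
    except ValueError:
        return None
    fields = {}
    for tok in tokens[tokens.index("kernel:") + 1:]:
        if "=" in tok:                      # flags such as SYN carry no "=" and are skipped
            key, _, value = tok.partition("=")
            fields[key] = value             # the second LEN= (UDP/TCP length) overwrites the IP one; neither is used
    try:
        return {"time": stamp, "iface": fields["IN"], "src": fields["SRC"],
                "proto": fields["PROTO"], "dport": int(fields["DPT"])}
    except (KeyError, ValueError):
        return None


def netbios_probes(lines, external_if="ppp0"):
    """Keep only NetBIOS-port hits that arrived on the Internet-facing interface.
    SMB on the LAN interface is what file and print sharing needs, so it is not a probe."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["iface"] == external_if and rec["dport"] in NETBIOS_PORTS:
            events.append(rec)
    return events


def summarize(events):
    """Per source address: hit count, first and last sighting, mean seconds between hits."""
    by_src = defaultdict(list)
    for rec in events:
        by_src[rec["src"]].append(rec["time"])
    summary = {}
    for src, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[src] = {"hits": len(times), "first": times[0], "last": times[-1],
                        "mean_interval": sum(gaps) / len(gaps) if gaps else None}
    return summary


def repeat_sources(summary, min_hits=3):
    """Addresses that came back at least min_hits times, busiest first. These are
    the hosts whose owners may not know they are infected and are worth telling."""
    hot = [src for src, s in summary.items() if s["hits"] >= min_hits]
    return sorted(hot, key=lambda src: (-summary[src]["hits"], src))


if __name__ == "__main__":
    summary = summarize(netbios_probes(SAMPLE_LOG.splitlines()))
    for src in repeat_sources(summary):
        s = summary[src]
        print(f"{src}: {s['hits']} hits, about {s['mean_interval']:.0f}s apart, "
              f"{s['first']:%H:%M:%S} to {s['last']:%H:%M:%S}")
```

Run against a real box's syslog, the only changes are the log prefix you gave your iptables LOG rule and the name of the outside interface; the mean interval is what tells a scanning worm (a steady few seconds from one address) apart from an ISP's occasional routine sweep.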