[Gloucs] I-WORM/Opas.A

Mark gloucs at mailman.lug.org.uk
Tue Dec 31 12:22:01 2002


On 31 Dec 2002, Guy Edwards wrote:

> On Tue, 2002-12-31 at 10:30, bjh wrote:
> > The problem with blocking Ports is that you appear to need Ports 137 to 139
> > for networking and that was the path of the worm attack...
>
> You need 137, 138 and 139 For netbios (smb) file and print sharing on
> your internal network but not on the external network (internet).

On NT-based kernels, also filter 445.

>
> I'd put in a nice quick to setup Smoothwall firewall (which also does
> dial up) box, £7 for a P133 from Hemplan, plus you'll need one network
> card and whatever you need for your outgoing connection (external modem
> or network card). About 30-45 minutes to set up. Tell your client
> machines to use the Smoothwall box's IP address as the gateway and it's
> done (perhaps a little more than that). That'll stop most (all?) of the
> portscan type attacks.
>
> After that you might want to try setting up a Linux based mailserver
> that takes things like vbs and other files off your emails and/or scans
> attachments with some of the free open source virus scanners. (I know
> nothing much about this)
>
> A samba box controlling all your logons and password authentication will
> mean you can password protect all the fileshares to make it harder for
> worms to spread (it would have stopped Sircam I believe (from the
> symantec link) but not some of the newer worms)
>
> Next you could upgrade all the client computers to Mandrake 9.0 ;-) or
> maybe Windows 2000 if you're stuck with MS for some reason.
>
> > The interesting thing is that since we activated ZoneAlarm Pro as the
> > Firewall, we have had attacks about every four seconds to Port 137 every
> > time we go online, which underlines how far this thing has spread, and the
> > repeat visits to our system by other infected systems based on the IP
> > address numbers originating the attacks...
>
> You might want to tell the person originating the attacks as they might
> not know they're infected? Either that or it might be your ISP doing
> routine checks, although every 4 seconds sounds a bit over the top.
> Blueyonder constantly portscan me.
>

You should really notify the ISP, not the originating host; then the ISP can
follow it up and see when it started in their logs and if it's attacking
more than one destination (in the age of point and click I imagine it is
attacking a range!)


We sell our soul when using BY..



> Guy
>

Mark


>
>
> _______________________________________________
> gloucs mailing list
> gloucs@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/gloucs
>
>
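The thread makes two practical points: NetBIOS/SMB (137-139, plus 445 on NT-based kernels) belongs on the LAN interface only, and a host that keeps coming back to port 137 every few seconds is worth reporting to its ISP with first-seen, last-seen and interval figures from your own logs. The script below is an added illustration of both, written for this page and not code from any poster or from Smoothwall or ZoneAlarm. It assumes the Linux netfilter LOG target's syslog format, a dial-up external interface named ppp0, the year 2002 (syslog timestamps carry none), and the sample log lines embedded in it are constructed with RFC 5737 documentation addresses, not captured traffic.

```python
"""Triage NetBIOS/SMB probes seen on the external interface.

Illustration written for this thread; not code from the posters.  Assumes
netfilter LOG lines in syslog and an external interface called ppp0.
"""
import re
from collections import defaultdict
from datetime import datetime

# NetBIOS over TCP/IP (137/udp name, 138/udp datagram, 139/tcp session)
# plus direct-hosted SMB on 445, which NT-based kernels (2000/XP) also use.
NETBIOS_SMB_PORTS = frozenset({137, 138, 139, 445})


def should_drop(iface, dport, external_ifaces=("ppp0",)):
    """Policy from the thread: file/print sharing ports are needed on the
    LAN but must be filtered on the Internet-facing interface.
    The interface names are assumptions (ppp0 = dial-up link)."""
    return iface in external_ifaces and dport in NETBIOS_SMB_PORTS


# Fields of the netfilter LOG target as written to syslog; only the fields
# needed here are captured, in the order the kernel emits them.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (documentation addresses), not real traffic.
SAMPLE_LOG = """\
Dec 31 12:00:01 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 12:00:03 gw kernel: IN=eth0 OUT= MAC= SRC=192.168.1.10 DST=192.168.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 12:00:05 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 12:00:06 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4 DF PROTO=TCP SPT=1345 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 31 12:00:07 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5 DF PROTO=TCP SPT=1346 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 31 12:00:09 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=6 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 12:00:13 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=7 DF PROTO=TCP SPT=1090 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
"""


def parse_log(text, year=2002):
    """Yield (timestamp, iface, src, proto, dport) per parseable line.
    Syslog has no year field, so the caller supplies it (assumed 2002)."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["iface"], m["src"], m["proto"], int(m["dpt"])


def triage(text, year=2002, external_ifaces=("ppp0",)):
    """Group external NetBIOS/SMB probes by source and measure how often
    each one comes back.  A steady interval from one address is the
    signature of an infected host walking a range, which is what the
    ISP's abuse desk needs to correlate against its own logs."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "times": []})
    for ts, iface, src, proto, dport in parse_log(text, year):
        if not should_drop(iface, dport, external_ifaces):
            continue  # LAN traffic, or external traffic to another port
        rec = per_src[src]
        rec["hits"] += 1
        rec["ports"].add(f"{dport}/{proto.lower()}")
        rec["times"].append(ts)
    summary = {}
    for src, rec in per_src.items():
        times = sorted(rec["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[src] = {
            "hits": rec["hits"],
            "ports": sorted(rec["ports"]),
            "first": times[0],
            "last": times[-1],
            "mean_gap_s": (sum(gaps) / len(gaps)) if gaps else None,
        }
    return summary


def abuse_report(summary, min_hits=3):
    """One line per repeat offender, most persistent first: the facts an
    ISP abuse desk can check against its session logs."""
    offenders = [(s, d) for s, d in summary.items() if d["hits"] >= min_hits]
    offenders.sort(key=lambda item: item[1]["hits"], reverse=True)
    return [
        f"{src}: {d['hits']} probes to {','.join(d['ports'])} between "
        f"{d['first']:%Y-%m-%d %H:%M:%S} and {d['last']:%H:%M:%S}"
        + (f", roughly every {d['mean_gap_s']:.0f}s" if d["mean_gap_s"] else "")
        for src, d in offenders
    ]


if __name__ == "__main__":
    for line in abuse_report(triage(SAMPLE_LOG)):
        print(line)
```

On the constructed sample, the single 445/tcp SYN from the second address stays below the reporting threshold, while the first address shows four probes at a four-second cadence to 137/udp and 139/tcp, which is the kind of summary to send to the originating ISP rather than to the (probably unaware) infected host.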