[Gloucs] I-WORM/Opas.A

bjh gloucs at mailman.lug.org.uk
Tue Dec 31 21:49:01 2002


***Message Response
****************************************************
----- Original Message -----
From: "Guy Edwards" <guy_j_edwards@hotpop.com>
To: "MAILING LIST" <gloucs@mailman.lug.org.uk>
Sent: Tuesday, December 31, 2002 11:08 AM
Subject: Re: [Gloucs] I-WORM/Opas.A


On Tue, 2002-12-31 at 10:30, bjh wrote:
> The problem with blocking Ports is that you appear to need Ports 137 to 139
> for networking and that was the path of the worm attack...

You need 137, 138 and 139 For netbios (smb) file and print sharing on
your internal network but not on the external network (internet).
*****************
*** Thanks, am aware of that, but good point for others watching this
exchange of info!!!!!!!!!
*****************
I'd put in a nice quick-to-set-up Smoothwall firewall (which also does
dial-up) box, £7 for a P133 from Hemplan, plus you'll need one network
card and whatever you need for your outgoing connection (external modem
or network card). About 30-45 minutes to set up. Tell your client
machines to use the Smoothwall box's IP address as the gateway and it's
done (perhaps a little more than that). That'll stop most (all?) of the
portscan type attacks.
*****************
*** We use BT Highway ISDN connection for internet access together with a
Freeserve Anytime Account which enables us to make extensive use of the
Freeserve "FREE" web page facilities for testing of Clients web sites we
produce (at present we have about 25 of these sites being tested), prior to
going live with full Domain in normal manner (Thanks Freeserve!).
The arrangement is very cost effective even when comparing against ADSL
services...
Any idea if Smoothwall will work using the BT ISDN connection???
We have other old computers that sound as if they could be used for the
purpose... Could one be used with the Sitecom Wireless Networking
Adapters - to communicate with our two main PCs???
*****************
After that you might want to try setting up a Linux based mailserver
that takes things like vbs and other files off your emails and/or scans
attachments with some of the free open source virus scanners. (I know
nothing much about this)

A samba box controlling all your logons and password authentication will
mean you can password protect all the fileshares to make it harder for
worms to spread (it would have stopped Sircam I believe (from the
symantec link) but not some of the newer worms)
*****************
*** Interesting...
*****************
Next you could upgrade all the client computers to Mandrake 9.0 ;-) or
maybe Windows 2000 if you're stuck with MS for some reason.
*****************
*** From previous off network dialogue with John Mckeown I think we would
probably go for SuSE 8.1 combined with Win4Lin so that we can still operate
a number of windows based programmes we use for business purposes and are
proven performers - We had actually been thinking of Mandrake 9.0 (had got
as far as getting the Distro CDs for the system) - but John had a number of
problems with Mandrake from what he said. We use Macromedia Dreamweaver MX
for a lot of our design work and would be reluctant to change to another
website production programme... Incidentally I notice in Linux Magazine that
SuSE has a Firewall package as part of the Install....
*****************

> The interesting thing is that since we activated ZoneAlarm Pro as the
> Firewall, we have had attacks about every four seconds to Port 137 every
> time we go online, which underlines how far this thing has spread, and the
> repeat visits to our system by other infected systems based on the IP
> address numbers originating the attacks...

You might want to tell the person originating the attacks as they might
not know they're infected? Either that or it might be your ISP doing
routine checks, although every 4 seconds sounds a bit over the top.
Blueyonder constantly portscan me.
*****************
*** The hits have been coming from all over the world and are separate from
any of the ISP hits...
*****************
Guy
*****************
*** Thanks for the thoughts... Barrie
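Added example, not part of this thread or of Smoothwall: the point made above is that NetBIOS (137, 138 and 139) belongs on the internal interface only, and that the repeated hits to port 137 are worth tallying per source address before deciding who to notify. The Python below assumes an iptables gateway in front of the LAN (the interface name `ppp0`, the `NETBIOS-DROP:` log prefix and the kernel log line layout are assumptions), generates the external-interface log-and-drop rules, and then runs over a few constructed log lines to separate repeat visitors from one-off scans, including the median gap between hits that the "every four seconds" observation refers to.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Ports used by NetBIOS name/datagram/session services (SMB file and print sharing).
NETBIOS_PORTS = {137, 138, 139}

# Layout of an iptables LOG line as written to syslog by the kernel (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>[\w-]+): "
    r"IN=(?P<in_if>\S+) .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?PROTO=(?P<proto>\w+) "
    r".*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: one source probing 137/udp every four seconds, one
# source returning to 139/tcp, and one unrelated hit on port 80. Not real data.
SAMPLE_LOG = """\
Dec 31 10:30:01 fw kernel: NETBIOS-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 10:30:05 fw kernel: NETBIOS-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 10:30:09 fw kernel: NETBIOS-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 31 10:30:12 fw kernel: NETBIOS-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4321 DPT=139 WINDOW=16384 SYN
Dec 31 10:31:00 fw kernel: NETBIOS-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=4322 DPT=139 WINDOW=16384 SYN
Dec 31 10:31:30 fw kernel: OTHER-DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.99 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=5555 DPT=80 WINDOW=16384 SYN
"""


def netbios_block_rules(ext_if):
    """iptables commands that log, then drop, inbound NetBIOS on the external
    interface only. No rule touches the internal interface, so LAN file and
    print sharing keeps working; INPUT covers the gateway itself, FORWARD the
    machines behind it."""
    rules = []
    for chain in ("INPUT", "FORWARD"):
        for proto in ("udp", "tcp"):
            match = f"iptables -A {chain} -i {ext_if} -p {proto} --dport 137:139"
            rules.append(f"{match} -j LOG --log-prefix 'NETBIOS-DROP: '")
            rules.append(f"{match} -j DROP")
    return rules


def parse_netbios_hits(log_text):
    """Return {src: [(timestamp, dport), ...]} for every logged packet aimed at
    137-139; packets to other ports are ignored. Timestamps carry no year, so
    only gaps between them are meaningful."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dpt = int(m.group("dpt"))
        if dpt not in NETBIOS_PORTS:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        hits[m.group("src")].append((ts, dpt))
    for src in hits:
        hits[src].sort()
    return dict(hits)


def repeat_visitors(hits, min_hits=2):
    """Summarise sources that came back at least min_hits times: how many
    hits, which ports, and the median seconds between consecutive hits."""
    summary = {}
    for src, events in hits.items():
        if len(events) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        summary[src] = {
            "hits": len(events),
            "ports": sorted({dport for _, dport in events}),
            "median_gap_s": median(gaps),
        }
    return summary


if __name__ == "__main__":
    for rule in netbios_block_rules("ppp0"):
        print(rule)
    for src, info in repeat_visitors(parse_netbios_hits(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed log the 203.0.113.7 source shows three hits to 137/udp with a median gap of four seconds, the pattern described in the thread, while 192.0.2.44 is a slower return visitor to 139/tcp; the port 80 hit never enters the tally. A source that keeps reappearing with a steady short interval is the one worth reporting to its owner or ISP with the timestamps attached.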

_______________________________________________
gloucs mailing list
gloucs@mailman.lug.org.uk
http://mailman.lug.org.uk/mailman/listinfo/gloucs