Urgent warning


Newt

davidP:

...They rather spoilt it however by stating they'd known about the problem since 16th July and had been thinking about what to do about it since then. Personally I'd sack whoever hadn't made a decision in 4 weeks thus allowing a known potential problem to become a genuine emergency!

The bods who should be sacked are those who are responsible for your firewall configuration. This was not a virus, it was a worm. It did not get into your or anyone else's network via email, but through the internet via the firewall. If UDP ports 135, 137, 138, and 445 and TCP ports 135, 139, 445, and 593 were blocked at the firewall the worm would not have gotten in.

IMHO there is no reason at all that any of these ports should be open on 99.999% of most corporate firewalls.

The problem isn't what people don't know, it's what they know that just ain't so.
Better to say nothing and be taken for a fool than to speak and prove that you are one!
Me, I always do things my own way.

I dunno. Port 135 has to be open if you want to use Exchange Server for email. End point mapping. And depending on how you have IIS configured, you may need 593 open as well.

As for 137/8/9 - if you are running a pure 2K AD system with only DNS, you can certainly lock these down. And depending on how your dial-in users connect, you may be able to shut them on the firewall. But they have to be open on the internal routers for most real-world network configurations if you want WINS and the like to work. And with a large enough WAN, some user, somewhere is gonna get bit so once the critters that use the NETBIOS ports get inside, they can travel freely thru the entire WAN.

" My choices in life were either to be a piano player in a whore house or a politician. And to tell the truth, there's hardly any difference!" - Harry Truman, 33rd US President

Ant - nope. Not simple. Or if it is, we "networking professionals" would never admit it. :D

corydoras - just noticed the Nemo Me Impune Lacessit in your signature. I like it.

Not sure if your police do the same as ours but when an officer is killed and fellow officers drape their badge with a black mourning stripe, many use just that phrase on it.

quote:

Nemo Me Impune Lacessit
- This Latin term, often associated with mourning bands and Police Memorial Day, means literally: "No one injures (attacks) me with impunity". The motto of the Order of the Thistle. It was first used on the coins of James VI of Scotland (James I of England). How it became associated with the badge mourning band is unclear; however, those of Scottish and Irish descent, who held positions in the ranks of police departments over the years, may well have been the influence.


Newt, I'm sure I have read that Port 4444 is in there somewhere as well - at Firewall level I think. What's that about then? If it means nothing post back and I will try and find the link.

Cheers.

Roger.


Rogerb - Ports 69 & 4444: MSblast.exe would do the following

- Look (send data) on TCP port 135 for suitable systems and then try to exploit the DCOM RPC vulnerability (flaws in the worm meant it didn't always succeed) to allow it to take the following actions on the vulnerable computer.

- Create a hidden Cmd.exe remote shell that listens on TCP port 4444 and will obey certain commands. One such command causes the target system to:

- Set up tftp (trivial file transfer protocol) on UDP port 69 to download a copy of msblast.exe from an infected system.

- Scan for other vulnerable systems and do the above to them.

Interesting side-note tidbit is that an even newer worm was written by someone and released. Its action was to patch the DCOM security hole and remove msblast.exe. So, an anti-virus virus. :)

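The three-stage sequence Newt describes (TCP/135 exploit attempt, TCP/4444 command shell, UDP/69 tftp fetch) is a pattern a defender can correlate in perimeter firewall logs. The script below is an added example, not code from the thread; it assumes a simple constructed log format, uses constructed sample lines (documentation IP ranges) and a five-minute correlation window, and reports which external/internal host pairs completed all three stages versus only the port-135 stage:

```python
"""Correlate the TCP/135 -> TCP/4444 -> UDP/69 stages per (attacker, victim) pair."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed: stages of one infection happen quickly

# Constructed sample log lines (not real traffic). The format is an assumption:
# "<ISO timestamp> <ACCEPT|DROP> <tcp|udp> <src_ip>:<port> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2003-08-12T09:00:01 ACCEPT tcp 203.0.113.7:1029 -> 192.0.2.10:135
2003-08-12T09:00:02 ACCEPT tcp 203.0.113.7:1030 -> 192.0.2.10:4444
2003-08-12T09:00:03 ACCEPT udp 192.0.2.10:1031 -> 203.0.113.7:69
2003-08-12T09:05:00 ACCEPT tcp 198.51.100.4:4001 -> 192.0.2.20:135
2003-08-12T09:05:01 DROP tcp 198.51.100.4:4002 -> 192.0.2.20:4444
2003-08-12T10:00:00 ACCEPT tcp 203.0.113.9:1100 -> 192.0.2.30:80
"""

def parse_line(line):
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, proto, src_ip, dst_ip, int(dst_port)

def stage_of(proto, src_ip, dst_ip, dst_port):
    """Map one accepted flow to a worm stage and its (attacker, victim) pair."""
    if proto == "tcp" and dst_port == 135:
        return "rpc135", (src_ip, dst_ip)
    if proto == "tcp" and dst_port == 4444:
        return "shell4444", (src_ip, dst_ip)
    if proto == "udp" and dst_port == 69:
        return "tftp69", (dst_ip, src_ip)    # the victim pulls msblast.exe from the attacker
    return None, None

def find_blaster_chains(log_text):
    """Return (complete, partial): pairs with all three stages inside WINDOW, and the rest."""
    first_seen = defaultdict(dict)            # pair -> {stage: first timestamp}
    for line in log_text.splitlines():
        ts, action, proto, src_ip, dst_ip, dst_port = parse_line(line)
        if action != "ACCEPT":                # a dropped packet never completed a stage
            continue
        stage, pair = stage_of(proto, src_ip, dst_ip, dst_port)
        if stage:
            first_seen[pair].setdefault(stage, ts)
    complete, partial = {}, {}
    for pair, stages in first_seen.items():
        if len(stages) == 3 and max(stages.values()) - min(stages.values()) <= WINDOW:
            complete[pair] = sorted(stages, key=stages.get)   # stages in time order
        else:
            partial[pair] = sorted(stages, key=stages.get)
    return complete, partial
```

A pair that only reaches the port-135 stage is still worth a look: it shows the exploit attempt got through the perimeter even if the shell connection was dropped.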

Newt:

Interesting side-note tidbit is that an even newer worm was written by someone and released. Its action was to patch the DCOM security hole and remove msblast.exe. So, an anti-virus virus. :)

Fascinating!!! Now I wonder who would do that???

Thanks for the explanation.

Roger.
