From: McCammon, Keith (Keith.McCammoneadvancemed.com)
Date: Tue Sep 18 2001 - 16:33:41 CDT

    There are a few things that you can do to mitigate risk:

    1) Patch. Then patch again. This will keep out most of the nasties most of
    the time.

    2) Configure your firewall to inspect http if possible and drop on common
    strings such as */cmd.exe*, *root.exe*, *.dll*, etc. This keeps most of the
    known and surely nasties away from your web server.

    3) Ensure that router ACLs and firewall rules are configured correctly to
    drop un-established requests from your web servers to the internet. In the
    event that numbers one and two both fail (not very likely in a case like
    this), your server will be hosed, but at least you won't pollute the rest of
    the world with the worm.

    Hardly comprehensive, but it's a start!

    Keith
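    As an added illustration of step 2 above (this is editor-supplied example
    code, not anything Keith or the other posters wrote): a small request-line
    filter that drops the strings he lists (cmd.exe, root.exe, .dll). The one
    detail a naive string match gets wrong is encoding: the same file name can
    arrive as CMD%2Eexe, or behind a double-encoded traversal such as ..%255c..,
    so the filter normalizes the request target (bounded repeated
    percent-decoding, backslash to slash, case-folding) before it looks for the
    strings. All sample request lines are constructed for this example, not
    captured worm traffic, and the pattern names are our own choice.

```python
"""Added example (not from the original thread): normalize-then-match filter
for HTTP request lines, in the spirit of "drop on cmd.exe / root.exe / .dll".

Sample requests below are constructed for this example, not real captures.
"""
import re
from urllib.parse import unquote

# Strings named in the thread, as regexes applied to the *normalized* target.
# Note: ".dll" also matches legitimate ISAPI extensions, which is the price of
# the wildcard as stated; tune before deploying.
BLOCK_PATTERNS = {
    "cmd.exe": re.compile(r"cmd\.exe"),
    "root.exe": re.compile(r"root\.exe"),
    ".dll": re.compile(r"\.dll\b"),
}

MAX_DECODE_ROUNDS = 3  # bounded so a hostile string cannot make us loop

REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/(?P<ver>\d\.\d)$"
)


def normalize_target(target: str) -> str:
    """Canonicalize a request target so encoding cannot hide a file name.

    - percent-decode repeatedly (bounded) so %25-style double encoding unwraps
    - treat backslashes as slashes, as IIS does
    - lower-case, since Windows paths are case-insensitive
    """
    decoded = target
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded, errors="replace")
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify_request(line: str):
    """Return (verdict, reason) for one raw HTTP request line.

    "drop" when a blocked string appears in the normalized target, "allow"
    otherwise. Unparseable lines are dropped too: a filter that cannot parse
    a request cannot vouch for it.
    """
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return "drop", "malformed request line"
    target = normalize_target(m.group("target"))
    for name, pat in BLOCK_PATTERNS.items():
        if pat.search(target):
            return "drop", f"matched {name}"
    return "allow", ""


def filter_requests(lines):
    """Classify a batch of request lines; returns (line, verdict, reason)."""
    return [(line, *classify_request(line)) for line in lines]


# Constructed sample traffic (hypothetical, for this example only).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%5c../..%5c../winnt/system32/CMD%2Eexe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /isapi/app.dll?q=1 HTTP/1.0",
    "GET /cgi-bin/search?q=cmd HTTP/1.0",
]

if __name__ == "__main__":
    for line, verdict, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"{verdict:5} {reason:24} {line}")
```

    Two things worth noticing when you run it: the CMD%2Eexe and ..%255c..
    variants are only caught because matching happens after normalization, and
    the bare word "cmd" in a query string is left alone, so the filter is not
    simply grepping for substrings in the raw line.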

    -----Original Message-----
    From: Ferris, Thomas M [mailto:Thomas.Ferrisnmci-isf.com]
    Sent: Tuesday, September 18, 2001 1:52 PM
    To: JKruser; Pedro Miller Rabinovitch; forensicssecurityfocus.com
    Cc: focus-mssecurityfocus.com; focus-idssecurityfocus.com
    Subject: RE: New worm? 'readme.eml'

    What would be a good solution for this, or is there an exact plan of
    attack to defend against this?

    Thanks in Advance.

    ================
    Thomas M. Ferris
    IA - Incident Response
    NMCI San Diego NOC
    ================

    -----Original Message-----
    From: JKruser [mailto:jkruseradelphia.net]
    Sent: Tuesday, September 18, 2001 10:07
    To: Pedro Miller Rabinovitch; forensicssecurityfocus.com
    Cc: focus-mssecurityfocus.com; focus-idssecurityfocus.com
    Subject: RE: New worm? 'readme.eml'

    I also see a very serious possibility of this worm interacting with the
    still prevalent Sircam virus. Nimda, when it infects, opens share drives on
    the infected PC... Sircam will scan for open shares on an internal network
    or cable subnet and infect the remote PC without user interaction. This
    could effectively increase the spread of Sircam exponentially and, due to
    the remailing capability of Sircam, could shut down mail servers in a short
    period of time.

    I have not verified this possibility but it sounds feasible.

    Claymore
    the unprofound