Full Disclosure mailing list archives
RE: another new worm submission
From: "Perrymon, Josh L." <PerrymonJ () bek com>
Date: Sun, 6 Jun 2004 22:35:46 -0500
I agree. Anyone that would have those ports open has a *lot more to worry about that cleaning a few worm infections. That's not the case here. This infection was caused by a remote user not a Lan user. With several hundred laptops it's hard have 0 exposure. As with any growing security practice and today's decreased budgets areas of focus are determined on risk exposure. Anywho- I found the Trojan to be backdoor.nibu.g- although Symantec AV didn't pick it up until tonight. I think this is a good example that perimeter security is only part of the battle. Tomorrow's morning meeting will stress the importance of desktop firewalls again and a good patch management process. You can talk until your blue in the face to upper management but I find 90% to be reactive. Oh well- JP -----Original Message----- From: Ron DuFresne [mailto:dufresne () winternet com] Sent: Saturday, June 05, 2004 5:38 PM To: Jerry Heidtke Cc: Paul Schmehl; full-disclosure () netsys com Subject: Re: [Full-disclosure] another new worm submission [SNIP]
How are these system getting compromised? Why don't you have this patch deployed yet? Why are these systems reachable from the Internet over port 445?For someone who knows nothing about his network, you sure are willing to make a lot of assumptions. You admit you don't know how the systems were compromised and you don't know what compromised them, yet you castigate him for leaving port 445 open and not patching and you assume this happened *remotely*?
[SNIP]
You're right, I made an assumption that the systems were being compromised remotely rather than being deliberately and maliciously hacked by insiders. Would this somehow be less of a problem? Having systems with routable addresses reachable through port 445 is the most likely avenue of compromise, if this is not the case then Josh would be well advised to determine exactly what is going on with his network.
Agreed here, anyone sitting with exposed windows specific ports on the insecure Internet <e.g. 445, 135-139, udp as well as tcp, etc> is pretty much deserving of what hits them these days. Without tackling that side of the coin, it's going to be pretty hard for these folks to determine if the troubles they are facing is internal or not. Without control of the perimiter choke point, how can one even think to start to look at controls of the whole danged wire inside? Perhaps we need to adapt personal firewall day to a monthly thing for the next 5 years or more to help these clueless souls. [SNIP] Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- another new worm submission Perrymon, Josh L. (Jun 04)
- Re: another new worm submission Axel Pettinger (Jun 04)
- Re: another new worm submission insecure (Jun 04)
- Re: another new worm submission Paul Schmehl (Jun 04)
- Re: another new worm submission Jerry Heidtke (Jun 04)
- Re: another new worm submission Ron DuFresne (Jun 05)
- Re: another new worm submission Paul Schmehl (Jun 04)
- Re: another new worm submission Christoph Gruber (Jun 07)
- Re: another new worm submission Christoph Gruber (Jun 08)
- Re: another new worm submission Christoph Gruber (Jun 08)
- Re: another new worm submission Christoph Gruber (Jun 08)
- <Possible follow-ups>
- RE: another new worm submission Perrymon, Josh L. (Jun 06)
- RE: another new worm submission Schmehl, Paul L (Jun 07)