Security Incidents mailing list archives

Re: Q328691 ?


From: Jon <warchild () spoofed org>
Date: Fri, 6 Sep 2002 19:21:15 -0400

There's been some discussion at the link below. One
person says he's been aware of this for a number of
weeks, and that weak passwords may be playing a part.

http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=12009443&m=6340983235

If it is simply an attack against machines with weak and/or nonexistent
passwords on administrative accounts, frankly I'm not surprised in the
least.

We all know of large networks who were very lenient regarding the access to
the standard web ports.  The likes of CodeRed, Nimda, and their spawn have
changed things quite a bit.  It took incidents of such a magnitude to get
things cleaned up. 

I certainly can't speak for all providers, but for every provider that I
know of that does block in/outbound netbios traffic, I can name 2 that
don't.  I understand that blocking said traffic can have a negative impact
on productivity and whathaveyou, but I also have a pretty good
understanding of what risk *not* blocking this traffic poses.

I know I'm probably just restating the obvious...

It will be interesting to see what the real cause of these incidents boils
down to.  If it is indeed an attack against weak passwords, this is
obviously nothing new and the same attack could trivially be mounted
against weak administrative passwords on UNIX boxen via ssh, telnet, or
your program of choice.  On the other hand, if the cause is some
yet-to-be-disclosed bug, the problem could go any number of directions.

My $.03.

Cheers and good luck,

-jon
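The post's practical point is that many providers still pass NetBIOS traffic in and out, and that weak administrative passwords make exposed hosts easy prey. The following is an added example (not Jon's code and not from the list): a small Python check that reads firewall log lines in a constructed, assumed format and reports which NetBIOS/SMB flows were accepted, plus external sources that reached those ports on several internal hosts. The port set, log format and sample lines are all my assumptions; port 445 (direct-hosted SMB) is included alongside 137-139 because it is normally filtered together with them, though the post itself only mentions "netbios traffic".

```python
import re
from collections import defaultdict

# Ports the post refers to as "netbios traffic" (137-139), plus 445, the
# direct-hosted SMB port usually filtered with them (my addition, not the post's).
NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed sample lines in an assumed, simplified firewall-log shape
# (not the output of any real product): action, direction, addresses, proto, port.
SAMPLE_LOG = """\
ACCEPT dir=in src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=139
ACCEPT dir=in src=203.0.113.5 dst=192.0.2.11 proto=tcp dport=139
ACCEPT dir=in src=198.51.100.7 dst=192.0.2.10 proto=udp dport=137
DROP dir=in src=198.51.100.9 dst=192.0.2.12 proto=tcp dport=445
ACCEPT dir=out src=192.0.2.20 dst=203.0.113.77 proto=tcp dport=445
ACCEPT dir=in src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+) dir=(?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def netbios_exposure(log_text):
    """Return the NetBIOS/SMB flows the firewall ACCEPTed, keyed by direction.

    Each direction maps (src, dst, proto, dport) -> number of accepted hits.
    Dropped traffic and non-NetBIOS ports are ignored; they are not exposure.
    """
    findings = {"in": defaultdict(int), "out": defaultdict(int)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dport"] not in NETBIOS_PORTS:
            continue
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        findings[rec["dir"]][key] += 1
    return {direction: dict(hits) for direction, hits in findings.items()}


def inbound_scanners(log_text, min_targets=2):
    """External sources that were allowed to reach NetBIOS ports on min_targets or more internal hosts."""
    targets = defaultdict(set)
    for (src, dst, _proto, _port) in netbios_exposure(log_text)["in"]:
        targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)


if __name__ == "__main__":
    exposure = netbios_exposure(SAMPLE_LOG)
    for direction in ("in", "out"):
        for (src, dst, proto, port), count in sorted(exposure[direction].items()):
            print(f"{direction:3} {src:>15} -> {dst:<15} {proto}/{port} x{count}")
    print("sources hitting several hosts:", inbound_scanners(SAMPLE_LOG))
```

Any non-empty "in" result means the border filter is passing NetBIOS/SMB, which is exactly the condition the post is warning about; the "out" bucket catches internal hosts talking NetBIOS to the outside, which is the other half of the in/outbound blocking Jon describes.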

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com