Security Incidents mailing list archives
RE: Pubstro rash
From: k levinson <levinson_k () yahoo com>
Date: Thu, 17 Mar 2005 14:09:40 -0800 (PST)
-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]

> 3. Instead of a random high port, the installed FTP server listens on port 53. Which I can't block, because DNS may need to use it, right?
No. Destination ports TCP/UDP 53 should not be allowed inbound to your workstations. Dest ports TCP/UDP 53 are only needed in to your network if you have your own DNS server for resolution of your own domain names by clients on the Internet, and then it should only be to your DNS server. It sounds like your firewall rules could use some inspection.

Said another way, the rule on your firewall that permits Internet hacker:port x -> your network:port 53 is different than the rule that permits your clients:x -> Internet DNS:53, and blocking the former rule should have no effect on your internal clients accessing Internet DNS.

You may also seriously want to consider setting up your own DNS server, even a Windows one, so that no clients can send outbound to dest port TCP/UDP 53 to the Internet, only your DNS server. A proxy server or firewall that proxies is a possibility as well, to try to ensure that port 53 traffic is DNS and not something else being tunneled. Using NAT between your workstations and the Internet might have prevented some or all of this, if it is possible to do this in your environment.
> 5. At this point, I don't know how the machines are getting compromised initially. I'd appreciate if anyone else is seeing this pattern and has some insight they'd care to share.

These things are usually because of something well known, such as a missing patch, or via a security problem that has nothing to do with a patch, like a bad password or poorly configured settings. You can of course run MBSA from Microsoft to find what patches are missing, free from www.microsoft.com/mbsa. If MBSA states that all patches are installed, then it might be fruitful to hypothesize about other possible vectors. Knowing what ports are open inbound to the workstations and what, if anything, up-to-date AV scanners showed might be useful too.

- Karl
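The distinction Karl draws above (inbound Internet:x -> workstation:53 versus outbound client:x -> DNS:53, and outbound 53 only from the site's own resolver) can be checked against a ruleset before it goes on a firewall. The following is an added illustration, not code from the thread: a first-match rule evaluator in Python with an assumed 192.168.1.0/24 workstation LAN and an assumed internal DNS server at 192.168.1.53; it models new connections only, not the stateful return traffic a real firewall allows.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing for the example (not from the original thread).
INTERNAL = "192.168.1.0/24"       # workstation LAN
INTERNAL_DNS = "192.168.1.53/32"  # the site's own DNS server
ANY = "0.0.0.0/0"

def rule(direction, proto, src, dst, dport, action):
    """Build one rule: direction is 'in' (Internet -> LAN) or 'out' (LAN -> Internet);
    proto/dport of None match anything."""
    return (direction, proto, ip_network(src), ip_network(dst), dport, action)

# First match wins; anything unmatched is dropped (default deny).
RULES = [
    # Inbound 53 is only needed if you host your own zone, and then only to that box.
    rule("in",  "tcp", ANY, INTERNAL_DNS, 53, "accept"),
    rule("in",  "udp", ANY, INTERNAL_DNS, 53, "accept"),
    # Everything else inbound to the LAN is dropped; this is what stops the
    # FTP server squatting on port 53 from being reachable.
    rule("in",  None,  ANY, INTERNAL, None, "drop"),
    # Outbound 53 only from the internal resolver; workstations must use it.
    rule("out", "tcp", INTERNAL_DNS, ANY, 53, "accept"),
    rule("out", "udp", INTERNAL_DNS, ANY, 53, "accept"),
    rule("out", None,  INTERNAL, ANY, 53, "drop"),
    # Other outbound traffic is not the subject of the thread; left open here.
    rule("out", None,  INTERNAL, ANY, None, "accept"),
]

def evaluate(direction, proto, src, dst, dport, rules=RULES):
    """Return the action of the first rule matching this new connection."""
    s, d = ip_address(src), ip_address(dst)
    for r_dir, r_proto, r_src, r_dst, r_port, action in rules:
        if r_dir != direction or (r_proto is not None and r_proto != proto):
            continue
        if s not in r_src or d not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "drop"

def inbound_53_exposed(rules=RULES):
    """List accept rules that let the Internet reach port 53 on anything but the DNS server."""
    dns = ip_network(INTERNAL_DNS)
    return [(p, str(d)) for (r_dir, p, _s, d, port, act) in rules
            if r_dir == "in" and act == "accept" and port in (None, 53) and d != dns]

if __name__ == "__main__":
    # Constructed sample: Internet host 203.0.113.9 hitting the rogue FTP on a workstation.
    print(evaluate("in", "tcp", "203.0.113.9", "192.168.1.20", 53))   # drop
    print(evaluate("out", "udp", "192.168.1.53", "198.51.100.1", 53))  # accept
    print(inbound_53_exposed())                                         # []
```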