Re: management interface accessability (was Re: Worm / UDP1434)

["Steven M. Bellovin" <smb () research att com>]

In message <20030126172907.GA31694 () f00f org>, Chris Wedgwood writes:
> On Sun, Jan 26, 2003 at 01:37:16AM +0000, Paul Vixie wrote:
>
> > ... If you are relying on their ACL's to protect your telnet and
> > snmp access, but are otherwise allowing their management interfaces
> > to hear traffic from the whole Internet, then you should turn in
> > your badge and go back to bagging groceries or whatever it is you
> > used to do.
>
> Some would argue this should apply to those exposing MSSQL to the
> outside world such that it could even receive malicious port 1434
> packets...

Therein lies the rub.  I'm curious -- every medium or large company I'm 
aware of had Code Red on the inside of the firewalls.  What happened 
this time?  Did it get inside?  If so, has anyone analyzed how?


                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)