Educause Security Discussion mailing list archives

Re: Slammed by the SASSER?


From: James Riden <j.riden () MASSEY AC NZ>
Date: Sat, 9 Oct 2004 13:54:27 +1300

Eric Pancer <epancer () SECURITY DEPAUL EDU> writes:

> Monte Schmeiser wrote on Thu, 2004-10-07 at 22:14:24 -0700...
>
>> Does anyone have any initial thoughts on what might be going on and how
>> we should attack this problem.  At this point we are just going to
>> continue cleaning and patching workstations but are stumped with the
>> Exchange problem.
>
> Can you take a sample of machines and put them into a network with a
> transparent bridge just upstream? Then you can watch all network
> traffic and get a sense of what's going on from that small sample.
> Post your flows and we can assist more.

Definitely. We run a Linux/snort box plugged into the SPAN port of a
couple of major routers - this can pick up traffic based on
signatures, but will also show up machines which are currently
portscanning. Blaster showed up as linear scans on 135/tcp, Sasser as
more random scans on 445/tcp etc. RxBot shows up because it's busy
"phoning home" on IRC.

Even if you can get a box together with just tcpdump and perl for
analysis tools, that would help you enormously. Try to get some good
packet-sniffing capability together for next time - yes, there
probably will be a next time.

If you can post some traffic summaries (captures may be very big)
here, or to the incidents mailing list, someone can probably help out.

Once you know what it is, you can write VBScript to terminate
processes, delete registry keys and run e.g. "fixwelch.exe", or
whatever, on remote computers which are generating a lot of traffic,
or try to block the propagation method, etc.

cheers,
 Jamie
--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
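An added example, not from the original message or the list, in the spirit of the "tcpdump and perl" analysis box James describes: a small Python script that reads tcpdump -n style output and flags the two behaviours he names. It counts, per source host and destination port, how many distinct hosts received a bare SYN, and classifies a sweep as "linear" when the targets are consecutive addresses (the Blaster 135/tcp pattern) or "random" otherwise (the Sasser 445/tcp pattern); it also flags hosts making repeated outbound connection attempts to 6667/tcp, the IRC "phoning home" he mentions. The sample capture is constructed, not real traffic, and the thresholds, the IRC port and the exact tcpdump line layout are assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Matches one IPv4 TCP line from "tcpdump -n", e.g.
# 13:54:01.000000 IP 10.1.1.20.1026 > 10.2.0.1.135: Flags [S], seq 1, win 64240, length 0
TCP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def parse_syns(lines):
    """Yield (src, dst, dport) for every bare-SYN packet (Flags [S]); SYN-ACKs are skipped."""
    for line in lines:
        m = TCP_RE.match(line)
        if m and m.group(5) == "S":
            yield m.group(1), m.group(3), int(m.group(4))

def scan_pattern(hosts):
    """'linear' if the destination addresses are consecutive, otherwise 'random'."""
    ints = sorted(int(ipaddress.IPv4Address(h)) for h in hosts)
    gaps = [b - a for a, b in zip(ints, ints[1:])]
    return "linear" if gaps and all(g == 1 for g in gaps) else "random"

def find_suspects(lines, scan_threshold=8, irc_port=6667, irc_threshold=3):
    """Return {source_ip: reason} for hosts that look like they are scanning or phoning home."""
    attempts = defaultdict(int)   # (src, dport) -> number of SYNs sent
    targets = defaultdict(set)    # (src, dport) -> distinct destination hosts
    for src, dst, dport in parse_syns(lines):
        attempts[(src, dport)] += 1
        targets[(src, dport)].add(dst)
    findings = {}
    for (src, dport), hosts in sorted(targets.items()):
        if len(hosts) >= scan_threshold:
            findings[src] = f"{scan_pattern(hosts)} scan of {len(hosts)} hosts on {dport}/tcp"
        elif dport == irc_port and attempts[(src, dport)] >= irc_threshold:
            findings[src] = f"{attempts[(src, dport)]} outbound IRC connection attempts to {dport}/tcp"
    return findings

def _line(ts, src, sport, dst, dport, flags="S"):
    return f"{ts} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], seq 1, win 64240, length 0"

def build_sample():
    """Constructed capture (not real traffic) with three infected-looking hosts and one normal one."""
    lines = []
    # 10.1.1.20: linear sweep of 135/tcp across 10.2.0.1 .. 10.2.0.12 (Blaster-like)
    for i in range(1, 13):
        lines.append(_line(f"13:54:{i:02d}.000000", "10.1.1.20", 1025 + i, f"10.2.0.{i}", 135))
    # 10.1.1.21: scattered sweep of 445/tcp (Sasser-like)
    for i, last in enumerate([7, 193, 42, 250, 3, 118, 77, 160, 21, 205]):
        lines.append(_line(f"13:55:{i:02d}.000000", "10.1.1.21", 2000 + i, f"10.3.{i}.{last}", 445))
    # 10.1.1.22: repeated outbound connection attempts to one IRC server (bot phoning home)
    for i in range(4):
        lines.append(_line(f"13:56:{i:02d}.000000", "10.1.1.22", 3000 + i, "198.51.100.9", 6667))
    # 10.1.1.30: ordinary SMB session to one file server, plus the server's SYN-ACK back
    lines.append(_line("13:57:00.000000", "10.1.1.30", 4000, "10.1.1.5", 445))
    lines.append(_line("13:57:00.000100", "10.1.1.5", 445, "10.1.1.30", 4000, "S."))
    return lines

if __name__ == "__main__":
    # In practice feed it real output, e.g. tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0'
    for src, why in find_suspects(build_sample()).items():
        print(f"{src}: {why}")
```

Counting distinct destinations per source (rather than raw packet volume) is what separates a scanner from a busy but legitimate host such as a file server, and the consecutive-address check is a cheap way to tell a sequential sweep from a randomised one when deciding which cleanup tool to run.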

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.