Educause Security Discussion mailing list archives
Re: Slammed by the SASSER?
From: James Riden <j.riden () MASSEY AC NZ>
Date: Sat, 9 Oct 2004 13:54:27 +1300
Eric Pancer <epancer () SECURITY DEPAUL EDU> writes:
> Monte Schmeiser wrote on Thu, 2004-10-07 at 22:14:24 -0700...
>
> > Does anyone have any initial thoughts on what might be going on and how
> > we should attack this problem? At this point we are just going to
> > continue cleaning and patching workstations but are stumped with the
> > Exchange problem.
>
> Can you take a sample of machines and put them into a network with a
> transparent bridge just upstream? Then you can watch all network traffic
> and get a sense of what's going on from that small sample. Post your
> flows and we can assist more.
Definitely. We run a Linux/snort box plugged into the SPAN port of a couple
of major routers - this can pick up traffic based on signatures, but will
also show up machines which are currently portscanning. Blaster showed up
as linear scans on 135/tcp, Sasser as more random scans on 445/tcp etc.
RxBot shows up because it's busy "phoning home" on IRC.

Even if you can get a box together with just tcpdump and perl for analysis
tools, that would help you enormously. Try to get some good packet-sniffing
capability together for next time - yes, there probably will be a next
time.

If you can post some traffic summaries (captures may be very big) here, or
to the incidents mailing list, someone can probably help out.

Once you know what it is, you can write VBScript to terminate processes,
delete registry keys and run e.g. "fixwelch.exe", or whatever, on remote
computers which are generating a lot of traffic, or try to block the
propagation method, etc.

cheers,
 Jamie

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
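The kind of traffic summary Jamie describes above (a sniffer box that shows which hosts are sweeping 135/tcp or spraying 445/tcp, and which are talking to IRC) is sketched below as an added example; it is not code from the original post or from Massey University. It assumes `tcpdump -n -tt` style SYN lines as input, treats 6667/tcp as the IRC "phone home" port (a heuristic, not something the thread states), and uses a threshold of five distinct targets per port to call a host a scanner; all sample traffic, addresses and thresholds are constructed for illustration.

```python
"""Flag worm-style scanners and IRC "phone home" hosts in tcpdump output.

Added example, not from the original thread. Assumes `tcpdump -n -tt` style
SYN lines; the sample traffic below is constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# One outbound SYN per line, e.g.
#   1097284467.1 IP 10.0.1.20.1034 > 10.0.2.5.445: Flags [S], seq 1, win 64240, length 0
SYN_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\]"
)

IRC_PORTS = {6667}  # assumption/heuristic: plain IRC, where RxBot-era bots met their C&C


def parse_syns(lines):
    """Yield (src, dst, dport) for every line that matches the tcpdump SYN format."""
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def classify_pattern(dsts):
    """'linear' if the targets form a contiguous sweep (Blaster-like), else 'random' (Sasser-like)."""
    addrs = sorted(int(ipaddress.IPv4Address(d)) for d in dsts)
    gaps = [b - a for a, b in zip(addrs, addrs[1:])]
    step_of_one = sum(1 for g in gaps if g == 1)
    # tolerate a few missed hosts in an otherwise sequential sweep
    return "linear" if gaps and step_of_one >= 0.8 * len(gaps) else "random"


def summarize(lines, min_targets=5):
    """Count distinct targets per (source, port); sources at or above min_targets are scanners.

    Returns {"scanners": {(src, dport): (count, pattern)}, "irc": {src: [servers]}}.
    """
    targets = defaultdict(set)  # (src, dport) -> distinct destination hosts
    irc = defaultdict(set)      # src -> IRC servers contacted
    for src, dst, dport in parse_syns(lines):
        targets[(src, dport)].add(dst)
        if dport in IRC_PORTS:
            irc[src].add(dst)
    scanners = {
        key: (len(dsts), classify_pattern(dsts))
        for key, dsts in targets.items()
        if len(dsts) >= min_targets
    }
    return {"scanners": scanners, "irc": {s: sorted(d) for s, d in irc.items()}}


def _syn(src, sport, dst, dport, ts=1097284467.0):
    """Build one constructed tcpdump line for the sample below."""
    return f"{ts:.6f} IP {src}.{sport} > {dst}.{dport}: Flags [S], seq 1, win 64240, length 0"


# Constructed sample: a Blaster-like linear sweep of 135/tcp, a Sasser-like
# random spray on 445/tcp, one bot joining IRC, and one ordinary web client.
SAMPLE_LINES = (
    [_syn("10.0.1.20", 1034 + i, f"10.0.2.{i + 1}", 135) for i in range(8)]
    + [_syn("10.0.1.33", 2000 + i, d, 445) for i, d in enumerate(
        ["10.0.2.17", "10.0.9.201", "10.3.44.5", "10.0.2.250", "10.7.1.9", "10.0.100.3"])]
    + [_syn("10.0.1.40", 3311, "198.51.100.7", 6667)]
    + [_syn("10.0.1.50", 4000, "10.0.5.5", 80)]
)

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for (src, dport), (n, pattern) in sorted(report["scanners"].items()):
        print(f"{src} -> {n} hosts on {dport}/tcp ({pattern} scan)")
    for src, servers in report["irc"].items():
        print(f"{src} phoning home to IRC: {', '.join(servers)}")
```

On a real SPAN-port box you would feed it the output of something like `tcpdump -n -tt 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` instead of the constructed list; counting distinct destination hosts per source (rather than raw packets) is what separates a scanning workstation from a busy but legitimate server, and the linear/random split is the same difference Jamie points to between Blaster and Sasser.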
Current thread:
- Slammed by the SASSER? Monte Schmeiser (Oct 07)
- <Possible follow-ups>
- Re: Slammed by the SASSER? Eric Pancer (Oct 07)
- Re: Slammed by the SASSER? Monte Schmeiser (Oct 07)
- Re: Slammed by the SASSER? James Riden (Oct 08)