Security Incidents mailing list archives

Re: Blaster Recurrence


From: Neil Anderson <cleidh_mor () btopenworld com>
Date: Mon, 2 Feb 2004 20:35:18 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our company and some of our clients had several occurrences of Blaster 
re-appearing on patched machines after the first patch - we had to re-patch 
with an updated patch.

We found that the most direct route for infection was remote users with 
laptop/VPN/no firewall...  Try restricting remote access and I would get 
those infected machines off the network, re-installed and patched *before* 
reconnection to the network, but that's stating the obvious ;)

Also, if you can, shut down all currently unused switch ports so that foreign
machines can't be connected without you knowing.  If you get someone who has 
to connect a foreign machine, scan it first.

Hope this helps.

Cheers,
Neil

Network Engineer.

On Friday 30 January 2004 17:54, E. Jimmy Allotey wrote:
> I am seeing some new occurrences on reformatted machines on my network.
> They appeared on machines which were reformatted and connected to the
> network before installation of patches and anti-virus software
> (idiots!!!!) We have checked all the other machines here which were
> unaffected and they are fine.
>
> Our perimeters are blocked on all the named ports and yet the beast
> managed to get in....
>
> For fear of sounding stupid, does anybody have any ideas??
>
> E. Jimmy Allotey
> Network & Systems Security Engineer
> Tel: +233 24 310 788


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAHrSJ2h6w8BNEwKYRAuyAAJ9WH+udaCjUjYLdRJm6+7KeoFv9pgCeO6Gl
4y4xE+WDAi0/gxLcU1hofI0=
=f/G2
-----END PGP SIGNATURE-----

