nanog mailing list archives

Re: management interface accessability (was Re: Worm / UDP1434)


From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Sun, 26 Jan 2003 12:52:53 -0500



Therein lies the rub.  I'm curious -- every medium or large company I'm 
aware of had Code Red on the inside of the firewalls.  What happened 
this time?  Did it get inside?  If so, has anyone analyzed how?

I haven't seen any widespread behind the firewall exposure so far.

I think unlike code red / nimda, there are a few factors that 
help:

- most people with firewalls block 1434. This is not true for port 80,
as the web server is usually intended for the public.

- the worm is memory resident. Road warriors that are infected at home
or while traveling are unlikely to introduce this worm into the company
LAN as they come to work on Monday.
 
- this worm only uses port 1434 UDP. Nimda made it past a lot of firewalls
and NAT devices by spreading via e-mail and web clients.


-- 
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
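As an added illustration, not part of the original post: the question above ("did it get inside?") can be answered from firewall logs by looking for internal hosts that are themselves spraying UDP/1434 at many outside addresses, which is the behaviour of an infected machine rather than of the inbound scanning the firewall already drops. The log format, the internal address ranges and the sample lines are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (hypothetical format, not any vendor's).
SAMPLE_LOG = """\
Jan 27 08:01:02 fw1 DROP proto=UDP src=10.1.4.22:1434 dst=203.0.113.9:1434
Jan 27 08:01:02 fw1 DROP proto=UDP src=10.1.4.22:1434 dst=198.51.100.40:1434
Jan 27 08:01:03 fw1 DROP proto=UDP src=10.1.4.22:1434 dst=192.0.2.77:1434
Jan 27 08:01:03 fw1 DROP proto=UDP src=10.1.4.22:1434 dst=203.0.113.200:1434
Jan 27 08:01:05 fw1 ACCEPT proto=TCP src=10.1.7.5:51022 dst=203.0.113.9:80
Jan 27 08:01:06 fw1 DROP proto=UDP src=198.51.100.7:1434 dst=10.1.2.3:1434
Jan 27 08:01:07 fw1 DROP proto=UDP src=10.1.9.13:1434 dst=203.0.113.12:1434
"""

# Assumed internal address space of the site (adjust to the real LAN ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def internal_udp1434_sources(log_text: str, min_targets: int = 3) -> dict:
    """Map each internal source address to the number of distinct destinations it
    sent UDP/1434 to, keeping only hosts whose fan-out reaches min_targets.
    A high fan-out on a single UDP port from one inside host is the signature
    of an infected machine scanning outward, not of ordinary SQL Server use."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line, skip
        if m["proto"] != "UDP" or m["dport"] != "1434":
            continue  # only the worm's port and protocol matter here
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in INTERNAL_NETS):
            continue  # inbound scans from outside are expected and already dropped
        targets[str(src)].add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for host, fanout in internal_udp1434_sources(SAMPLE_LOG).items():
        print(f"{host}: {fanout} distinct UDP/1434 targets")  # prints 10.1.4.22: 4
```

Because the worm is memory resident, a host flagged this way will go quiet after a reboot, so the useful check is whether the same inside source keeps reappearing rather than a single spike.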

