From: Kurt Kruegel (kurt@cybernex.net)
Date: Wed Aug 13 2003 - 12:58:17 GMT-3
oh daaaa
i guess i wanted to see how hard we were getting scanned
it's a 7200 vxr 512mb ram
using cef as normal switching mode
i had done this with sql slammer
and no problems
----- Original Message -----
From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
To: "'Kurt Kruegel '" <kurt@cybernex.net>; "'MADMAN '"
<dave@interprise.com>; "'Jung, Jin '" <jin.jung@lmco.com>
Cc: "''George Gittins' '" <g.gittins@edinburg.esc1.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 13, 2003 11:53 AM
Subject: RE: Virus Alert - W32.Blaster.Worm
> Anytime you have the log option on the ACL, you are process switching
> packets. Take the log statement out of the ACL for 135 definitely. I would
> take it out for 4444 and 69 also dependent on the platform. This will
> definitely hose your box :)
>
> ex:
> ip access-list ext cisco-n-microsoft-problem
> deny tcp any any eq 135
> deny tcp any any eq 445
> deny tcp any any eq 593
> deny 53 any any
> deny 55 any any
> deny 77 any any
> deny pim any any
> permit ip any any
>
> Thanks,
>
> Patrick B
>
> -----Original Message-----
> From: Kurt Kruegel
> To: MADMAN; Jung, Jin
> Cc: 'George Gittins'; ccielab@groupstudy.com
> Sent: 8/13/2003 10:45 AM
> Subject: Re: Virus Alert - W32.Blaster.Worm
>
> i used the access-list to try to block it and cpu freaked out
> and we had to power cycle
> anyone see a problem with this ?
>
> access-list 115 deny tcp any eq 4444 any log
> access-list 115 deny tcp any eq 135 any log
> access-list 115 deny udp any eq 69 any log
> access-list 115 deny icmp any any redirect
> access-list 115 deny ip 0.0.0.0 0.255.255.255 any
> access-list 115 deny ip 255.0.0.0 0.255.255.255 any
> access-list 115 deny ip 1.0.0.0 0.255.255.255 any
> access-list 115 deny ip 2.0.0.0 0.255.255.255 any
> access-list 115 deny ip 127.0.0.0 0.255.255.255 any
> access-list 115 deny ip 169.254.0.0 0.0.255.255 any
> access-list 115 deny ip 192.0.2.0 0.0.0.255 any
> access-list 115 deny ip 10.0.0.0 0.255.255.255 any
> access-list 115 deny ip 172.16.0.0 0.15.255.255 any
> access-list 115 deny ip 192.168.0.0 0.0.255.255 any
> own nets deleted
> access-list 115 permit ip any any
>
>
> ----- Original Message -----
> From: "MADMAN" <dave@interprise.com>
> To: "Jung, Jin" <jin.jung@lmco.com>
> Cc: "'George Gittins'" <g.gittins@edinburg.esc1.net>;
> <ccielab@groupstudy.com>
> Sent: Wednesday, August 13, 2003 11:11 AM
> Subject: Re: Virus Alert - W32.Blaster.Worm
>
>
> > Jung, Jin wrote:
> > > Hi Brian,
> > > Did you block tcp and udp port 135 ?
> > > Does it break windows netbios?
> > >
> > > I only blocked 4444 and 69, should I block 135 too?
> >
> > Yes.
> >
> > http://www.cert.org/advisories/CA-2003-20.html
> >
> > Dave
> >
> > >
> > > Thanks...
> > >
> > > -----Original Message-----
> > > From: George Gittins [mailto:g.gittins@edinburg.esc1.net]
> > > Sent: Wednesday, August 13, 2003 9:43 AM
> > > To: ccielab@groupstudy.com
> > > Subject: FW: Virus Alert - W32.Blaster.Worm
> > >
> > >
> > > Why port 135? Can you show an access-list?
> > >
> > > George Gittins
> > > Network Maintenance Supervisor
> > > ECISD
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Brown, Patrick (NSOC-OCF}
> > > Sent: Tuesday, August 12, 2003 7:58 PM
> > > To: 'Snow, Tim '; ''ccielab@groupstudy.com' '
> > > Subject: RE: Virus Alert - W32.Blaster.Worm
> > >
> > > Getting about 20,000 hits a second on ACL referencing port 135. Plus Arp
> > > process is going through the roof until acl is applied.
> > >
> > > Patrick B
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Snow, Tim
> > > To: 'ccielab@groupstudy.com'
> > > Sent: 8/11/2003 10:14 PM
> > > Subject: Virus Alert - W32.Blaster.Worm
> > >
> > > Anyone else going through the W32.Blaster.Worm?
> > >
> > >
> > > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> > >
> > > Big pain in the ....
> > >
> > > Tim
> > >
> > >
> > > Timothy Snow
> > > CCIE #12042
> > > EDS - Network Operations
> > > MS 3B
> > > 1075 W. Entrance Drive
> > > Auburn Hills, MI 48326
> > >
> > > * phone: +01-248-754-7900
> > > * mailto:timothy.snow@eds.com
> > > pager: 888-351-4584
> > > www.eds.com
> > >
> > >
> > >
> _______________________________________________________________________
> > > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > David Madland
> > CCIE# 2016
> > Sr. Network Engineer
> > Qwest Communications
> > 612-664-3367
> >
> > "Government can do something for the people only in proportion as it
> > can do something to the people." -- Thomas Jefferson
> >
>
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:58 GMT-3
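
An added example, not part of the original messages: a small Python audit of IOS extended-ACL lines that flags entries carrying `log` (the process-switching cost described in the thread) and entries whose `eq` follows the source address, which in IOS syntax matches the source port rather than the destination port. The function names and the sample input, assembled from ACL lines quoted above, are assumptions of this example; only `eq` port matches are parsed.

```python
# Added example: audit IOS extended-ACL entries for the two issues discussed above.
# SAMPLE_ACL is constructed from ACL lines quoted in the thread.
SAMPLE_ACL = """\
access-list 115 deny tcp any eq 4444 any log
access-list 115 deny tcp any eq 135 any log
access-list 115 deny udp any eq 69 any log
access-list 115 deny icmp any any redirect
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 permit ip any any
"""

def _take_addr(tok, i):
    """Skip one address spec: 'any' is one token, 'host A' or 'A WILDCARD' is two."""
    return i + 1 if i < len(tok) and tok[i] == "any" else i + 2

def _take_port(tok, i):
    """Read an optional 'eq PORT' at position i; return (port or None, next index)."""
    if i + 1 < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i

def parse_ace(line):
    """Parse 'action proto src [eq p] dst [eq p] [log]', numbered or named form."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]                      # drop 'access-list N'
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    ace = {"action": tok[0], "proto": tok[1], "line": line.strip()}
    i = _take_addr(tok, 2)
    ace["src_port"], i = _take_port(tok, i)   # 'eq' after the source = source port
    i = _take_addr(tok, i)
    ace["dst_port"], i = _take_port(tok, i)   # 'eq' after the destination = dest port
    ace["log"] = any(k in ("log", "log-input") for k in tok[i:])
    return ace

def audit(config):
    """Return (finding, line) pairs: 'log' entries and source-port-only matches."""
    findings = []
    for line in config.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["log"]:
            findings.append(("log", ace["line"]))
        if ace["src_port"] and not ace["dst_port"]:
            findings.append(("src-port-only", ace["line"]))
    return findings

if __name__ == "__main__":
    for kind, line in audit(SAMPLE_ACL):
        print(f"{kind:14} {line}")
```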