virus/worms killing a network...

Jeff Vian jvian10 at charter.net
Sun Aug 1 06:36:53 UTC 2004


On Sat, 2004-07-31 at 23:09, Cristiano Soares wrote:
> The virus gets into the user machine by e-mail from other ISPs. There's no way I
> can block e-mail ports. I blocked ports TCP 4444, 135, 445 and UDP 69, known
> as ports that w32.blaster and other worms use to spread in the network. I
> really want to be able to scan every package that passes through the firewall
> and see which host it's coming from. Ex: host-192.168.1.175 is sending
> strange packages that may be a virus attack.
> 
> Thanks
> 
> Cristiano
> 

Just add the log option to the firewall rules for your internal hosts. 
Thus everything seen will be logged.  You then can scan the logs for
those hosts and see what ports they are trying to access, etc.



> 
> ----- Original Message ----- 
> From: "Jeff Vian" <jvian10 at charter.net>
> To: <lsomike at futzin.com>; "For users of Fedora Core releases"
> <fedora-list at redhat.com>
> Sent: Saturday, July 31, 2004 7:01 PM
> Subject: Re: virus/worms killing a network...
> 
> 
> > On Sat, 2004-07-31 at 16:14, Mike Klinke wrote:
> > > On Saturday 31 July 2004 15:56, Jeff Vian wrote:
> > >
> > > > > Assuming that your FC2 box is also acting as a firewall I'm
> > > > > curious as to how your network machines are getting infected. If
> > > > > you're not running a firewall you may strongly want to consider
> > > > > one.
> > > > >
> > > > > Regards, Mike Klinke
> > > >
> > > > Simple answer --
> > > > 1)  Uneducated users who open everything they get in the mail or by
> > > > instant messaging.
> > > > 2)  No virus protection software loaded/not updated.
> > > >
> > > > The firewall would not block mail, and clueless users are the most
> > > > dangerous thing on any network.
> > >
> > > If my memory serves me the msblaster worm spread primarily by way of
> > > the MS bug addressed by:
> > >
> > > http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
> > >
> >
> > That is the one he said was primary.  However, he did say other viruses
> > were in the mix as well.  And once it opened the back door from the
> > first machine it could then possibly provide access to outsiders to the
> > entire network.
> >
> > > but you're right that there was an e-mail vector as well. The other
> > > person needs to answer my question above before assuming it's only
> > > due to "stupid users."
> > >
> >
> > I agree that an answer to how the first infection got thru the firewall
> > (and if he has one) is the real issue here. Once the first one was
> > infected the rest are vulnerable because the source is inside any
> > firewall he had.
> >
> > > Regards,  Mike Klinke
> > >
> >
> >
> >
> >
> 
> 
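One way to do the log scan suggested in the reply above, as an added example that is not part of the original thread. It assumes the firewall is iptables, that internal traffic is logged with the LOG target under a hypothetical "LAN-OUT: " prefix, and that the sample log lines are constructed; the port list is the one given in the thread.

```python
import re
from collections import defaultdict

# Assumption: iptables firewall, LAN traffic logged with a rule such as
#   iptables -A FORWARD -s 192.168.1.0/24 -j LOG --log-prefix "LAN-OUT: "
# Ports the thread names as worm propagation ports.
WORM_PORTS = {("TCP", 4444), ("TCP", 135), ("TCP", 445), ("UDP", 69)}
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log lines in kernel LOG format (not from a real network).
_LINE = ("Aug  1 06:30:01 fw kernel: LAN-OUT: IN=eth1 OUT=eth0 SRC={s} DST={d} "
         "LEN=48 TTL=127 PROTO=TCP SPT=1034 DPT={dp} SYN")
SAMPLE_LOG = [_LINE.format(s=s, d=d, dp=dp) for s, d, dp in [
    ("192.168.1.175", "198.51.100.1", 135),
    ("192.168.1.175", "198.51.100.2", 135),
    ("192.168.1.175", "198.51.100.3", 135),
    ("192.168.1.175", "198.51.100.3", 135),   # repeat target, counted once
    ("192.168.1.175", "198.51.100.3", 4444),
    ("192.168.1.20", "203.0.113.80", 80),     # ordinary web traffic
    ("192.168.1.30", "198.51.100.9", 445),    # single target, below threshold
]]

def parse_line(line):
    """Return (src, dst, proto, dport), or None if the line is not a TCP/UDP LOG entry."""
    f = {}
    for key, value in FIELD.findall(line):
        f.setdefault(key, value)  # keep the outer header; ICMP errors embed a second one
    if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys() or not f["DPT"].isdigit():
        return None
    return f["SRC"], f["DST"], f["PROTO"], int(f["DPT"])

def suspicious_hosts(lines, min_targets=3):
    """Map source host -> {(proto, port): distinct destinations} for worm ports,
    keeping hosts that reached at least min_targets destinations on one port."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec and (rec[2], rec[3]) in WORM_PORTS:
            seen[rec[0]][(rec[2], rec[3])].add(rec[1])
    report = {}
    for src, ports in seen.items():
        hits = {k: len(v) for k, v in ports.items() if len(v) >= min_targets}
        if hits:
            report[src] = hits
    return report

if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_LOG).items():
        for (proto, port), n in sorted(hits.items()):
            print(f"{host}: {n} distinct targets on {proto}/{port}")
```

Counting distinct destinations per port, rather than raw packets, separates a host sweeping addresses from one that talks repeatedly to a single file server.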




