My Doom Worm
Guy Fraser
guy at incentre.net
Tue Jan 4 18:27:25 UTC 2005
Just another good reason to use Linux.
As a network administrator I have set up Cisco NetFlows on
our core routers and check for anomalous traffic from
time to time. I have found a couple of customers with
SMTP engine type viruses. I have set up ingress and egress
filters on most of our routers, and filter a few ports used
by specific worms. We also block ports 139 and 445 to all but
a couple of customers who insist on using Windows sharing
without a VPN {Yikes}.
The most common worms use TCP ports 139 or 445 to locate
Windows machines, then proceed to abuse them. Another
side effect of SMTP engine worms is DNS load. Infected
machines make tons of DNS MX queries while attempting to
spew their payload. Using awk, sort and uniq it is possible
to discover the worms by analysing the DNS logs.
On Sun, 2005-02-01 at 07:21 +0000, Robert Slade wrote:
> Hiya,
>
> Someone using IP address 66.59.107.18 (emmdsl.static.pa.net) is sending
> out the Worm.Mydoom.M: As I only use this address for the fedora list
> there is a good chance they are also a member.
>
> Rob
>
--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
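An added example of the awk/sort/uniq approach described in the post above; this is not code from the original message. It assumes a BIND-style query log where each line carries "client IP#port: query: NAME IN TYPE", which is an assumption about the log format, and the sample log lines below are constructed for illustration (RFC 5737 addresses, example domains). It counts MX lookups per client and flags the clients whose count is at or above a threshold, which is the pattern an SMTP-engine worm leaves behind.

```shell
#!/bin/sh
# Added example, not from the original post. Log format is assumed to be
# BIND-style ("client IP#port: query: NAME IN TYPE"); sample lines are constructed.

SAMPLE_DNS_LOG='01-Feb-2005 07:20:01.001 client 192.0.2.10#1025: query: www.example.com IN A
01-Feb-2005 07:20:01.002 client 192.0.2.77#3021: query: example.net IN MX
01-Feb-2005 07:20:01.003 client 192.0.2.77#3022: query: example.org IN MX
01-Feb-2005 07:20:01.004 client 192.0.2.20#1100: query: mail.example.com IN A
01-Feb-2005 07:20:01.005 client 192.0.2.77#3023: query: webmail.example IN MX
01-Feb-2005 07:20:01.006 client 192.0.2.10#1026: query: example.com IN MX
01-Feb-2005 07:20:01.007 client 192.0.2.77#3024: query: freemail.example IN MX
01-Feb-2005 07:20:01.008 client 192.0.2.20#1101: query: lists.example.com IN A
01-Feb-2005 07:20:01.009 client 192.0.2.77#3025: query: isp.example IN MX
01-Feb-2005 07:20:01.010 client 192.0.2.10#1027: query: ns1.example.com IN AAAA'

# Read query-log lines on stdin; print "COUNT CLIENT_IP" for MX lookups,
# busiest client first. Only the token after "client" is used, with the
# "#port" suffix stripped, so the date/time prefix does not matter.
mx_queries_per_client() {
    awk '/ query: / && / IN MX($| )/ {
        for (i = 1; i < NF; i++)
            if ($i == "client") { split($(i + 1), a, "#"); print a[1]; break }
    }' | sort | uniq -c | sort -rn
}

# Read query-log lines on stdin; print "CLIENT_IP COUNT" for every client
# whose MX query count is at or above the threshold (default 20, an
# assumed starting point; tune it to the link). A normal desktop makes
# almost no MX queries, so even a low threshold separates worm victims
# from ordinary web browsing. Legitimate mail servers will also show up
# and should be excluded by hand or by an allow-list.
flag_mx_talkers() {
    threshold=${1:-20}
    mx_queries_per_client | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Stand-alone demo on the constructed sample; in production pipe the
# real log in, e.g.: flag_mx_talkers 20 < /var/log/named/query.log
printf '%s\n' "$SAMPLE_DNS_LOG" | flag_mx_talkers 3
```

On the sample log this reports 192.0.2.77 with five MX lookups and stays quiet about 192.0.2.10, which made a single MX query alongside its A and AAAA lookups. Running the same pipeline over a day of real query logs and cross-checking the flagged addresses against the NetFlow data for outbound TCP/25 sessions is the quickest way to confirm an infected host rather than a busy mail relay.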