Unclean (Member), August 17, 2005:
http://www.cnn.com/2005/TECH/internet/08/1...worm/index.html
I got a call at midnight to come in and fix PCs. Right now, we've been concentrating just on comps for production, order entry, and laboratory equipment. But it's essentially shut down the company I work for -- the cost is to the tune of billions. No joke. Time to get some sleep. But for the rest of you -- anyone else have to deal with this issue? How's it been for you?
dwEEziL (Member), August 17, 2005:
Exploit came out Friday the 12th. I patched 6 servers earlier that day. Patched 9 more servers the next day by noon. My co-worker patched another 10 or so on Monday (most were IPSec'd so not easily exploitable). Tuesday (was out sick Monday) I looked over the servers for the exploits... All clean. Other departments here had their Domain Controllers compromised and have to reinstall both DCs.
Bubblegum Bandit (Member), August 17, 2005:
I've heard about this thing, but what does it actually do? I have had problems with my computers dropping IPs in my home network, and a little yellow triangle with a ! in the middle comes up on my little icon in the tray. Last night I just rebooted my router and comps and everything was fine until I went down and looked this morning. I was attributing it to the POS router I have needing to be replaced; could I be putting blame in the wrong place?
appalachian_fox (Member), August 17, 2005:
Managed to keep the Win2k systems secure enough that the worm didn't get in in the first place... but I have no evidence that the worm tried to grab my systems. All are patched now, so *phew*.
zerodamage (Guest), August 18, 2005:
Easily preventable with a firewall. Ensure these ports are closed down: 445, 33333, 1117, 8888, 6667
TheReverend(c) (Member), August 18, 2005:
Didn't get hit with it either, thank goodness. What doofus has the time and energy to come up with this crapola?
NOFX (Member), August 18, 2005:
It seems like this would only happen if you don't have a router. Surprisingly, many people don't have a router or firewall.
Unclean (Author), August 18, 2005:
NOFX -- perhaps at a personal level. But try telling that to our network group (comprised of about 400 employees, hundreds of routers, thousands of servers, etc).
Primus (Member), August 18, 2005:
That's good info, ZD. Thanks, I'm gonna keep that in mind. Didn't get hit here at home, but then I'm not a big company network either. Looks like the systems at work are OK.
NOFX (Member), August 18, 2005:
> NOFX -- perhaps at a personal level. But try telling that to our network group (comprised of about 400 employees, hundreds of routers, thousands of servers, etc).
Oh yes.. I completely understand; when you have that type of complexity it will be just a taaaaaaad bit difficult. Just off the top of my head, I would assume some of the internal routers are wide open, with the main security at the pipe going out. Someone brings their wireless laptop into the inside and BAM, everyone and their grandmother has it.
dwEEziL (Member), August 18, 2005:
> Easily preventable with a firewall. Ensure these ports are closed down: 445, 33333, 1117, 8888, 6667
Our forensics here show a few more ports as well. 3333 is used by Zotob, and the (?) signifies that at the time (Tuesday) we were unsure which of the other 3-4 variants used the ports.

If you believe you might be infected, you can check some of the following areas:

Open a DOS box and type "netstat -an" and check for the following listening ports:
- port 3333 TCP (Zotob)
- port 4470 TCP (?)
- port 529 (?)
- port 1321 (?)
- port 6969 (?)

Go to your %SystemRoot% folder (usually C:\Windows) and look for any new .exe files. The names used differ, so you should google any you are unsure of.

Also, in the registry, check all the "Run" hives (Run, RunOnce, RunOnceEx) in HKLM\Software\Microsoft\Windows\CurrentVersion and HKCU\Software\Microsoft\Windows\CurrentVersion.

Here's an early forensic report from one of my co-workers here at VT:

Braindump of the things we've seen so far as far as infected machines go:

The exploit appears to start by going and getting some malicious files via FTP (the config file for this is usually *.ocx). It then takes these files (one probably named msa32winocx.dll) and starts its own FTP server (ServU). It will then use a variety of tools (nc, winfw, sc) to do its dirty work, which includes at least:
- Installing a service (name varies I think, seen "Win Log Service" for sure) that makes the Server and Workstation services depend on it, making it annoying to stop and allowing it to spawn numerous other malicious tools.
- If using XP/2003, it looks like it will use winfw to poke holes in the firewall for you.
- Installs Radmin.
- Creates a new Administrator called "upback" and starts the Telnet service on a probably random port.
- Runs pwdump and stores a copy of the passwords in the hidden recycler folder (file name passd.txt).

There's probably much more it does, but those are the high points I noticed. The last of which is probably the most important/scary. If anyone notices this (particularly on a DC), I'd be interested to hear from you and we can work out a good resolution. Hope this is useful...
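An added triage example, written for this edit and not code from the thread or from the VT report quoted above: a PowerShell script that checks a Windows host for the indicators dwEEziL lists. The suspect port numbers, the "Win Log Service" name, the "upback" account, the Run/RunOnce/RunOnceEx keys and the passd.txt file name are taken from the post. The seven-day window used to decide what counts as a "new" executable, the use of netstat -ano (so it also works where Get-NetTCPConnection is unavailable) and the two Recycle Bin folder names are assumptions of this example. Run it from an elevated prompt; as dwEEziL notes further down, a clean result only means these particular indicators were not found.

```powershell
# Added triage script (not from the original thread). Port list, service name,
# account name, registry keys and file name come from the forum post; the 7-day
# "new file" window, netstat parsing and Recycle Bin folder names are assumptions.
#Requires -Version 3.0
$SuspectPorts  = 3333, 33333, 4470, 529, 1321, 6969     # from the post
$NewFileCutoff = (Get-Date).AddDays(-7)                  # assumption: "new" = last 7 days
$Findings      = @()

# 1. Listening TCP sockets. 'netstat -ano' adds the owning PID to the post's 'netstat -an'.
#    Lines look like:  TCP    0.0.0.0:3333    0.0.0.0:0    LISTENING    1234
$Listeners = foreach ($Line in (netstat -ano)) {
    if ($Line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        [pscustomobject]@{ Port = [int]$Matches[1]; ProcessId = [int]$Matches[2] }
    }
}
foreach ($L in ($Listeners | Where-Object { $SuspectPorts -contains $_.Port })) {
    $Proc = Get-Process -Id $L.ProcessId -ErrorAction SilentlyContinue
    $Findings += 'Listener on TCP {0} owned by PID {1} ({2})' -f $L.Port, $L.ProcessId, $Proc.Path
}

# 2. Autorun entries under both hives. Printed for manual review; any value whose
#    name starts with "PS" is skipped because those are provider metadata, not autoruns.
foreach ($Hive in 'HKLM', 'HKCU') {
    foreach ($Key in 'Run', 'RunOnce', 'RunOnceEx') {
        $Path = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\$Key"
        if (-not (Test-Path $Path)) { continue }
        $Props = (Get-ItemProperty -Path $Path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($P in $Props) { '{0}\{1} = {2}' -f $Path, $P.Name, $P.Value }
    }
}

# 3. Executables in %SystemRoot% written inside the cutoff window.
$RecentExe = Get-ChildItem -Path $env:SystemRoot -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $NewFileCutoff }
foreach ($F in $RecentExe) {
    $Findings += 'Recent EXE in SystemRoot: {0} ({1:u})' -f $F.FullName, $F.LastWriteTime
}

# 4. Artifacts named in the forensic report.
$Svc = Get-Service | Where-Object { $_.DisplayName -eq 'Win Log Service' }
foreach ($S in $Svc) { $Findings += 'Service present: "{0}" ({1}, {2})' -f $S.DisplayName, $S.Name, $S.Status }

# The report says the worm makes Server and Workstation depend on its service; show their dependencies.
foreach ($Core in 'LanmanServer', 'LanmanWorkstation') {
    $S = Get-Service -Name $Core -ErrorAction SilentlyContinue
    if ($S) { '{0} depends on: {1}' -f $Core, (($S.ServicesDependedOn | Select-Object -ExpandProperty Name) -join ', ') }
}

$Acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE AND Name = 'upback'"
if ($Acct) { $Findings += 'Local account "upback" exists (SID {0})' -f $Acct.SID }

$Telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue   # Windows Telnet server service
if ($Telnet -and $Telnet.Status -eq 'Running') { $Findings += 'Telnet server (TlntSvr) is running' }

foreach ($Bin in 'RECYCLER', '$Recycle.Bin') {                       # assumption: old/new bin folder names
    $Dump = Get-ChildItem -Path (Join-Path $env:SystemDrive $Bin) -Filter passd.txt -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($D in $Dump) { $Findings += 'Possible pwdump output: {0}' -f $D.FullName }
}

# Summary
if ($Findings.Count -eq 0) {
    'No indicators from the post were found. Review the Run-key and dependency output above by hand.'
} else {
    '{0} indicator(s) found:' -f $Findings.Count
    $Findings | ForEach-Object { " - $_" }
}
```

The Run-key listing and the service dependency lines are printed rather than flagged, because only a human who knows the host can say which entries are legitimate; the other checks are specific enough to be reported as findings.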
General J (Member), August 18, 2005:
> I've heard about this thing, but what does it actually do?
Our systems managed to play host to the worm, and it caused chaos. The computer would stay up for about 2-3 minutes, sometimes shorter or longer, then close out services.exe (if I remember correctly) so that Windows forced a restart. Only took the IT guys about 4.5 hours to get everything back up and running normally. When I got home, I saw that the security bulletin on MS's TechNet had been posted Sunday. It really amazed me that so many places had not patched up Monday.
Unclean (Author), August 18, 2005:
> Oh yes.. I completely understand; when you have that type of complexity it will be just a taaaaaaad bit difficult. Just off the top of my head, I would assume some of the internal routers are wide open, with the main security at the pipe going out. Someone brings their wireless laptop into the inside and BAM, everyone and their grandmother has it.
I'd love to strangle some of the people that bring in wireless devices from home and hook them up to the network. It's the security equivalent of a teller at a bank leaving the till drawer open all the time (even though the bank installed locks on the drawer). It completely defeats the purpose of having security...
Xterminator (Member), August 18, 2005:
Yeah, didn't get hit up here. None of the companies up here that I know of got hit. Somehow it stayed below the border. Hope you guys get everything up and running back to normal ASAP!
random_n00b (Member), August 19, 2005:
Wait... was that 3333 or 33333? Because if it's the former, then I have to change my remote desktop port. It was such an easy number to remember...
dwEEziL (Member), August 19, 2005:
Our forensic findings say it was both 3333 and 33333.
random_n00b (Member), August 19, 2005:
Aww. I remember I originally wanted to use port 666, but I looked up whether something else important used it, and found out that every trojan written since AOL was released used that port. Oh well.
TheReverend(c) (Member), August 19, 2005:
Unclean has a point. When I did on-call tech support for a banking system here in SD, my liaison to the company was a secretary that had no background in computers other than basic Windows business software. Whenever I got a call for a virus or bug or malicious spyware, I was always hard-pressed to explain to them the value of good antivirus and hardware/software firewalls. They were, after all, bankers.
General J (Member), August 20, 2005:
I watched as our IT guy did clean-up today of the aftermath. He had a program called Stinger, which I assumed was just a removal tool. Took a few minutes to search out all the files added and changed. Once it was done, it had removed 143 items. Makes you wonder how many remain on the system, even after that.
dwEEziL (Member), August 20, 2005:
The thing with a worm like this is that it infects and reports home to the hacker. You might be able to clean off all of the worm, but you have no idea what else the hacker might have installed (rootkit, remote access, etc).
TheReverend(c) (Member), August 20, 2005:
Think I'll get a copy of Stinger and give it a go.
zerodamage (Guest), August 21, 2005:
I am surprised Stinger actually got updated. Been several months since the last one.
tackleberry (Guest), August 21, 2005:
Can't say that I was a victim. Windows 2k.... SP5? 6? That's classic status to me... I imagine, though, a lot of businesses still use it. Just curious... what does the worm actually do? Just reboot servers repeatedly? Also, it seems as though there are a lot of IT people here... wondering if I could ask for help on this. I'm relatively new to Linux and don't really know a thing about security. I use my computer primarily for biology stuff and related programming... CS too, of course, but the work on the ReiserFS partitions is indeed in need of preservation. What type of precautions, antivirus, network configuration should I take? I've got my computer routered to the cable modem... running Xorg and CUPS... any suggestions? Much appreciation....
tackleberry (Guest), August 21, 2005:
Oh, and one more thing... I forgot... but does anybody know why my system time INSISTS on displaying in Greenwich Mean Time? The great thing about *nix is that there are those problems that have thorned your side for the longest but in actuality could be fixed within the confines of a single sentence line when presented to the right person. So I'm shooting... I've ln -sf'd /etc/localtime to the proper zone; date returns time in Greenwich but labeled in my proper zone, PDT. I reset date to actual local time, but every time it goes back to that 5 hr difference on reboot... whyness? Thanks in advance.
Unclean (Author), August 22, 2005:
> Whenever I got a call for a virus or bug or malicious spyware, I was always hard-pressed to explain to them the value of good antivirus and hardware/software firewalls. They were, after all, bankers.
Analogies work wonders. For antivirus software, I'd always explain it this way: New viruses come out all the time. If you don't update your software, it's only good for a little while. If you don't update your software, it's kinda like buying a car but never filling it up with gas. Sure, it'll get you somewhere, just not very far.