Blaster/Nachi: Firewall is not enough!!...
jarbob69 2003-10-19, 12:14 am
This is just a reminder, since most of you know this already. So did I. But people higher on the totem pole than I weren't as concerned.
We made it through the infamous week that Blaster hit quite well. None of our nearly 1000 Windows-based workstations nor the 40-50 NT/2K/2K3 servers were affected. I had long before implemented a strict virus signature update policy on all the servers so that NetShield would grab updates twice daily, and all unnecessary services have been turned off. The firewall admin has always been very strict on denying all traffic from the outside except web and smtp. I made sure the RRAS server and Terminal Server had the RPC hotfix installed soon after the problem became known, to prevent any possibility of a worm penetrating from the outside. The rest of the servers I had scheduled for hotfix installations. And it kept being pushed further back. They are production systems, I was told, why could I not understand that people don't like to have down time on a production system? Besides, we're blocking 135-139 at the firewall, and all the servers are running AV software, that is more than enough, right?
Well one morning last week, suddenly two very important servers seem to drop from the network. We run into the server area, and one by one, each screen is flooded by console messages regarding SVCHOST.EXE and DLLHOST.EXE being infected with Nachi and being subsequently deleted. NetShield winds up crashing on most of the servers and the worm spreads through our corporate office to most of the 2K servers and some of the workstations. We disconnect the entire server room and begin the clean up. It didn't take that long to get the servers patched and cleaned. Finally, I got the downtime I needed to install the patches.
Then, "coincidentally", a Nortel WAN router drops from the face of the earth. This router hosts a link that must stay up for us to do business.
No way this could be worm related, or so I was told. I was too busy checking out workstations to have time to argue, but I knew better. It turned out that infected hosts were ping flooding the serial interface on the router causing a buffer overflow. To prevent further DoS, the WAN guys had to implement ICMP filtering on all the routers in the company. Three days of lost time for me. Also, since the Backup Exec server was powered off in the middle of a job, it lost its mind and BE had to be completely reinstalled. More lost time for our department...
All of this was because some outside consultant was allowed to plug in his laptop to our production network and no one thought to check out his machine first. You can have the outside locked down like Alcatraz, but that won't stop someone from physically bringing a worm into your building!!! I am suddenly looking wiser to my supervisors, so this experience hasn't been totally bad.
So, if you are lagging behind on installing those hotfixes, get off your dead @$$es and get it done before something similar happens to you!!!
DSComputers 2003-10-19, 12:56 am
Funny how with security you're "just paranoid" until something bad happens.
darthfeces 2003-10-19, 12:59 am
yeah it sucks
i agree my perimeter is really locked down
and we've got welchia crawling through our network.
there are actually so many devices scanning
that i turned on a box that hadn't been on in a while and it got whacked before i could patch. it took less than 5 minutes!
we've also been forced to implement a guest network so people can have the ease of plugging in. it's implemented as a dmz, so it's protected from the inside. our dialup is also set up this way.
we still got welchia. people don't ever patch their friggin computers. laptops that get brought home get whacked at home, then they bring it to work.
also vpn hosts are considered an extension of your security perimeter. even if you have antivirus it's more reactive, then like a pc firewall. don't patch for dcom and you'll get whacked.
here are some links that helped.
http://eeye.com/html/Research/Tools/RPCDCOM.html
http://www.cisco.com/en/US/netsol/n...0801b2391.shtml
http://securityresponse.symantec.co...lchia.worm.html
jarbob69 2003-10-19, 12:18 pm
The quickest way I was able to find the hosts that were infected was to use a packet sniffer and filter for ICMP traffic. Nachi/Welchia sends pings to potential victims before it strikes.
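One repeatable way to do what jarbob69 describes above, as an added example that is not from this thread: a small Python script that reads tcpdump-style ICMP lines (a constructed sample is embedded, with 10.0.0.7 playing the infected host) and flags any source that pings many distinct targets within a short window. That sweep pattern is the pre-attack ping Nachi/Welchia sends, and the same per-source counting shows which hosts were behind the ICMP volume that took down the WAN router in the first post. Thresholds and the host addresses are assumptions.

```python
# Flag hosts that sweep-ping the network, the behaviour Nachi/Welchia shows
# before it attacks. Added example; the capture below is constructed.
import re
from collections import defaultdict

# Constructed tcpdump-style output; 10.0.0.7 plays the infected host.
SAMPLE_CAPTURE = """\
12:01:00.000100 IP 10.0.0.7 > 10.0.1.1: ICMP echo request, id 512, seq 1, length 100
12:01:00.000900 IP 10.0.0.7 > 10.0.1.2: ICMP echo request, id 512, seq 1, length 100
12:01:00.001700 IP 10.0.0.7 > 10.0.1.3: ICMP echo request, id 512, seq 1, length 100
12:01:00.002500 IP 10.0.0.7 > 10.0.1.4: ICMP echo request, id 512, seq 1, length 100
12:01:00.003300 IP 10.0.0.7 > 10.0.1.5: ICMP echo request, id 512, seq 1, length 100
12:01:00.004100 IP 10.0.0.7 > 10.0.1.6: ICMP echo request, id 512, seq 1, length 100
12:01:01.000000 IP 10.0.0.20 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
12:01:01.100000 IP 10.0.0.1 > 10.0.0.20: ICMP echo reply, id 1, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\S+) > (\S+): ICMP echo request"
)

def parse_echo_requests(text):
    """Yield (seconds_since_midnight, src, dst) for each echo request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # echo replies and non-ICMP lines are ignored
        h, mi, s, us, src, dst = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6, src, dst

def find_sweepers(text, min_targets=5, window=1.0):
    """Return {src: distinct_targets} for sources that ping at least
    min_targets different hosts inside any `window` seconds (a subnet sweep)."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for ts, src, dst in parse_echo_requests(text):
        events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            in_window = {d for t, d in evs[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if best >= min_targets:  # a normal ping to one host never trips this
            hits[src] = best
    return hits

if __name__ == "__main__":
    for src, n in find_sweepers(SAMPLE_CAPTURE).items():
        print(f"possible sweep-scanner {src}: {n} distinct targets pinged")
```

Feed it real output from `tcpdump -n icmp` and the flagged sources are the machines to pull off the wire first.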
thebonzodog 2003-10-20, 8:34 am
Out of curiosity what happened to the outside consultant?
enforcer 2003-10-21, 7:35 am
quote: Originally posted by thebonzodog
Out of curiosity what happened to the outside consultant?
He went round and infected everybody else's networks.
MistyRing 2003-10-21, 7:45 am
plugging your laptop into someone else's network without permission is a big no-no. he must have been a cowboy operator!
darthfeces 2003-10-21, 10:06 am
no,
it's a common thing for a vendor to come in
for a meeting and ....
"hi can i have a network connection to check my email"?
we had to create a guest vlan just for these losers !!!
MistyRing 2003-10-21, 11:08 am
quote: "hi can i have a network connection to check my email"?
yes that's called asking for permission.
Tarzanboy 2003-10-21, 11:35 am
quote: Originally posted by darthfeces
no,
it's a common thing for a vendor to come in
for a meeting and ....
"hi i plugged into the network connection about half an hour ago to P2P some pr0n. hope you don't mind"
we had to create a guest vlan just for these losers !!!
I hear ya man.
Cheers,
TB
jarbob69 2003-10-21, 6:18 pm
quote: Originally posted by thebonzodog
Out of curiosity what happened to the outside consultant?
He was a financial consultant, so I imagine he went on to the next customer.