Re: Virus Alert - W32.Blaster.Worm

From: Kurt Kruegel (kurt@cybernex.net)
Date: Wed Aug 13 2003 - 12:45:34 GMT-3


I used the access-list to try to block it and the CPU freaked out
and we had to power cycle.
Anyone see a problem with this?

access-list 115 deny tcp any eq 4444 any log
access-list 115 deny tcp any eq 135 any log
access-list 115 deny udp any eq 69 any log
access-list 115 deny icmp any any redirect
access-list 115 deny ip 0.0.0.0 0.255.255.255 any
access-list 115 deny ip 255.0.0.0 0.255.255.255 any
access-list 115 deny ip 1.0.0.0 0.255.255.255 any
access-list 115 deny ip 2.0.0.0 0.255.255.255 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 169.254.0.0 0.0.255.255 any
access-list 115 deny ip 192.0.2.0 0.0.0.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
own nets deleted
access-list 115 permit ip any any

----- Original Message -----
From: "MADMAN" <dave@interprise.com>
To: "Jung, Jin" <jin.jung@lmco.com>
Cc: "'George Gittins'" <g.gittins@edinburg.esc1.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 13, 2003 11:11 AM
Subject: Re: Virus Alert - W32.Blaster.Worm

> Jung, Jin wrote:
> > Hi Brian,
> > Did you block tcp and udp port 135 ?
> > Does it break windows netbios?
> >
> > I only blocked 4444 and 69, should I block 135 too?
>
> Yes.
>
> http://www.cert.org/advisories/CA-2003-20.html
>
> Dave
>
> >
> > Thanks...
> >
> > -----Original Message-----
> > From: George Gittins [mailto:g.gittins@edinburg.esc1.net]
> > Sent: Wednesday, August 13, 2003 9:43 AM
> > To: ccielab@groupstudy.com
> > Subject: FW: Virus Alert - W32.Blaster.Worm
> >
> >
> > Why port 135? Can you show an access-list?
> >
> > George Gittins
> > Network Maintenance Supervisor
> > ECISD
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Brown, Patrick (NSOC-OCF}
> > Sent: Tuesday, August 12, 2003 7:58 PM
> > To: 'Snow, Tim '; ''ccielab@groupstudy.com' '
> > Subject: RE: Virus Alert - W32.Blaster.Worm
> >
> > Getting about 20,000 hits a second on ACL referencing port 135. Plus Arp
> > process is going through the roof until acl is applied.
> >
> > Patrick B
> >
> >
> >
> > -----Original Message-----
> > From: Snow, Tim
> > To: 'ccielab@groupstudy.com'
> > Sent: 8/11/2003 10:14 PM
> > Subject: Virus Alert - W32.Blaster.Worm
> >
> > Anyone else going through the W32.Blaster.Worm?
> >
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> >
> > Big pain in the ....
> >
> > Tim
> >
> >
> > Timothy Snow
> > CCIE #12042
> > EDS - Network Operations
> > MS 3B
> > 1075 W. Entrance Drive
> > Auburn Hills, MI 48326
> >
> > * phone: +01-248-754-7900
> > * mailto:timothy.snow@eds.com
> > pager: 888-351-4584
> > www.eds.com
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
> --
> David Madland
> CCIE# 2016
> Sr. Network Engineer
> Qwest Communications
> 612-664-3367
>
> "Government can do something for the people only in proportion as it
> can do something to the people." -- Thomas Jefferson
>


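An added example, not part of the thread: a small Python check over entries copied from the posted access-list 115, relying on the Cisco IOS extended ACL syntax in which a port operator written after the source address tests the source port and one written after the destination address tests the destination port. It reports entries whose port test sits on the source side only and entries carrying `log`, which adds per-match work for the router; `parse_entry` and `review` are hypothetical names.

```python
# Added example: lint Cisco IOS numbered extended ACL entries.
# parse_entry/review are hypothetical names; the entries are copied from the post.
POSTED_ACL = """\
access-list 115 deny tcp any eq 4444 any log
access-list 115 deny tcp any eq 135 any log
access-list 115 deny udp any eq 69 any log
access-list 115 deny icmp any any redirect
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 permit ip any any
"""
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

def take_addr(tok, i):
    """Consume one address spec: 'any', 'host A', or 'A wildcard'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2

def take_port(tok, i):
    """Consume the optional port operator that may follow an address spec."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = 3 if tok[i] == "range" else 2
        return " ".join(tok[i:i + n]), i + n
    return None, i

def parse_entry(line):
    """Split 'access-list N action proto src [port] dst [port] [options]'."""
    tok = line.split()
    entry = {"acl": tok[1], "action": tok[2], "proto": tok[3]}
    i = 4
    entry["src"], i = take_addr(tok, i)
    entry["src_port"], i = take_port(tok, i)
    entry["dst"], i = take_addr(tok, i)
    entry["dst_port"], i = take_port(tok, i)
    entry["log"] = any(t in ("log", "log-input") for t in tok[i:])
    return entry

def review(acl_text):
    """Return (line, finding) pairs for source-only port tests and 'log'."""
    findings = []
    for line in filter(str.strip, acl_text.splitlines()):
        e = parse_entry(line)
        if e["src_port"] and not e["dst_port"]:
            findings.append((line, "port matched on source side only"))
        if e["log"]:
            findings.append((line, "log keyword set"))
    return findings
```

Calling `review(POSTED_ACL)` flags the three port entries for both conditions and leaves the ICMP, address-range and permit entries unflagged.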

This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:58 GMT-3