From: PerrymonJ at bek.com (Perrymon, Josh L.)
Subject: another new worm submission

I agree.

Anyone who would have those ports open has a *lot* more to worry about than
cleaning a few worm infections.
That's not the case here. This infection was caused by a remote user, not a
LAN user.
With several hundred laptops it's hard to have 0 exposure. As with any growing
security practice, and with today's decreased budgets, areas of focus are
determined by risk exposure.

Anywho-
I found the Trojan to be backdoor.nibu.g, although Symantec AV didn't pick
it up until tonight.

I think this is a good example that perimeter security is only part of the
battle. 
Tomorrow's morning meeting will stress the importance of desktop firewalls
again and a good patch management process.
You can talk until you're blue in the face to upper management, but I find 90%
to be reactive.

Oh well-

JP





-----Original Message-----
From: Ron DuFresne [mailto:dufresne@...ternet.com]
Sent: Saturday, June 05, 2004 5:38 PM
To: Jerry Heidtke
Cc: Paul Schmehl; full-disclosure@...sys.com
Subject: Re: [Full-Disclosure] another new worm submission



	[SNIP]

> >>
> >> How are these system getting compromised? Why don't you have this patch
> >> deployed yet? Why are these systems reachable from the Internet over
> >> port
> >> 445?
> >>
> > For someone who knows nothing about his network, you sure are willing
> > to make a lot of assumptions. You admit you don't know how the systems
> > were compromised and you don't know what compromised them, yet you
> > castigate him for leaving port 445 open and not patching and you
> > assume this happened *remotely*?
> >>


	[SNIP]

> You're right, I made an assumption that the systems were being
> compromised remotely rather than being deliberately and maliciously
> hacked by insiders. Would this somehow be less of a problem? Having
> systems with routable addresses reachable through port 445 is the most
> likely avenue of compromise, if this is not the case then Josh would be
> well advised to determine exactly what is going on with his network.
>

Agreed here, anyone sitting with exposed Windows-specific ports on the
insecure Internet <e.g. 445, 135-139, UDP as well as TCP, etc.> is pretty
much deserving of what hits them these days.  Without tackling that
side of the coin, it's going to be pretty hard for these folks to
determine if the troubles they are facing are internal or not.
Without control of the perimeter choke point, how can one even
think to start to look at controls of the whole danged wire inside?
Perhaps we need to adapt personal firewall day to a monthly thing for
the next 5 years or more to help these clueless souls.

	[SNIP]

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
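The exposure the two posters are arguing about (Windows service ports listening on routable addresses, with or without a desktop firewall in front of them) can be checked mechanically rather than argued about. The script below is an added example and is not code from the thread or from either poster: the listener table, the laptop's interface addresses and the firewall allow-list are all constructed, and the `proto addr:port` listing is a simplified stand-in for real netstat output.

```python
"""Flag Windows service ports (RPC endpoint mapper, NetBIOS, SMB) that are
listening on globally routable addresses and not blocked by a host firewall.

Added example for this thread; the sample listener table, interface addresses
and firewall allow-list are constructed, and the 'proto addr:port' listing is a
simplified stand-in for real netstat output.
"""
import ipaddress
from dataclasses import dataclass

# The ports named in the thread: RPC endpoint mapper (135/tcp), NetBIOS name,
# datagram and session services (137/udp, 138/udp, 139/tcp) and SMB over TCP (445).
WINDOWS_PORTS = {
    ("tcp", 135), ("tcp", 139), ("tcp", 445),
    ("udp", 137), ("udp", 138),
}

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}

# Address blocks that are not reachable from the public Internet. This is an
# explicit list rather than ipaddress.is_global() because Python treats the
# RFC 5737 documentation ranges (used for the sample data below) as private.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def is_routable(addr: str) -> bool:
    """True if addr is outside every private/loopback/link-local/multicast block."""
    ip = ipaddress.ip_address(addr)
    # Membership across address families is always False, so mixing v4/v6 is safe.
    return not any(ip in net for net in NON_ROUTABLE)


def parse_listeners(lines):
    """Parse 'proto addr:port' lines (constructed format); '#' lines and blanks are skipped."""
    listeners = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, endpoint = line.split()
        addr, _, port = endpoint.rpartition(":")   # rpartition keeps IPv6 ':' intact
        listeners.append(Listener(proto.lower(), addr.strip("[]"), int(port)))
    return listeners


def exposed_windows_ports(listeners, interface_addrs, host_firewall_allow=None):
    """Return sorted (proto, addr, port) tuples for Windows ports reachable from the Internet.

    A wildcard bind counts as listening on every interface address. host_firewall_allow
    is the set of (proto, port) pairs the desktop firewall permits inbound; None means
    no host firewall at all, so every listening port is reachable.
    """
    findings = set()
    for l in listeners:
        key = (l.proto, l.port)
        if key not in WINDOWS_PORTS:
            continue
        if host_firewall_allow is not None and key not in host_firewall_allow:
            continue  # listening, but the desktop firewall drops it
        addrs = interface_addrs if l.addr in WILDCARD_BINDS else [l.addr]
        for a in addrs:
            if is_routable(a):
                findings.add((l.proto, a, l.port))
    return sorted(findings)


# Constructed sample: a laptop with one routable and one private address,
# with services bound to the wildcard address as Windows does by default.
SAMPLE_LISTENING = """
# proto  local endpoint
tcp 0.0.0.0:135
tcp 0.0.0.0:445
tcp 192.168.1.20:139
udp 0.0.0.0:137
udp 0.0.0.0:138
tcp 0.0.0.0:3389
tcp 127.0.0.1:445
""".splitlines()
SAMPLE_ADDRS = ["203.0.113.10", "192.168.1.20"]


def report(listing=SAMPLE_LISTENING, addrs=SAMPLE_ADDRS, host_firewall_allow=None):
    """Run the check, print one line per exposed port, and return the findings."""
    found = exposed_windows_ports(parse_listeners(listing), addrs, host_firewall_allow)
    for proto, addr, port in found:
        print(f"EXPOSED {proto}/{port} on {addr}")
    if not found:
        print("no Windows service ports reachable on routable addresses")
    return found


if __name__ == "__main__":
    report()                                        # no desktop firewall
    report(host_firewall_allow={("tcp", 3389)})     # firewall allows only RDP inbound
```

With no host firewall the sample laptop exposes 135/tcp, 445/tcp, 137/udp and 138/udp on its routable address; 139/tcp bound only to the private address and 445/tcp on loopback are not reported. With a desktop firewall that admits only 3389/tcp inbound, the same listener table yields no findings, which is the effect of the desktop-firewall policy the reply argues for.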