From: pj7 at hushmail.com (Paul J.)
Subject: Blaster: will it spread without tftp?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Yes we are now investigating how we can speed up patch deployment ;-)

This should be tempered with a tad of investigation into patch BACKOUT.
One day a virus/worm/bot will come, people will rush to patch, and the
patch actually feed the virus/worm/bot like shit feeds a stink. I am
impressed with the moderate lack of such ability in many of the "patch"
download/install scenarios.

7

- -----Original Message-----
From: Russell Fulton [mailto:r.fulton@...kland.ac.nz]
Sent: Wednesday, August 13, 2003 12:17 AM
To: nick@...us-l.demon.co.uk
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Blaster: will it spread without tftp?

On Wed, 2003-08-13 at 14:13, Nick FitzGerald wrote:
> "Maarten" <subscriptions@...tsuijker.com> wrote:
>
> > I was wondering about the following scenario:
> <<snip>>
> > - since these other vulnerable systems are using a proxy server to connect
> > to the internet and a firewall prevents all other connections, tftp servers
> > on the Internet can not be accessed
>
> Good up to here, but then...
>
> > - since tftp servers can not be accessed, msblaster.exe can not be
> > downloaded
>
> No.
>
> When the worm connects from its current victim to a new, vulnerable
> host it tells the new victim to TFTP the worm's .EXE from the current
> victim machine where the worm briefly sets up a TFTP thread to serve
> its .EXE.

I can confirm this. We block tftp at the gateway (as well as all the MS
ports 135-139, 445 etc.). An infected laptop was brought on to the
internal network and half an hour later we had 500 infected systems and
a very soggy network.

Note, that those 500 was out of a total of 7500, we had managed to get
the rest patched, another week and we would have only had a handful.

Yes we are now investigating how we can speed up patch deployment ;-)

- --
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj85xaIACgkQqAUwSFL2X4LIqQCfe+QOPQKmTQNr5vJFt8cAW8f+ZmMA
n0IrE1OY8hmNtWGhJP8sddLHyvkM
=Xmzx
-----END PGP SIGNATURE-----
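The thread describes the new victim fetching the worm's .EXE over TFTP from the machine that infected it, entirely inside a network whose gateway blocks TFTP, so detection has to look at internal flows. The following is an added example, not part of the original messages: it correlates a TCP/135 contact with a TFTP request going back to the initiating host. The flow records, addresses, sanctioned-server list and 60-second window are constructed assumptions.

```python
from collections import namedtuple

# Constructed flow records (not from the thread): time in seconds,
# source, destination, protocol, destination port.
Flow = namedtuple("Flow", "ts src dst proto dport")

SAMPLE_FLOWS = [
    Flow(100, "10.0.5.23", "10.0.5.40", "tcp", 135),  # laptop contacts host on RPC
    Flow(103, "10.0.5.40", "10.0.5.23", "udp", 69),   # host requests TFTP from laptop
    Flow(110, "10.0.5.23", "10.0.5.41", "tcp", 135),
    Flow(112, "10.0.5.41", "10.0.5.23", "udp", 69),
    Flow(200, "10.0.7.9", "10.0.1.5", "udp", 69),     # device using a sanctioned server
    Flow(300, "10.0.5.60", "10.0.1.10", "tcp", 135),  # ordinary RPC, no TFTP back
]

KNOWN_TFTP_SERVERS = {"10.0.1.5"}  # assumption: the site's sanctioned TFTP servers
WINDOW = 60  # assumption: max seconds between RPC contact and TFTP request


def find_callback_tftp(flows, known_servers=KNOWN_TFTP_SERVERS, window=WINDOW):
    """Return {serving_host: sorted hosts that requested TFTP from it}.

    A hit is a UDP/69 request sent to a host that contacted the requester
    on TCP/135 within `window` seconds beforehand.
    """
    rpc_seen = {}  # (initiator, target) -> time of latest TCP/135 contact
    hits = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "tcp" and f.dport == 135:
            rpc_seen[(f.src, f.dst)] = f.ts
        elif f.proto == "udp" and f.dport == 69 and f.dst not in known_servers:
            t = rpc_seen.get((f.dst, f.src))
            if t is not None and 0 <= f.ts - t <= window:
                hits.setdefault(f.dst, set()).add(f.src)
    return {host: sorted(clients) for host, clients in hits.items()}


if __name__ == "__main__":
    for server, clients in find_callback_tftp(SAMPLE_FLOWS).items():
        print(f"{server} served TFTP to {len(clients)} host(s): {clients}")
```

A host that appears as a key here with a growing client list is the internal equivalent of the infected laptop in the message above, and is the one to isolate first.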