Re: OT: It can be a new virus?
Probably the easiest option. If you've got a number of systems though I'd
install a firewall between your router and the internet (assuming that isn't
a firewall device you are just calling a router). Personally I use IPCop
(www.ipcop.org) which just runs on an old PC, and is free. Sounds like you
run a personal firewall on some (all?) of your systems, but a dedicated
system is usually safer.
Steven
On Friday 27 June 2003 11:19, Dan wrote:
> Hi Steven,
>
> I just filter the TCP port 139 and now everything is quiet on my subnet.
> Checking the router, I have seen that the attacks target all the computers
> from my subnet.
>
> Best regards,
> Dan
>
> ----- Original Message -----
> From: "Steven Edgar" <yahoogroups@xxxxxxx>
> To: <ukha_d@xxxxxxx>
> Sent: Thursday, June 26, 2003 9:00 PM
> Subject: Re: [ukha_d] OT: It can be a new virus?
>
> > On Thursday 26 June 2003 18:25, Dan wrote:
> > > Hi Steven,
> > >
> > > I have NETBIOS port scans from all over the world, not from my
> > > neighbours.
> > > And it is visible that they are a lot lot more than usual port scans.
> > > Sometimes they are more than 10 per minute, from totally different IP
> > > addresses
> > >
> > > They are reported by ISS BlackIce.
> >
> > Well there is nothing hitting my firewall on the netbios ports (137, 138,
> > 139), but I have a fairly high level of noise on my IDS logs.
> >
> > Ah, just found
> >
> > http://isc.incidents.org/analysis.html?id=170
> >
> > Looks like there are a couple of worms on the loose causing netbios
> > scans. If you are seeing hits on port 137 first, then 139 if the attacker
> > is getting any response to the 137 hit (probably not if your IDS is
> > detecting/blocking it), then this might be the answer.
> >
> > Alternatively it could be the suspected new worm on the loose has a new
> > trick. They identified what was thought to be an early rather bug-ridden
> > copy last week, but the traffic floating through the net backbones appears
> > to indicate there are others out there. One of the tricks is to hide the
> > real IP address of the infected machine by firing out loads of packets
> > with falsified source addresses. One of them will be the real one, but
> > there is no way to know which. If you're curious you could try traceroutes
> > and pings to some of the source IPs just to see how many actually have
> > real systems behind them. It does sound like the IP range you are in is
> > being targeted, but it's unlikely to be you specifically.
> >
> >
> >
> > Steven
> >
> >
> > ** UKHA2004 BE THERE! ** - start planning now.
> >
> > http://www.automatedhome.co.uk
> > Post message: ukha_d@xxxxxxx
> > Subscribe: ukha_d-subscribe@xxxxxxx
> > Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> > List owner: ukha_d-owner@xxxxxxx
> >
> > Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
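The two signs discussed in the thread above (a hit on port 137 followed by one on 139 from the same source, and many distinct sources per minute), as an added example that is not part of the original messages. The log format, the function names and the sample lines are constructed for illustration; the addresses come from documentation ranges and this is not BlackICE or IPCop output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up firewall log format (assumption).
SAMPLE_LOG = """\
2003-06-26 18:20:01 DROP UDP 198.51.100.7:1027 -> 192.0.2.10:137
2003-06-26 18:20:03 DROP TCP 198.51.100.7:1031 -> 192.0.2.10:139
2003-06-26 18:20:10 DROP UDP 203.0.113.44:1025 -> 192.0.2.11:137
2003-06-26 18:20:15 DROP TCP 203.0.113.90:4410 -> 192.0.2.12:139
2003-06-26 18:20:40 DROP TCP 198.51.100.23:2200 -> 192.0.2.10:80
2003-06-26 18:21:05 DROP UDP 203.0.113.44:1025 -> 192.0.2.12:137
2003-06-26 18:27:30 DROP TCP 203.0.113.44:1040 -> 192.0.2.12:139
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) \w+ (UDP|TCP) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
NETBIOS_PORTS = {137, 138, 139}

def parse(log_text):
    """Yield (time, proto, src, dst, dport) for NetBIOS-port hits only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(5)) in NETBIOS_PORTS:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def probe_then_connect(events, window=timedelta(seconds=60)):
    """Sources that hit UDP/137 and then TCP/139 on the same host within `window`."""
    last_137 = {}  # (src, dst) -> time of the most recent UDP/137 hit
    flagged = set()
    for ts, proto, src, dst, dport in sorted(events):
        if (proto, dport) == ("UDP", 137):
            last_137[(src, dst)] = ts
        elif (proto, dport) == ("TCP", 139):
            seen = last_137.get((src, dst))
            if seen is not None and ts - seen <= window:
                flagged.add(src)
    return sorted(flagged)

def sources_per_minute(events):
    """Distinct source addresses hitting NetBIOS ports in each minute."""
    buckets = defaultdict(set)
    for ts, _proto, src, _dst, _dport in events:
        buckets[ts.strftime("%H:%M")].add(src)
    return {minute: len(srcs) for minute, srcs in sorted(buckets.items())}

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print(probe_then_connect(events), sources_per_minute(events))
```

Because source addresses can be falsified, as the quoted message notes, the flagged addresses say what the traffic looks like, not necessarily who sent it.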