[rescue] Fair Warning RPC Worm
Curtis H. Wilbar Jr.
rescue at hawkmountain.net
Tue Aug 12 13:06:11 CDT 2003
Depending on your network architecture... if there is a place on the
ethernet where you can insert a firewall.. you can use OpenBSD as
a firewall/filtering bridge. Completely transparent to traceroute, etc.
Doesn't interrupt your network either... no reconfiguring, no routes to
I use one with three ethernet ports... two for the bridge, and a third
that connects to the inside switch that gets IP'd which is used as the
interface to ssh into, etc. for management.
It is quite a sweet setup, very stable, and works terrific. I even used
a 200MB IDE flash drive to avoid moving parts.... in theory the flash
drive will eventually fail (it does have a /var that is written to for
logs.... the theory was eventually to NFS mount that... but then if the
NFS server went away I don't know what the firewall would do... so I
never did go that route).
>Subject: RE: [rescue] Fair Warning RPC Worm
>From: Daniel de Young <daniel at velvetsea.com>
>To: The Rescue List <rescue at sunhelp.org>
>Date: 12 Aug 2003 10:27:26 -0700
>On Tue, 2003-08-12 at 09:02, Michael A. Turner wrote:
>> > On Monday 11 August 2003 23:32, Michael A. Turner wrote:
>> > > To let everyone know. There is now an RPC worm running against
>> > > Windows. We are seeing it here already. It crashes Windows 2000 svchost and
>> > > causes two different errors on Windows XP. Take a peek at slashdot for
>> > > running commentary on it and links to better articles.
>> > > Just trying to save you guys some time from phone calls tonight.
>> > > Looks like a bad one. Started about 4 hours ago. So anything doing with RPC
>> > > services you now have an answer to what is going on.
>> > This will be the death of your network :-/
>> > --
>> > Frank Van Damme http://www.openstandaarden.be
>> Luckily I was able to convince people around here that patch was
>> important. I put it on all the servers the day after it came out. After the
>> reaming we took from code red, Nimda, and the SQL slammer worm even my boss
>> found it a good idea to install that patch.
>> Today I am chasing the users who disregarded the E-mail that told
>> them to install the patch. Sigh, no way to enforce it and now they are
>> whining we should have done more to protect them. Damned if you do, Damned
>> if you don't.
>Uhm... I can't understand what is so hard about putting a firewall into
>that place. One day's work and then you are in a whole different
>posture. Unbelievable. At least for your users!
>Cripes man!!! This is no way to live!
>rescue list - http://www.sunhelp.org/mailman/listinfo/rescue
Hawk Mountain Networks
rescue at hawkmountain.net