[rescue] Fair Warning RPC Worm

Curtis H. Wilbar Jr. rescue at hawkmountain.net
Tue Aug 12 13:06:11 CDT 2003

Depending on your network architecture... if there is a place on the
ethernet where you can insert a firewall.. you can use OpenBSD as
a firewall/filtering bridge.  Completely transparent to traceroute, etc.
Doesn't interrupt your network either... no reconfiguring, no routes to
add, etc.

I use one with three ethernet ports... two for the bridge, and a third
that connects to the inside switch that gets IP'd which is used as the
interface to ssh into, etc for management.

It is quite a sweet setup, very stable, and works terrific.  I even used
a 200MB IDE flash drive to avoid moving parts....  in theory the flash
drive will eventually fail (it does have a /var that is written to for
logs.... the theory was eventually to NFS mount that... but then if the
NFS server went away I don't know what the firewall would do... so I
never did go that route).

-- Curt

>Subject: RE: [rescue] Fair Warning RPC Worm
>From: Daniel de Young <daniel at velvetsea.com>
>To: The Rescue List <rescue at sunhelp.org>
>Date: 12 Aug 2003 10:27:26 -0700
>On Tue, 2003-08-12 at 09:02, Michael A. Turner wrote:
>> > On Monday 11 August 2003 23:32, Michael A. Turner wrote:
>> > >         To let everyone know. There is now an RPC worm running against
>> > > Windows. We are seeing it here already. It crashes Windows 2000 svchost and
>> > > causes two different errors on Windows XP. Take a peek at slashdot for
>> > > running commentary on it and links to better articles.
>> > >         Just trying to save you guys some time from phone calls tonight.
>> > > Looks like a bad one. Started about 4 hours ago. So anything doing with RPC
>> > > services you now have an answer to what is going on.
>> > 
>> > This will be the death of your network :-/
>> > 
>> > 
>> > --
>> > Frank Van Damme    http://www.openstandaarden.be
>> 	Luckily I was able to convince people around here that patch was
>> important. I put it on all the servers the day after it came out. After the
>> reaming we took from code red, Nimda, and the SQL slammer worm even my boss
>> found it a good idea to install that patch.
>> 	Today I am chasing the users who disregarded the E-mail that told
>> them to install the patch. Sigh, no way to enforce it and now they are
>> whining we should have done more to protect them. Damned if you do, Damned
>> if you don't.
>Uhm... I can't understand what is so hard about putting a firewall into
>that place.  One day's work and then you are in a whole different
>posture.  Unbelievable.  At least for your users!
>Cripes man!!!  This is no way to live!

Curtis Wilbar
Hawk Mountain Networks
rescue at hawkmountain.net
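
The three-port filtering bridge described in the message above, sketched as a pf ruleset. This is an added example, not part of the original post and not the poster's configuration. The interface names (em0, em1, em2), the 192.0.2.0/24 management network and the port lists are assumptions, and the syntax is that of current OpenBSD pf rather than the 2003 release.

```conf
# /etc/pf.conf: constructed sample for a transparent filtering bridge.
#
# Assumed interface setup (current OpenBSD hostname.if files):
#   /etc/hostname.em0      up
#   /etc/hostname.em1      up
#   /etc/hostname.bridge0  add em0 add em1 up
#   /etc/hostname.em2      inet 192.0.2.10 255.255.255.0
# The bridge members carry no IP address, so the box adds no hop to
# traceroute and needs no routing changes on either side.

ext_if   = "em0"            # bridge member facing upstream (assumed name)
int_if   = "em1"            # bridge member facing the protected LAN (assumed name)
mgmt_if  = "em2"            # only addressed interface, plugged into the inside switch
mgmt_net = "192.0.2.0/24"   # placeholder management network

# TCP 135 is the Windows RPC endpoint mapper; the remaining entries are the
# NetBIOS/SMB and RPC-over-HTTP ports usually closed along with it.
rpc_tcp = "{ 135, 139, 445, 593 }"
rpc_udp = "{ 135, 137, 138, 445 }"

# A bridged packet crosses pf twice (in on one member, out on the other).
# Filter on the upstream member only so each packet is evaluated once.
set skip on { lo, $int_if }

# Default: nothing unsolicited comes in, on the bridge or the management port.
block in log all

# Explicit, early drop of Windows RPC traffic from upstream, so that no
# pass rule added later can reopen these ports by accident.
block in log quick on $ext_if proto tcp to port $rpc_tcp
block in log quick on $ext_if proto udp to port $rpc_udp

# Traffic leaving the LAN goes out on $ext_if; the state created here is
# what lets the replies back in past the default block.
pass out on $ext_if

# Management: ssh only, only from the inside management network.
pass in on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port ssh
pass out on $mgmt_if
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which is worth doing before enabling it on a box that sits inline.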
