[55283] in North American Network Operators' Group
Re: management interface accessability (was Re: Worm / UDP1434)
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Sun Jan 26 13:51:40 2003
Date: Sun, 26 Jan 2003 18:50:36 +0000 (GMT)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Chris Lloyd <strawberry@toth.org.uk>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <20030126183649.C25671@jasper.dryfish.org>
Errors-To: owner-nanog-outgoing@merit.edu

On Sun, 26 Jan 2003, Chris Lloyd wrote:
>
> On Sun, Jan 26, 2003 at 12:08:07PM -0600, Rob Thomas wrote:
> > Just a point here: Many road warriors are work-at-home folks who have
> > their computers on 24x7. They may be infected, and will fire up their
> > VPN tunnels Monday morning. This may introduce the worm into the chewy
> > center of many corporate networks. Hopefully folks have put the proper
> > filters in place on their VPN access points.
>
> Personally, I think it's unlikely the situation will get worse on Monday
> because of people starting work. The first reason is that you can only get
> infected if you're running SQL server (or MSDE) at home and someone sends you
> one of the special packets. The second reason is that you, if you're infected,
> send the packets to random IP addresses, and not only do you have to randomly
> choose an address on the corporate LAN, but it has to be a machine running
> SQL server. To my mind the probability of all these things being the case
> is microscopic!

My observation was that the target IPs are not random and that local IPs were
hit more often (same /16 more than /8 more than all /0) ... a la Code Red.

Steve
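
The locality question raised in this exchange can be checked against flow records from a single infected host by bucketing destinations by the prefix they share with the source. This is an added example, not part of the original thread; the flow records, the function names and the 10x threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed (source, destination) pairs standing in for one host's UDP/1434 flows.
FLOWS = [
    ("10.20.30.40", "10.20.1.9"), ("10.20.30.40", "10.20.200.17"),
    ("10.20.30.40", "10.20.77.3"), ("10.20.30.40", "10.20.5.250"),
    ("10.20.30.40", "10.99.4.4"), ("10.20.30.40", "10.3.180.61"),
    ("10.20.30.40", "198.51.100.7"), ("10.20.30.40", "203.0.113.88"),
]

# Share of the IPv4 space in each bucket if targets were chosen uniformly at random.
UNIFORM = {"same/16": 2**-16, "same/8": 2**-8 - 2**-16, "other": 1 - 2**-8}


def shared_bucket(src, dst):
    """Return the longest of /16, /8 or nothing that src and dst have in common."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    if s >> 16 == d >> 16:
        return "same/16"
    if s >> 24 == d >> 24:
        return "same/8"
    return "other"


def locality_profile(flows):
    """Fraction of flows that fall in each bucket."""
    if not flows:
        raise ValueError("no flows to profile")
    counts = Counter(shared_bucket(s, d) for s, d in flows)
    return {bucket: counts[bucket] / len(flows) for bucket in UNIFORM}


def looks_locally_biased(flows, factor=10.0):
    """True if in-/8 traffic exceeds `factor` times the uniform expectation (1/256)."""
    profile = locality_profile(flows)
    local = profile["same/16"] + profile["same/8"]
    return local > factor * 2**-8


if __name__ == "__main__":
    for bucket, share in locality_profile(FLOWS).items():
        print(f"{bucket:8s} observed={share:.4f} uniform={UNIFORM[bucket]:.6f}")
    print("locally biased:", looks_locally_biased(FLOWS))
```

The comparison is only meaningful over a large number of flows; with a handful of records a single local destination is enough to cross the threshold.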