[55299] in North American Network Operators' Group
Re: management interface accessability (was Re: Worm / UDP1434)
daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Sun Jan 26 17:55:42 2003
Date: Sun, 26 Jan 2003 12:52:53 -0500
From: "Johannes Ullrich" <jullrich@euclidian.com>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: nanog@merit.edu
In-Reply-To: <20030126174257.86D987B4D@berkshire.research.att.com>
> Therein lies the rub. I'm curious -- every medium or large company I'm
> aware of had Code Red on the inside of the firewalls. What happened
> this time? Did it get inside? If so, has anyone analyzed how?
I haven't seen any widespread behind-the-firewall exposure so far.
I think, unlike Code Red / Nimda, there are a few factors that
help:
- most people with firewalls block 1434. This is not true for port 80,
as the web server is usually intended for the public.
- the worm is memory resident. Road warriors that are infected at home
or while traveling are unlikely to introduce this worm into the company
LAN as they come to work on Monday.
- this worm only uses port 1434 UDP. Nimda made it past a lot of firewalls
and NAT devices by spreading via e-mail and web clients.
--
--------------------------------------------------------------------
jullrich@euclidian.com Collaborative Intrusion Detection
join http://www.dshield.org
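The two points above (a border that drops UDP/1434 but must still admit TCP/80 to the public web server, and a worm that can only spread over UDP/1434) suggest a simple check for the "did it get inside?" question: look for internal hosts sending UDP/1434 to many distinct destinations. The block below is an added example, not code from the NANOG thread or from DShield. The flow records are constructed sample data, the field layout (src dst proto dport pkts) is an assumption rather than any real NetFlow export format, and the web server address 203.0.113.80 is made up for the example.

```python
"""Added example (not part of the NANOG thread): flag internal hosts
spraying UDP/1434 across many destinations, and model a border policy
that blocks UDP/1434 while still admitting TCP/80 to the web server.
"""
from collections import defaultdict

# Constructed sample flow records, one per line: src dst proto dport pkts
# (field layout is an assumption for this example, not a real export format)
SAMPLE_FLOWS = """\
10.1.2.3 203.0.113.7 udp 1434 1
10.1.2.3 198.51.100.9 udp 1434 1
10.1.2.3 192.0.2.44 udp 1434 1
10.1.2.3 10.1.9.200 udp 1434 1
10.1.2.3 10.1.9.201 udp 1434 1
10.1.2.3 10.1.9.202 udp 1434 1
10.1.7.8 10.1.7.9 udp 1434 40
10.1.7.8 10.1.7.9 tcp 1433 120
10.1.5.5 203.0.113.80 tcp 80 30
10.1.5.5 203.0.113.81 tcp 80 12
"""

# Assumed address of the public web server for the policy check below.
WEB_SERVER = "203.0.113.80"


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, proto, dport, pkts)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split()
        flows.append((src, dst, proto.lower(), int(dport), int(pkts)))
    return flows


def udp1434_fanout(flows, min_targets=5):
    """Return {src: sorted destinations} for sources that sent UDP/1434 to at
    least min_targets distinct hosts.

    A legitimate client resolving instances on one SQL Server (10.1.7.8 in
    the sample) talks to a single destination and is not reported; a host
    spraying the port across many addresses, which is the only way this worm
    spreads, is.
    """
    targets = defaultdict(set)
    for src, dst, proto, dport, _pkts in flows:
        if proto == "udp" and dport == 1434:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


def border_allows(proto, dport, dst):
    """Inbound border policy as described in the thread: drop UDP/1434,
    admit TCP/80 only toward the public web server, deny everything else
    (a deliberately minimal toy policy)."""
    if proto == "udp" and dport == 1434:
        return False
    if proto == "tcp" and dport == 80:
        return dst == WEB_SERVER
    return False


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dsts in udp1434_fanout(flows).items():
        print(f"{src} sent UDP/1434 to {len(dsts)} hosts: {', '.join(dsts)}")
    for proto, port, dst in [("udp", 1434, "10.1.9.200"),
                             ("tcp", 80, WEB_SERVER),
                             ("tcp", 80, "203.0.113.81")]:
        verdict = "allowed" if border_allows(proto, port, dst) else "dropped"
        print(f"inbound {proto}/{port} -> {dst}: {verdict}")
```

The fan-out threshold is the interesting knob: a border block stops inbound UDP/1434, but a laptop that was infected at home and is plugged into the LAN would show up in internal flow data as one source hitting many destinations, which is exactly what the fan-out check reports and a simple port filter at the edge never sees.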