[56484] in North American Network Operators' Group


Re: Port 445 issues (was: Port 80 Issues)

daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Sun Mar 9 17:42:21 2003

Date: Sun, 9 Mar 2003 17:41:07 -0500
From: "Johannes Ullrich" <jullrich@euclidian.com>
To: "Jonathan Claybaugh" <jonathan@prioritynetworks.net>
Cc: nanog@merit.edu
X-Qmail-Scanner-Mail-From: jullrich@euclidian.com via server.euclidian.com
In-Reply-To: <200303091711.52137.jonathan@prioritynetworks.net>
Errors-To: owner-nanog-outgoing@merit.edu



> Are other people having problems with this right now?  
> There doesn't seem to be very much traffic or information about this on any of 
> the security lists (it is Sunday...).  
> The last posted URL points to an impending storm...
> 
> Other operators opinions about blocking port 445 before this thing starts 
> spreading faster than it already is?

IMHO, this is similar in impact to Opaserv. As an ISP, I would probably block
445 just to avoid having lots of people call Monday morning complaining about
slow connections after they got infected. This worm is unlikely to cause
major 'global' network slowdowns, so filtering further upstream probably does
not make too much sense.

The main 'facts' so far:
- this virus does attempt to exploit weak passwords, not just open / no password
shares
- there are some reports that this worm has a VNC or IRC backdoor component,
which opens the infected machines to future exploits.
- port 445 has gotten a lot of attention from the malware community recently.
So there are likely further exploits in the works.



> > http://isc.incidents.org/port_details.html?port=445


-- 
--------------------------------------------------------------------
jullrich@euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
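An added example, not from the original post: before an ISP filters 445 wholesale, it can find the subscriber hosts that are already infected by looking for fan-out on tcp/445 in its packet-filter logs, since a worm probing many peers looks very different from a workstation talking to one file server. The log format (a generic "SRC= DST= PROTO= DPT=" line), the 10.0.0.0/8 subscriber addresses and the fan-out threshold are all constructed assumptions.

```python
"""Flag subscriber hosts fanning out on tcp/445 (constructed example)."""
import re
from collections import defaultdict

# Constructed firewall log lines; the format is an assumption modelled on a
# generic packet-filter log with SRC=/DST=/PROTO=/DPT= fields.
SAMPLE_LOG = """\
Mar  9 17:40:01 gw kernel: IN=eth1 SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Mar  9 17:40:01 gw kernel: IN=eth1 SRC=10.1.2.3 DST=192.0.2.11 PROTO=TCP DPT=445 SYN
Mar  9 17:40:02 gw kernel: IN=eth1 SRC=10.1.2.3 DST=192.0.2.12 PROTO=TCP DPT=445 SYN
Mar  9 17:40:02 gw kernel: IN=eth1 SRC=10.1.2.3 DST=192.0.2.13 PROTO=TCP DPT=445 SYN
Mar  9 17:40:03 gw kernel: IN=eth1 SRC=10.1.2.9 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Mar  9 17:40:03 gw kernel: IN=eth1 SRC=10.1.2.9 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Mar  9 17:40:04 gw kernel: IN=eth1 SRC=10.1.2.7 DST=192.0.2.20 PROTO=TCP DPT=80 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def fanout_by_source(log_text, port=445):
    """Return {src: set of distinct dst} for TCP SYNs to `port`."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("proto") != "TCP" or int(m.group("dpt")) != port:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return targets


def suspected_scanners(log_text, port=445, min_targets=3):
    """Sources that hit at least `min_targets` distinct hosts on `port`.

    Repeated SYNs to a single peer (normal file sharing) do not count,
    so 10.1.2.9 below is not flagged; the threshold is an assumption."""
    return sorted(src for src, dsts in fanout_by_source(log_text, port).items()
                  if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src in suspected_scanners(SAMPLE_LOG):
        print(f"notify subscriber {src}: tcp/445 fan-out, likely infected")
```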
