[Security-fyi] Re: New worm activity
daemon@ATHENA.MIT.EDU (Bob Mahoney)
Wed Aug 20 16:12:30 2003
Mime-Version: 1.0
Message-Id: <p05200f0dbb67f57d6e1d@[66.93.190.33]>
In-Reply-To: <p05200f09bb67dfff6470@[66.93.190.33]>
Date: Tue, 19 Aug 2003 12:05:52 -0400
To: security-fyi@mit.edu, itpartners@mit.edu, ilg-net-contacts@mit.edu,
rcc@mit.edu, ditr@mit.edu
From: Bob Mahoney <bobmah@MIT.EDU>
Content-Type: text/plain; charset="us-ascii"
cc: Security Team <security-internal@mit.edu>
Errors-To: security-fyi-bounces@mit.edu
All-
Please forgive the terse nature of this message, but I want to get this information out to the departmental support folks and those that may find themselves assisting in the recovery of compromised machines today. This information may not be well-structured for more casual users, and we will be working to make more friendly presentations available later today.
Known issues:
* There's a viable window of opportunity for re-compromise in between when we re-enable a drop, and when the user discovers it is re-enabled (either by reading e-mail or trying it occasionally) and proceeds to look for patches.
Because of this, we ask that those doing clean-up DISCONNECT systems before sending us mail saying they have completed the reformat/reinstall, to allow for some protective configuration changes.
* Compromise during patching is more likely for Windows 2000 than Windows XP. For Windows 2000, the user has to download a service pack and then obtain the MS03-026 patch. For Windows XP, the user should always obtain the MS03-026 patch before obtaining SP1, since installing SP1 takes a very long time and re-compromise is extremely likely.
* The user should not attempt to get patches via Windows Update. Using Windows Update increases the amount of time before the machine will have the MS03-026 patch installed.
* Even if the user connects his network cable and then immediately tries to download from Microsoft, the machine will still sometimes be re-compromised. Therefore, we recommend that users set up packet filtering immediately, and only download the patch from Microsoft when that change has been made. The procedure is:
Windows XP -- see http://support.microsoft.com/?id=283673
Windows 2000 -- select adapter
    Internet Protocol (TCP/IP) Properties
        Advanced
            Options
                TCP/IP Filtering
                    Properties
Enable TCP/IP Filtering (All adapters) should be checked. In the TCP ports column, "Permit only" should be checked, and no ports should be added. The other two columns (UDP, IP) can be left alone. In particular, if you choose "Permit only" for UDP, DNS will sometimes not work and the machine won't be able to resolve www.microsoft.com.
Afterward (for either operating system), the computer will be able to download, but will not accept incoming connections on any TCP port, and thus it will not be re-compromised by any currently popular worm.
Users who successfully complete this process should reverse the packet filtering after completing the patch process, so that needed services will be available.
-Bob
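A present-day equivalent of the lockdown step described in the message, added here as an illustration and not part of Bob's mail or MIT's procedure: on a current Windows host with Windows Defender Firewall, the same "refuse all inbound TCP, keep downloads and DNS working, then reverse it after patching" sequence can be scripted with the NetSecurity module cmdlets. The rule name and the use of www.microsoft.com as the reachability check are assumptions; the cmdlets need an elevated session.

```powershell
# Added example, not code from the original message. Assumes an elevated
# PowerShell session on a Windows host with the NetSecurity and DnsClient modules.
$RuleName = 'Patching-BlockInboundTCP'   # assumed rule name, chosen for this example

function Enable-PatchingLockdown {
    # Refuse every unsolicited inbound TCP connection on all profiles. Outbound
    # traffic, and the replies it elicits (tracked by the stateful firewall), is
    # still allowed, so the patch download and name resolution keep working.
    # Unlike the Windows 2000 TCP/IP Filtering dialog, nothing special is needed
    # for UDP to keep DNS alive.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -Action Block `
            -Profile Any -Enabled True | Out-Null
    }
    # The rule only matters if the firewall itself is on for every profile.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
}

function Test-PatchingLockdown {
    # Quick check before plugging the cable back in: the block rule exists and
    # is enabled, and the host can still resolve and reach the patch source.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RuleEnabled   = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True')
        DnsWorks      = [bool](Resolve-DnsName 'www.microsoft.com' -ErrorAction SilentlyContinue)
        OutboundWorks = (Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443 -InformationLevel Quiet)
    }
}

function Disable-PatchingLockdown {
    # Reverse the change once the patch is installed, as the message asks,
    # so that needed services are reachable again.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

# Typical sequence while the machine is still disconnected:
#   Enable-PatchingLockdown
#   Test-PatchingLockdown      # reconnect only if RuleEnabled is True
#   ... download and install the patch ...
#   Disable-PatchingLockdown
```

The design mirrors the message's ordering: the filter goes in before the network cable does, the host is checked for both the block and continued outbound reachability, and the filter is removed only after patching is done.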