North American Network Operators Group
RE: FW: Worms versus Bots
If you follow these steps outlined by SANS you should be able to successfully update and NOT get infected. This is short, easy, fully documented (with pictures :)

http://www.sans.org/rr/papers/index.php?id=1298

[email protected] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint: 9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Henry Linneweh
> Sent: Tuesday, May 04, 2004 2:19 AM
> To: Eric Krichbaum; [email protected]
> Subject: Re: FW: Worms versus Bots
>
> It is amazingly simple to pull an ethernet cable out of the back of your box to update a box from a CD.... especially in a suspect environment where you have had many problems.
>
> I have had the displeasure of having had to go from box to box and clean each individually, and while many problems were stopped by Netscreen at the door, we still had to run enterprise protection per machine as a second line of defense and separate domains in the company for greater protection between the groups.
>
> -Henry
>
> --- Eric Krichbaum <[email protected]> wrote:
> >
> > I see times more typically in the 5 - 10 second range to infection. As a test, I unprotected a machine this morning on a single T1 to get a sample. 8 seconds. If you can get in 20 minutes of downloads you're luckier than most.
> >
> > Eric
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of william(at)elan.net
> > Sent: Monday, May 03, 2004 11:49 PM
> > To: Sean Donelan
> > Cc: Rob Thomas; NANOG
> > Subject: Re: Worms versus Bots
> >
> > On Mon, 3 May 2004, Sean Donelan wrote:
> >
> > > On Mon, 3 May 2004, Rob Thomas wrote:
> > > > ] Just because a machine has a bot/worm/virus that didn't come with a
> > > > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> > >
> > > Agreed.
> > >
> > > Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes.
> >
> > It's possible it's a problem on dialup, but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it (Note: I also disable IIS just in case until everything is patched..).
> >
> > Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.
> >
> > In addition to that many users have a dsl router or similar device and many such beasts will provide a NATed ip block and act like a firewall not allowing outside servers to actually connect to your home computer. On this point it would be really interesting to see what percentage of users actually have these routers and if the decreasing speed of infections by new viruses (are there real numbers to show it decreased?) has anything to do with this rather than people being more careful and using antivirus.
> >
> > Another option if you're really afraid of infection is to set up a proxy that only allows access to the Microsoft ip block that contains the windows update servers.
> >
> > And of course, there is an even BETTER OPTION than all the above - STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
> >
> > > Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission.
> >
> > I don't think this is quite true. Microsoft makes available all patches as individual .exe files. There are quite many of these updates and it's really a pain to actually get all of them and install updates manually. But I've never seen written anywhere that I can not download these .exe files and distribute them inside your company or to your friends as needed to fix the problems these patches are designed for.
> >
> > > The problem with Bots is they aren't always active. That makes them difficult to find until they do something.
> >
> > As opposed to what, viruses? Not at all! Many viruses have periods when they are active and afterwards they go into "sleep" mode and will not activate until some other date!
> >
> > Additionally a bot that does not immediately become active is a good thing because if you do weekly or monthly audits (and many do it like that) you may well find it this way and deal with it at your own time, rather than all of a sudden being awakened at 3am and having to clean up an infected system.
> >
> > --
> > William Leibzon
> > Elan Networks
> > [email protected]
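The patch-window proxy William suggests above, as an added example that is not part of the thread: the allow/deny decision a filtering proxy would apply so a freshly installed box can reach only the update servers until patching is finished. The host-name suffixes and the 192.0.2.0/24 block are constructed placeholders, not Microsoft's real address space, and the proxy only sees traffic sent through it, so the host firewall still has to block direct egress (the cable-pull equivalent).

```python
"""Patch-window egress allowlist for a filtering proxy (constructed example).

Until a fresh install is fully patched, only the update servers may be
contacted. Names and CIDR below are placeholders, not real Microsoft space.
"""
import ipaddress
from typing import Optional, Tuple

# Constructed allowlist: these exact names or their subdomains ...
ALLOWED_SUFFIXES = ("windowsupdate.example.com", "update.example.com")
# ... plus literal IP destinations inside these blocks (TEST-NET-1 placeholder)
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def host_allowed(host: str) -> bool:
    host = host.rstrip(".").lower()
    try:  # literal IP target: check the CIDR allowlist
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in ALLOWED_NETS)
    except ValueError:
        pass
    # Suffix match needs a dot boundary so that "notwindowsupdate.example.com"
    # or "windowsupdate.example.com.evil.test" do not slip through.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def _strip_port(authority: str) -> str:
    if authority.startswith("["):  # bracketed IPv6 literal
        return authority[1:authority.index("]")]
    return authority.rsplit(":", 1)[0] if authority.count(":") == 1 else authority


def target_host(request_line: str, host_header: Optional[str]) -> str:
    """Destination host of a CONNECT, absolute-URI or origin-form request."""
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        return _strip_port(target)
    if "://" in target:  # absolute URI, as a client sends it to a proxy
        return _strip_port(target.split("://", 1)[1].split("/", 1)[0])
    if not host_header:
        raise ValueError("origin-form request without Host header")
    return _strip_port(host_header.strip())


def decide(request_line: str, host_header: Optional[str] = None) -> Tuple[str, str]:
    """Return ("ALLOW" | "DENY", host); malformed requests are denied."""
    try:
        host = target_host(request_line, host_header)
    except ValueError as exc:
        return "DENY", str(exc)
    return ("ALLOW" if host_allowed(host) else "DENY"), host
```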