Re: Sortta OT: How do I see "Win32.Worm.Allaple.Gen" traffic…

Author: walter tocalini
Date:  
To: Main PLUG discussion list
Subject: Re: Sortta OT: How do I see "Win32.Worm.Allaple.Gen" traffic in my Linux firewall?
Question:
Where you have your firewall/gateway, is it a Linux box?

If it is, install ntop.
Help to install:
http://www.howtoforge.com/network_monitoring_with_ntop

In the list of ports in use, click on TCP 135/139/445/593, and the computer with
the most activity will be the bad one.

Add a line to the firewall to deny those ports if you are using
iptables; whatever you're using, just close those ports in and out.

ntop is a small but effective program; it won't cure the problem, but you
will know where to go.

Nagios is another good tool, with more capabilities.
Now, of those 150 puters, how many are Windows? Do you have antivirus for
all of them?
walter


On Thu, May 20, 2010 at 1:28 AM, Technomage <> wrote:

> On 5/19/10 5:44 PM, wrote:
>
>> Hello World:
>> Long story short:
>> I got an "official" notification that a computer behind my Linux firewall
>> has the "Win32.Worm.Allaple.Gen" virus.
>> I have some 150 puters NAT(ed) behind that firewall and no access
>> whatsoever to any of them.
>> Question is:
>> What can I do at the Firewall level to identify the virus' traffic so I
>> can harvest the puter's IP address...
>> Thanks!
>> ET
>>
> from
> http://www.threatexpert.com/report.aspx?md5=732f8e67310a1de1c945948bda2512eb
> ***********
> Summary of the findings:
> What's been found:
> A network-aware worm that uses known exploit(s) in order to replicate
> across vulnerable networks.
> MS04-012: DCOM RPC Overflow exploit - replication across TCP
> 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC
> Bots).
> Contains characteristics of an identified security risk.
> ***********
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

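The advice in the thread (watch TCP 135/139/445/593 on the gateway, find the NAT client generating the most attempts, then close those ports in and out) can be done with plain iptables logging instead of ntop. The script below is an added example, not code from the thread or from any of the posters; it assumes eth1 is the LAN side and eth0 the WAN side, a log prefix of "WORM-SCAN: ", and a few constructed kernel log lines standing in for the real /var/log/kern.log.

```shell
#!/bin/sh
# Added example (not from the mailing list post): rank NAT clients by the
# number of new outbound connection attempts to the Allaple/Blaster-style
# propagation ports, using iptables LOG output on the Linux gateway.
# Assumptions: eth1 = LAN, eth0 = WAN, log prefix "WORM-SCAN: ".

WORM_PORTS="135,139,445,593"
LOG_PREFIX="WORM-SCAN: "

# Print (do not run) the iptables rules: log each NEW outbound attempt from the
# LAN to the worm ports (rate-limited so a scanning host cannot flood syslog),
# drop it, and drop the same ports coming in from the WAN.
worm_rules() {
  cat <<EOF
iptables -N WORMSCAN
iptables -A FORWARD -i eth1 -p tcp -m multiport --dports $WORM_PORTS -m conntrack --ctstate NEW -j WORMSCAN
iptables -A WORMSCAN -m limit --limit 30/min --limit-burst 100 -j LOG --log-prefix "$LOG_PREFIX"
iptables -A WORMSCAN -j DROP
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports $WORM_PORTS -j DROP
iptables -A INPUT -p tcp -m multiport --dports $WORM_PORTS -j DROP
EOF
}

# Read kernel log lines on stdin, keep only lines with our prefix, extract the
# SRC= address and count attempts per source, busiest source first.
rank_sources() {
  grep -F "$LOG_PREFIX" \
    | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
    | sort | uniq -c | sort -rn
}

# The single worst offender's IP, i.e. the NAT client to go and look at.
top_source() {
  rank_sources | head -n 1 | awk '{print $2}'
}

# Constructed sample log lines (not a real capture) so this runs stand-alone;
# in practice feed it:  grep 'WORM-SCAN' /var/log/kern.log | rank_sources
SAMPLE_LOG='May 20 01:30:01 gw kernel: WORM-SCAN: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.44.2.9 PROTO=TCP SPT=1234 DPT=445 SYN
May 20 01:30:01 gw kernel: WORM-SCAN: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.44.2.10 PROTO=TCP SPT=1235 DPT=445 SYN
May 20 01:30:02 gw kernel: WORM-SCAN: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.44.2.11 PROTO=TCP SPT=1236 DPT=135 SYN
May 20 01:30:02 gw kernel: WORM-SCAN: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=10.44.2.9 PROTO=TCP SPT=3389 DPT=139 SYN
May 20 01:30:03 gw kernel: unrelated line SRC=192.168.1.99 DPT=80'

# Demo run over the constructed lines: prints "3 192.168.1.57" then "1 192.168.1.12".
printf '%s\n' "$SAMPLE_LOG" | rank_sources
```

The LOG target only fires for connections the gateway forwards, so a worm that is scanning the local /24 directly never crosses the firewall and stays invisible here; that is the case where a span port and ntop (or tcpdump on the LAN interface) are still needed. Counting NEW attempts rather than packets matters because a single legitimate SMB session can carry thousands of packets, while an infected host opens thousands of short-lived connections to addresses that mostly do not answer.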