Sortta OT: How do I see "Win32.Worm.Allaple.Gen" traffic in my Linux firewall?
walter tocalini
curonet at gmail.com
Thu May 20 09:21:46 MST 2010
Question:
Where you have your firewall/gateway, is it a Linux box?
If it is, install ntop.
Help to install:
http://www.howtoforge.com/network_monitoring_with_ntop
On the list of ports in use, click on TCP 135/139/445/593, and the computer with
the most activity will be the bad one.
Add a line to the firewall denying those ports; whether you are using
iptables or whatever else, just close those ports in and out.
ntop is a small program, but effective; it won't cure the problem, but you
will know where to go.
Nagios is another good tool, with more capabilities.
Now, of those 150 puters, how many are Windows? Do you have antivirus for
all of them?
Walter
On Thu, May 20, 2010 at 1:28 AM, Technomage <technomage.hawke at gmail.com> wrote:
> On 5/19/10 5:44 PM, kitepilot at kitepilot.com wrote:
>
>> Hello World:
>> Long story short:
>> I got an "official" notification that a computer behind my Linux firewall
>> has the "Win32.Worm.Allaple.Gen" virus.
>> I have some 150 puters NAT(ed) behind that firewall and no access
>> whatsoever to any of them.
>> Question is:
>> What can I do at the Firewall level to identify the virus' traffic so I
>> can harvest the puter's IP address...
>> Thanks!
>> ET
>>
> from
> http://www.threatexpert.com/report.aspx?md5=732f8e67310a1de1c945948bda2512eb
> ***********
> Summary of the findings:
> What's been found:
> A network-aware worm that uses known exploit(s) in order to replicate
> across vulnerable networks.
> MS04-012: DCOM RPC Overflow exploit - replication across TCP
> 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC
> Bots).
> Contains characteristics of an identified security risk.
> ***********
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
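The procedure Walter describes (watch the worm's ports at the firewall, find the busiest NATed host, then close the ports), as an added example that is not part of the original thread. It uses iptables LOG lines in place of ntop's port view; the interface names (eth1 LAN, eth0 WAN), the log prefix and the addresses are assumptions, and the sample log is constructed, not real data.

```shell
#!/bin/sh
# Added example, not from the original thread. Counts outbound TCP SYNs per
# NATed host to TCP 135/139/445/593 (the ports in the ThreatExpert report) from
# iptables LOG lines, names the busiest host, and prints the blocking rules.
# Assumptions: eth1 is the LAN side, eth0 the WAN side, and the LOG prefix
# "WORMSCAN " comes from the rule printed by logging_rule().

WORM_PORTS="135,139,445,593"

# Step 1: a rule that logs every outbound connection attempt (SYN) to the
# worm ports so the infected host shows up in the kernel log / syslog.
logging_rule() {
    printf 'iptables -I FORWARD -i eth1 -o eth0 -p tcp --syn -m multiport --dports %s -j LOG --log-prefix "WORMSCAN "\n' "$WORM_PORTS"
}

# Step 2: read those LOG lines on stdin and print "<count> <src ip>" for each
# internal host, busiest first. The DPT/SYN check is defensive in case other
# LOG rules share the prefix.
rank_scanners() {
    awk '
        /WORMSCAN/ && /PROTO=TCP/ && / SYN / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && (dpt == "135" || dpt == "139" || dpt == "445" || dpt == "593"))
                hits[src]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -rn
}

# The single IP with the most hits: the candidate infected machine.
top_scanner() {
    rank_scanners | head -n 1 | awk '{ print $2 }'
}

# Step 3: rules that close the worm ports through the firewall in both
# directions (FORWARD sees LAN->WAN and WAN->LAN) and to the firewall itself.
block_rules() {
    printf 'iptables -I FORWARD -p tcp -m multiport --dports %s -j DROP\n' "$WORM_PORTS"
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -j DROP\n' "$WORM_PORTS"
}

# Constructed sample of iptables LOG output (not real data): one host
# sweeping the four ports, one host with a single legitimate SMB connection,
# plus an ACK-only line that the filter must ignore.
SAMPLE_LOG='May 20 09:21:46 fw kernel: WORMSCAN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.0.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1050 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
May 20 09:21:46 fw kernel: WORMSCAN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.0.0.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1051 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
May 20 09:21:47 fw kernel: WORMSCAN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.0.0.14 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=1052 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
May 20 09:21:47 fw kernel: WORMSCAN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.0.0.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=1053 DPT=593 WINDOW=65535 RES=0x00 SYN URGP=0
May 20 09:21:48 fw kernel: WORMSCAN IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=10.0.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=5 DF PROTO=TCP SPT=2001 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
May 20 09:21:49 fw kernel: WORMSCAN IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=6 DF PROTO=TCP SPT=2001 DPT=445 WINDOW=65535 RES=0x00 ACK URGP=0'

# Stand-alone run: show the ranking on the sample, then the rules to apply.
printf '%s\n' "$SAMPLE_LOG" | rank_scanners
printf 'candidate: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | top_scanner)"
logging_rule
block_rules
```

Two caveats worth keeping in mind when using this for real. First, the FORWARD chain only sees traffic that crosses the firewall: a worm sweeping its own LAN segment never reaches it, which is where ntop sniffing the LAN-side interface (or a mirror port) does better than firewall logs. Second, the rules are printed rather than applied so they can be reviewed; `-I` puts them at the top of the chain, ahead of any ACCEPT rules, which is where both the LOG and the DROP rules need to sit.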