PC Review



how did this virus get in

 
 
-keevill-, 23rd Aug 2003
I manage a network of 40 machines all running Win2K Pro. All mail is
delivered through a mailserver which strips all the usual suspects out
(pif, scr, vba, exe etc.). All machines are protected with Norton and yet we
got caught with the Blaster virus and the Welch virus. As yet, not the
Sobig virus!
However, my question is how did the virus get into the network and is
there a way to track down the culprit who perhaps downloaded and opened a
non-screened attachment from somewhere?? Users can download mail from
Hotmail, Yahoo etc. but I believe that this is "safe"? Which machine brought
it in is my big curiosity.
Any ideas appreciated.


 
-keevill-, 23rd Aug 2003
Nothing even in the event log of each machine??


"W.S. Blevins" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sat, 23 Aug 2003 08:04:13 +0700, "-keevill-" <(E-Mail Removed)>
> wrote:
>
> >Users can download mail from
> >Hotmail, Yahoo etc. but I believe that this is "safe"? Which machine brought
> >it in is my big curiosity.
>
> Unless you monitor the activity of your users, you probably can't
> tell. But to answer your question, it is what is referred to as
> "stupid people".



 
The Borg, 23rd Aug 2003
"W.S. Blevins" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sat, 23 Aug 2003 08:04:13 +0700, "-keevill-" <(E-Mail Removed)>
> wrote:
>
> >Users can download mail from
> >Hotmail, Yahoo etc. but I believe that this is "safe"? Which machine brought
> >it in is my big curiosity.


My guess:
Unpatched machines and a wacky Firewall ????

Probably the machine of an administrator who should have known better.
Or he just had too many things to do that he totally forgot to protect his own
system.
The workload of an administrator grows heavier every month.

Working alone as an administrator?

You absolutely need a counterpart to discuss new security issues IRL.

Try to make contact with the administrator your company does business with.
Together you can form a team simply in exchanging ideas and concerns.

Isn't it a nice idea to have someone somewhere else to talk to, to make
company-systems somewhat safer?
So you're not alone?

Nice group this is, but in most cases the harm has already been done.
You're too late when you come to this group... I'm sorry, nearly only
problems here.

Not a good starting point in tackling security issues.

You have to be ahead of that nowadays.

This is only a sort of ER

Is there a doctor in the room?
--
Greetz,
The Borg
(Replies are always appreciated...)
(E-Mail Removed)
(remove ".geenspam" in order to reply properly)
http://computer.clubs.nl/antivirus
Never fly in the same cockpit with someone braver than you.


 
Sugien, 23rd Aug 2003

"-keevill-" <(E-Mail Removed)> wrote in message
news:bi6ej0$5ekcf$(E-Mail Removed)...
> I manage a network of 40 machines all running Win2K Pro. All mail is
> delivered through a mailserver which strips all the usual suspects out
> (pif, scr, vba, exe etc.). All machines are protected with Norton and yet we
> got caught with the Blaster virus and the Welch virus. As yet, not the
> Sobig virus!
> However, my question is how did the virus get into the network and is
> there a way to track down the culprit who perhaps downloaded and opened a
> non-screened attachment from somewhere?? Users can download mail from
> Hotmail, Yahoo etc. but I believe that this is "safe"? Which machine brought
> it in is my big curiosity.
> Any ideas appreciated.
>
>


Hmmm, what is it that is said about Blaster? You don't catch it,
rather it catches you! IOW, it doesn't arrive in email; rather, an
infected machine sends out packets to machines using random IP addresses, and
when it finds an unpatched machine it uses the hole/bug and the resulting
buffer overflow infects your machine. But then I could be wrong, because
personally I only give such reports of infection a casual reading and tend
to forget quickly, because I have to date *never* (unknowingly, but I have
infected myself on my pig/test machine to test what happens and that way
best figure out how to protect myself) been infected by an email virus, or
been the victim of a hole/bug, because for one thing I practice safe hex,
and never open attachments from an unknown source, and even from a known
source I scan it and then, if it looks safe, I email the one that sent it to
me to ask if they did indeed send it to me, to make sure the attachment
wasn't sent by their machine because they were infected.
But if I were to guess I would say you didn't get infected by email,
but rather by a buffer overflow: someone's system picked your IP and
used the buffer overflow. The other way you may have been infected is
someone brought into the office an infected disk because they took some work
home and then brought the work (and the virus) back on the disk.


--
/}
@###{ ]::::::::::ino-Soft Software::::::::::::>
\}
Live WebCam http://www.dino-soft.org/cam


 
-keevill-, 23rd Aug 2003
Tx for input here.
Would a firewall have assisted / prevented this here? I am ashamed to admit
I have not set up a firewall because we are disconnected every 6 hours by
the ISP and a new IP address is assigned AND we use NAT to share the
connection (oh yes ... and I am lazy!!). I will install one now, but
would it have helped in this case?


"Sugien" <(E-Mail Removed)> wrote in message
news:vtA1b.14571$(E-Mail Removed)...
>
> "-keevill-" <(E-Mail Removed)> wrote in message
> news:bi6ej0$5ekcf$(E-Mail Removed)...
> > I manage a network of 40 machines all running Win2K Pro. All mail is
> > delivered through a mailserver which strips all the usual suspects out
> > (pif, scr, vba, exe etc.). All machines are protected with Norton and yet we
> > got caught with the Blaster virus and the Welch virus. As yet, not the
> > Sobig virus!
> > However, my question is how did the virus get into the network and is
> > there a way to track down the culprit who perhaps downloaded and opened a
> > non-screened attachment from somewhere?? Users can download mail from
> > Hotmail, Yahoo etc. but I believe that this is "safe"? Which machine brought
> > it in is my big curiosity.
> > Any ideas appreciated.
> >
> >
>
> Hmmm, what is it that is said about Blaster? You don't catch it,
> rather it catches you! IOW, it doesn't arrive in email; rather, an
> infected machine sends out packets to machines using random IP addresses, and
> when it finds an unpatched machine it uses the hole/bug and the resulting
> buffer overflow infects your machine. But then I could be wrong, because
> personally I only give such reports of infection a casual reading and tend
> to forget quickly, because I have to date *never* (unknowingly, but I have
> infected myself on my pig/test machine to test what happens and that way
> best figure out how to protect myself) been infected by an email virus, or
> been the victim of a hole/bug, because for one thing I practice safe hex,
> and never open attachments from an unknown source, and even from a known
> source I scan it and then, if it looks safe, I email the one that sent it to
> me to ask if they did indeed send it to me, to make sure the attachment
> wasn't sent by their machine because they were infected.
> But if I were to guess I would say you didn't get infected by email,
> but rather by a buffer overflow: someone's system picked your IP and
> used the buffer overflow. The other way you may have been infected is
> someone brought into the office an infected disk because they took some work
> home and then brought the work (and the virus) back on the disk.
>
>
> --
> /}
> @###{ ]::::::::::ino-Soft Software::::::::::::>
> \}
> Live WebCam http://www.dino-soft.org/cam
>
>



 
dave, 23rd Aug 2003
-keevill- wrote:
> I manage a network of 40 machines all running Win2K pro. All mail is
> delivered through a mailserver which strips all the usual suspects out (
> pif, scr, vba, exe etc ) .All machines are protected with Norton and yet we
> got caught with the Blaster virus and the Welch virus. As yet , not the
> Sobig virus!
> However , my question is how did the virus get in to the network and is
> there a way to track down the culprit who perhaps downloaded and opened a
> non-screened attachment from somewhere?? Users can download mail from
> Hotmail , Yahoo etc but I believe that this is "safe"? Which machine brought
> it in is my big curiosity.
> Any ideas appreciated.
>
>



Silly MSCE, 'safe' is for the ignorant.

For Blaster, you obviously have an open port in your firewall,
And you probably still do.

Solution:
Find the open port, and close it.

For SOBIG-F, someone in the organization, or your emailer,
opened a virus infected e-mail.


Solution if Person:
Please proceed to your nearest gun shop, and purchase the
anti-idiot user device with 30 rounds of ammunition, and
eliminate user ... < smirk >

Solution if emailer:
Switch to Linux, install sylpheed, qmail, and spamassassin.

Your fellow workers, and your company, will thank you.

have a nice day

 
Julie Brandon, 23rd Aug 2003
On Sat, 23 Aug 2003 09:52:47 +0700, -keevill- ((E-Mail Removed)) said:
>Tx for input here.
>Would a firewall have assisted / prevented this here? I am ashamed to admit
>I have not set up a firewall because we are disconnected every 6 hours by
>the ISP and a new IP address is assigned AND we use NAT to share the
>connection ( oh yes ... and I am lazy !! ) . I will install one now but
>would it have helped in this case?


In this case... yes, a firewall ought to have helped. As would keeping
your operating systems up-to-date with the latest critical security fixes
(the vulnerability that Blaster and Welchi [sp.] used was fixed with a patch
available at Windows Update a month before Blaster appeared.) *8-(

Sorry to hear you had so much trouble.

Ta-ra,
Julie

BTW, if dynamic IPs cause such a hassle to your config, why not use an ISP who
can provide you with a static IP; we've been using such ISPs in the UK since
'93.

--
Julie Brandon http://www.computergeeks.co.uk/
Sugien, 23rd Aug 2003

"-keevill-" <(E-Mail Removed)> wrote in message
news:bi6kts$5onhd$(E-Mail Removed)...
> Tx for input here.
> Would a firewall have assisted / prevented this here? I am ashamed to admit
> I have not set up a firewall because we are disconnected every 6 hours by
> the ISP and a new IP address is assigned AND we use NAT to share the
> connection (oh yes ... and I am lazy!!). I will install one now, but
> would it have helped in this case?
>
>
> "Sugien" <(E-Mail Removed)> wrote in message
> news:vtA1b.14571$(E-Mail Removed)...
> >
> > "-keevill-" <(E-Mail Removed)> wrote in message
> > news:bi6ej0$5ekcf$(E-Mail Removed)...
> > > I manage a network of 40 machines all running Win2K Pro. All mail is
> > > delivered through a mailserver which strips all the usual suspects out
> > > (pif, scr, vba, exe etc.). All machines are protected with Norton and yet we
> > > got caught with the Blaster virus and the Welch virus. As yet, not the
> > > Sobig virus!
> > > However, my question is how did the virus get into the network and is
> > > there a way to track down the culprit who perhaps downloaded and opened a
> > > non-screened attachment from somewhere?? Users can download mail from
> > > Hotmail, Yahoo etc. but I believe that this is "safe"? Which machine brought
> > > it in is my big curiosity.
> > > Any ideas appreciated.
> > >
> > >
> >
> > Hmmm, what is it that is said about Blaster? You don't catch it,
> > rather it catches you! IOW, it doesn't arrive in email; rather, an
> > infected machine sends out packets to machines using random IP addresses, and
> > when it finds an unpatched machine it uses the hole/bug and the resulting
> > buffer overflow infects your machine. But then I could be wrong, because
> > personally I only give such reports of infection a casual reading and tend
> > to forget quickly, because I have to date *never* (unknowingly, but I have
> > infected myself on my pig/test machine to test what happens and that way
> > best figure out how to protect myself) been infected by an email virus, or
> > been the victim of a hole/bug, because for one thing I practice safe hex,
> > and never open attachments from an unknown source, and even from a known
> > source I scan it and then, if it looks safe, I email the one that sent it to
> > me to ask if they did indeed send it to me, to make sure the attachment
> > wasn't sent by their machine because they were infected.
> > But if I were to guess I would say you didn't get infected by email,
> > but rather by a buffer overflow: someone's system picked your IP and
> > used the buffer overflow. The other way you may have been infected is
> > someone brought into the office an infected disk because they took some work
> > home and then brought the work (and the virus) back on the disk.
> >
> >

I use a router which has a firewall and also NAT, and I have a dynamic IP, and I
have never had any problems; but to answer your question, yes, a firewall most
likely would have stopped Blaster entering your system, or at least warned
you.


--
/}
@###{ ]::::::::::ino-Soft Software::::::::::::>
\}
Live WebCam http://www.dino-soft.org/cam


 
FromTheRafters, 23rd Aug 2003

"-keevill-" <(E-Mail Removed)> wrote in message news:bi6ej0$5ekcf$(E-Mail Removed)...

Those worms do not come from e-mail. They come by way
of an exploit of a buffer overrun vulnerability in the DCOM
RPC service.

MS03-026
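Sugien's and FromTheRafters' posts give the mechanism: Blaster does not arrive by mail, it picks target addresses at random and attacks TCP/135 (the DCOM RPC endpoint fixed by MS03-026), and Welchia pings a range first and then attacks whatever answered. That also gives a way to answer the original question of which machine brought it in. At the NAT box or firewall, an infected host shows up as one internal address fanning out to many distinct destinations on TCP/135 (or with ICMP echo) in a short time, and the host that started doing so earliest is the one to look at. The script below is an added example for this thread, not code posted by anyone in it; the syslog-style log format, the 192.168.1.0/24 addresses and the threshold of eight distinct targets within 60 seconds are assumptions, and the log lines are constructed, not captured traffic.

```python
"""Finding "patient zero" for a TCP/135-scanning worm from perimeter logs.

Added example for this thread; the log format and addresses are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical syslog-style format: "<date> <time> <proto> <src>[:<sport>] -> <dst>[:<dport>]".
# Real firewall or router logs differ; only LINE_RE and parse_line() need changing.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


def parse_line(line):
    """Return a record dict for one log line, or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def is_worm_probe(rec):
    """Outbound traffic shaped like Blaster (TCP/135) or a Welchia ping sweep (ICMP)."""
    return (rec["proto"] == "TCP" and rec["dport"] == 135) or rec["proto"] == "ICMP"


def find_scanners(lines, min_targets=8, window=timedelta(seconds=60)):
    """Map each internal host that probed at least min_targets distinct addresses
    inside one `window` to the timestamp of the probe that opened that window.
    A single TCP/135 connection (normal DCOM use) never trips the threshold."""
    probes = defaultdict(list)          # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and is_worm_probe(rec):
            probes[rec["src"]].append((rec["ts"], rec["dst"]))
    scanners = {}
    for src, events in probes.items():
        events.sort()
        # slide a window over this host's probes, counting distinct destinations
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = t0
                break
    return scanners


def patient_zero(lines, **kw):
    """The scanning host whose fan-out began earliest, or None if nothing scanned."""
    scanners = find_scanners(lines, **kw)
    return min(scanners, key=scanners.get) if scanners else None


def constructed_sample():
    """Constructed sample log, not real traffic (assumed 192.168.1.0/24 LAN).
    192.168.1.23 starts Blaster-style TCP/135 fan-out at 14:03, 192.168.1.40
    starts a Welchia-style ICMP sweep at 14:20, and 192.168.1.7 is a normal
    workstation: web traffic plus one legitimate DCOM connection to a server."""
    lines = [f"2003-08-22 14:03:{11 + i:02d} TCP 192.168.1.23:{1040 + i} -> 203.0.113.{5 + i}:135"
             for i in range(12)]
    lines += [f"2003-08-22 14:20:{i:02d} ICMP 192.168.1.40 -> 192.168.2.{1 + i}"
              for i in range(12)]
    lines += [
        "2003-08-22 14:05:02 TCP 192.168.1.7:1301 -> 198.51.100.10:80",
        "2003-08-22 14:05:40 TCP 192.168.1.7:1302 -> 198.51.100.10:443",
        "2003-08-22 14:06:12 TCP 192.168.1.7:1303 -> 192.168.1.2:135",
        "Aug 22 14:07:00 fw kernel: unrelated line the parser must skip",
    ]
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for src, first in sorted(find_scanners(sample).items(), key=lambda kv: kv[1]):
        print(f"{first}  {src} began fanning out")
    print("patient zero:", patient_zero(sample))
```

The threshold is deliberately on distinct destinations rather than on raw connection count, so a workstation that legitimately talks DCOM to one server is not flagged while a worm that sprays a dozen random addresses in a few seconds is. Without a firewall in front of the NAT box there may be no such log at all, which is the other reason to put one in.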


 
 
Anonymous Sender, 23rd Aug 2003
On Sat, 23 Aug 2003, -keevill- wrote:
>I manage a network of 40 machines all running Win2K pro. All mail is
>delivered through a mailserver which strips all the usual suspects out (
>pif, scr, vba, exe etc ) .All machines are protected with Norton and yet
>we got caught with the Blaster virus and the Welch virus. As yet , not the
>Sobig virus!
> However , my question is how did the virus get in to the network and is
> there a way to track down the culprit who perhaps downloaded and opened a
> non-screened attachment from somewhere?? Users can download mail from
> Hotmail , Yahoo etc but I believe that this is "safe"? Which machine
> brought it in is my big curiosity.
>Any ideas appreciated.
>


You receive money for what you say is 'managing a network of 40 machines'?

Scary.






 