[ale] Apparently used in spam or virus distribution
Jonathan Rickman
jonathan at xcorps.net
Mon Aug 25 00:14:20 EDT 2003
On Sunday 24 August 2003 23:45, Frank Zamenski wrote:
> payload associated with this afterward, but just what the hell is
> really going on here, and what should I be looking for on the Solaris
> side that will aid my Windbloze admin and network engineer brethren
> in 'containing' this thing? Are my Solaris machines, while not
> obviously affected by this junk, INDIRECTLY contributing to the problem
> by also sending out massive ICMP packet sprays on our LAN, in effect
> becoming DoS contributors?
The Nachi/Welchia worm (the so-called good worm) tends to create a nasty
ICMP storm as it probes for vulnerable hosts. If you are on a large network
segment with no VLANs defined, as few as 2 hosts could create significant
congestion. The info for this particular nasty can be found here:
http://sarc.com/avcenter/venc/data/w32.welchia.worm.html
The significance of an outbreak of this is that the system was vulnerable to
the RPC/DCOM remote exploit, which IMO was the worst remote vulnerability
in the history of network computing. Seeing the proof of concept exploit in
action is a jaw dropping experience to say the least. Any hosts exposed to
the Internet that are affected by this should have a thorough forensic exam
and/or a fresh install from known good media.
As for your Sun boxes, so long as there is no central authentication scheme
in place by which a compromised Windows box could gain access to them and
you do not use clear text authentication, you should be fine.
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
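The ICMP sweep Jonathan describes is easy to spot from a packet capture taken on the affected segment: one source address sending echo requests to a large number of distinct destinations in a short window. The following is an added example, not code from the original post or from the list; it parses a constructed, simplified tcpdump-style text dump (the field layout is an assumption) and reports sources whose distinct-destination count within a sliding window exceeds a threshold, which is the kind of evidence a Solaris admin could hand to the Windows team to identify infected hosts.

```python
# Added example (not from the original post): flag hosts that send ICMP echo
# requests to many distinct destinations within a short window, the sweep
# pattern described for Nachi/Welchia. The input lines below are constructed
# and the tcpdump-style field layout is an assumption.
from datetime import datetime, timedelta

# Constructed sample capture: 10.0.5.17 sweeps forty addresses in 10.0.6.0/24,
# the other two sources show ordinary ping traffic.
SAMPLE_CAPTURE = "\n".join(
    [f"22:01:{i:02d}.000 IP 10.0.5.17 > 10.0.6.{i + 1}: ICMP echo request"
     for i in range(40)]
    + [
        "22:01:10.500 IP 10.0.5.2 > 10.0.5.1: ICMP echo request",
        "22:01:11.200 IP 10.0.5.1 > 10.0.5.2: ICMP echo reply",
        "22:01:12.000 IP 10.0.5.9 > 10.0.5.200: ICMP echo request",
        "22:01:13.000 IP 10.0.5.9 > 10.0.5.201: ICMP echo request",
    ]
)


def parse_icmp_requests(text):
    """Return (timestamp, src, dst) tuples for ICMP echo request lines only.

    Expected line shape (assumed): '<HH:MM:SS.ffffff> IP <src> > <dst>: ICMP echo request'
    Echo replies and non-ICMP lines are ignored.
    """
    events = []
    for line in text.splitlines():
        if "ICMP echo request" not in line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[3] != ">":
            continue  # not in the assumed layout; skip rather than guess
        ts = datetime.strptime(fields[0], "%H:%M:%S.%f")
        src = fields[2]
        dst = fields[4].rstrip(":")
        events.append((ts, src, dst))
    return events


def target_counts(events):
    """Total distinct echo-request destinations per source, ignoring time."""
    seen = {}
    for _, src, dst in events:
        seen.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def find_sweepers(events, window_seconds=60, min_targets=20):
    """Sources that hit at least min_targets distinct destinations within any
    window_seconds-long sliding window. Returns {src: peak distinct targets}.
    """
    per_source = {}
    for ts, src, dst in events:
        per_source.setdefault(src, []).append((ts, dst))

    window = timedelta(seconds=window_seconds)
    sweepers = {}
    for src, hits in per_source.items():
        hits.sort()
        peak = 0
        for i, (start, _) in enumerate(hits):
            # Distinct destinations reached from this hit until the window closes.
            in_window = {d for t, d in hits[i:] if t - start <= window}
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            sweepers[src] = peak
    return sweepers


if __name__ == "__main__":
    evts = parse_icmp_requests(SAMPLE_CAPTURE)
    print("distinct targets per source:", target_counts(evts))
    for host, n in find_sweepers(evts).items():
        print(f"possible ICMP sweeper: {host} reached {n} hosts within 60s")
```

The threshold and window are deliberately conservative so that a monitoring host pinging a handful of servers does not trip it; tune `min_targets` to the size of the segment you are watching, and feed the parser real `snoop` or `tcpdump` text only after adjusting the field positions to that tool's output.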
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale