management interface accessibility (was Re: Worm / UDP1434)

Johannes Ullrich jullrich at euclidian.com
Sun Jan 26 17:52:53 UTC 2003



> Therein lies the rub.  I'm curious -- every medium or large company I'm 
> aware of had Code Red on the inside of the firewalls.  What happened 
> this time?  Did it get inside?  If so, has anyone analyzed how?

I haven't seen any widespread behind-the-firewall exposure so far.

I think unlike Code Red / Nimda, there are a few factors that
help:

- most people with firewalls block 1434. This is not true for port 80,
as the web server is usually intended for the public.

- the worm is memory resident. Road warriors that are infected at home
or while traveling are unlikely to introduce this worm into the company
LAN as they come to work on Monday.
 
- this worm only uses port 1434 UDP. Nimda made it past a lot of firewalls
and NAT devices by spreading via e-mail and web clients.


-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org



More information about the NANOG mailing list