virus/worms killing a network...

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sat Jul 31 18:25:51 UTC 2004


On Sat, 31.07.2004 at 20:08, Cristiano Soares wrote:

> I have an FC2 server that has two NICs. The first one is connected to my ADSL router, and the other
> one is connected to a network that receives IPs from that server through DHCPD service, and then
> the FC2 does the firewall/masquerade. All the 30 machines can browse nicely until 2 or maybe more
> machines that have viruses/worms get online. I've seen that W32.MsBlast is the cause of most of
> these link down problems, but now, it looks to be more than just w32.msblast. My question is: IS
> IT POSSIBLE TO INSTALL A SOFTWARE OR SOMETHING LIKE THAT IN THE FC2
> SERVER TO PREVENT OR AT LEAST TO DETECT (by IP number) THE MACHINES THAT
> HAVE THE VIRUS, SO IT DOESN'T KILL MY CONNECTION? Thanks in advance.

> Cristiano

Install an anti-virus tool on each of the Windows[tm] machines to
disinfect them and protect them for the future. Install all available
updates from the MS update site.

If you want to find out the bad hosts from your Linux host you certainly
will have to check which ports these worms use and then run a portscan
against all of the hosts, using nmap. You can also switch on each
Windows[tm] machine one by one and observe the traffic on the NAT
machine to see whether the single running Win machine tries to
"telephone" with other machines. It would also be very helpful to know
the ports the worm uses.

In general, configure your NAT server properly with a good firewalling
setup! This will not protect against all kinds of worms because many
install through Windows[tm] misdesign, security bugs or simply by mail.
Let none of the Windows[tm] hosts run with administrator privileges!

Alexander

P.S. Please don't post html formatted mail to the list, just plain text
mail. Don't shout out. We all understand your question without the need
to cry (capital letter sentences).


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.6-1.435.2.3.ad.umlsmp 
Serendipity 20:17:18 up 1:42, 8 users, 0.02, 0.08, 0.15 
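
Added example, not part of the original message: one way to do the traffic observation suggested above on the NAT machine, by reading iptables LOG lines and flagging LAN hosts that contact many different addresses on the ports W32.Blaster uses (TCP 135, TCP 4444, UDP 69). The interface names, the threshold, the "FWD" log prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Ports associated with W32.Blaster: RPC/DCOM (TCP 135), its remote shell
# (TCP 4444) and TFTP (UDP 69). Extend the set for other worms.
WATCHED = {("TCP", 135), ("TCP", 4444), ("UDP", 69)}
LAN_IF = "eth1"   # assumption: NIC facing the DHCP clients
THRESHOLD = 5     # assumption: distinct destinations before a host is flagged

FIELD = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")

def parse(line):
    """Return the fields of one iptables LOG line, or None if unusable."""
    f = dict(FIELD.findall(line))
    if not {"IN", "SRC", "DST", "PROTO", "DPT"} <= f.keys():
        return None  # e.g. ICMP lines carry no DPT= field
    return f

def suspects(lines, threshold=THRESHOLD):
    """Map LAN source IP -> count of distinct hosts probed on watched ports."""
    fanout = defaultdict(set)
    for line in lines:
        f = parse(line)
        if f is None or f["IN"] != LAN_IF or not f["DPT"].isdigit():
            continue  # skip packets that did not arrive from the LAN side
        if (f["PROTO"], int(f["DPT"])) in WATCHED:
            fanout[f["SRC"]].add(f["DST"])
    return {s: len(d) for s, d in fanout.items() if len(d) >= threshold}

def _line(src, dst, proto, dpt):
    # Constructed sample in the kernel's iptables LOG format (prefix "FWD").
    return (f"Jul 31 20:01:02 gw kernel: FWD IN={LAN_IF} OUT=eth0 SRC={src} "
            f"DST={dst} LEN=48 TTL=127 PROTO={proto} SPT=1034 DPT={dpt}")

SAMPLE = (
    [_line("192.168.0.23", f"198.51.100.{i}", "TCP", 135) for i in range(1, 7)]
    + [_line("192.168.0.10", "203.0.113.80", "TCP", 80)]   # normal browsing
    + [_line("192.168.0.31", "198.51.100.9", "TCP", 135)]  # below threshold
    + ["Jul 31 20:01:03 gw kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.7 "
       "DST=192.168.0.10 LEN=48 TTL=110 PROTO=TCP SPT=2211 DPT=135"]
)

if __name__ == "__main__":
    for ip, n in sorted(suspects(SAMPLE).items()):
        print(f"{ip} contacted {n} distinct hosts on watched ports")
```

Counting distinct destinations rather than packets keeps a single retried connection from flagging a host; the reported source IP can then be matched against the DHCP leases to find the machine.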