virus/worms killing a network...

Jeff Vian jvian10 at charter.net
Sat Jul 31 20:56:45 UTC 2004


On Sat, 2004-07-31 at 13:48, Mike Klinke wrote:
> On Saturday 31 July 2004 13:08, Cristiano Soares wrote:
> > Hi All. I'm desperate to get my network back working fine. Here is
> > my situation.
> >
> > I have a FC2 server that has two NICs. The first one is connected to
> > my ADSL router, and the other one is connected to a network that
> > receives IPs from that server through the DHCPD service, and then the
> > FC2 does the firewall/masquerade. All the 30 machines can browse nicely
> > until 2 or maybe more machines that have viruses/worms get online. I've
> > seen that W32.MsBlast is the cause of most of these link down
> > problems, but now, it looks to be more than just w32.msblast. My
> > question is: IS IT POSSIBLE TO INSTALL SOFTWARE OR SOMETHING
> > LIKE THAT IN THE FC2 SERVER TO PREVENT OR AT LEAST TO DETECT (by IP
> > number) THE MACHINES THAT HAVE THE VIRUS, SO IT DOESN'T KILL MY
> > CONNECTION? Thanks in advance.
> >
> >
> >
> > Cristiano
> 
> 
> One possible solution to investigate is something like an Intrusion
> Detection System which has the ability to react to an intrusion
> ("snort" has some capability along this line) by running a script to
> log in to a network switch and shut off the offending machine(s)
> port(s).
> 
> A better approach might be to periodically scan your network for 
> vulnerable machines and disconnect them from the rest of the network 
> before they're infected until they can be properly updated.  Several 
> free tools are available that detect vulnerable machines; nessus 
> (www.nessus.org) for example.  
> 
> Assuming that your FC2 box is also acting as a firewall I'm curious as
> to how your network machines are getting infected. If you're not
> running a firewall you may want to strongly consider one.
> 
> Regards, Mike Klinke
> 

Simple answer -- 
1)  Uneducated users who open everything they get in the mail or by
instant messaging.  
2)  No virus protection software loaded/not updated.

The firewall would not block mail, and clueless users are the most
dangerous thing on any network.
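
One way to do the by-IP detection asked about at the top of this thread, as an added example that is not part of any poster's message: MSBlast spreads by probing TCP port 135 on many addresses, so a LAN client that opens connections to many distinct hosts on that port stands out in the gateway's firewall log. The logging rule, log prefix, interface names, LAN prefix, threshold and sample lines below are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed logging rule on the gateway (eth1 = LAN side, prefix is arbitrary):
#   iptables -A FORWARD -i eth1 -p tcp --syn -j LOG --log-prefix "FWD-NEW "
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def find_scanners(lines, port=135, threshold=20, lan_prefix="192.168.1."):
    """Map each LAN source IP to the number of distinct hosts it tried on
    `port`, keeping only sources at or above `threshold`."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue
        if m.group("src").startswith(lan_prefix):
            targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}

def constructed_sample():
    """Constructed log lines (documentation address ranges), not real traffic."""
    fmt = ("Jul 31 13:0{m}:{s:02d} fc2gw kernel: FWD-NEW IN=eth1 OUT=eth0 "
           "SRC={src} DST={dst} LEN=48 TTL=127 PROTO=TCP SPT={spt} DPT={dpt} SYN")
    lines = []
    for i in range(40):   # one client sweeping 40 addresses on TCP/135
        lines.append(fmt.format(m=1, s=i, src="192.168.1.23",
                                dst="198.51.100.%d" % (i + 1), spt=1040 + i, dpt=135))
    for i in range(30):   # ordinary web browsing from another client
        lines.append(fmt.format(m=2, s=i, src="192.168.1.40",
                                dst="203.0.113.%d" % (i + 1), spt=2000 + i, dpt=80))
    # a single TCP/135 connection stays below the threshold
    lines.append(fmt.format(m=3, s=0, src="192.168.1.41",
                            dst="198.51.100.9", spt=3000, dpt=135))
    return lines

if __name__ == "__main__":
    for ip, count in sorted(find_scanners(constructed_sample()).items()):
        print("%s contacted %d distinct hosts on TCP/135" % (ip, count))
```

The flagged addresses can be matched against the DHCP lease file on the same server to identify the machines to disconnect and clean.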






