Ports 137-139 inbound should be firmly locked down, as should port 1433. Check out the Symantec Web site and look for "bugbear" for an analysis and removal instructions. This one is spreading faster than CodeRed/Nimda ever did, and that one was fast, and yet still persistent.
================================
This address is filtered through the open relay database at http://www.ordb.org
and is virus scanned by ANTIVIR
http://www.dwhite.ws
mailto:doug@;dwhite.ws
================================

----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Server" <[EMAIL PROTECTED]>
Sent: Friday, November 15, 2002 7:44 AM
Subject: RE: Compromized server?

| > Anything I should specifically look for to see if it is
| > compromised? I do have blackice defender - server version
| > installed, and it blocks a LOT of attempts..
|
| If you have a host-based firewall installed, why are you allowing inbound
| NetBIOS traffic?
|
| I'd look at OS logs (especially logins if you have auditing enabled - I hope
| you do!), user accounts and groups, I'd look for any processes running that
| you don't recognize, and I'd look at inbound and outbound traffic with
| "netstat -A" at the command line, for starters. To be honest, I'm no expert
| at server forensics, though.
|
| Dave Watts, CTO, Fig Leaf Software
| http://www.figleaf.com/
| voice: (202) 797-5496
| fax: (202) 797-5444
|
| ______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
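A defender-side check that ties the two posts together (the netstat audit Dave suggests and the 137-139 / 1433 lockdown in the reply): an added Python example, not code from either poster, that parses a constructed sample of Windows `netstat -an` output and reports which of those ports are listening on a network-reachable address, plus any established sessions on them.

```python
# Constructed sample of "netstat -an" output from a Windows host (not from
# the post): the reply names 137-139 and 1433 as the ports to lock down.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.77:1042      ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""

WATCH_PORTS = {137, 138, 139, 1433}  # NetBIOS name/datagram/session, MS SQL

def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) per socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the "Active Connections" banner and header
        ip, _, port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        rows.append((parts[0], ip, int(port), parts[2], state))
    return rows

def exposed_listeners(rows, watch=WATCH_PORTS):
    """Watched-port sockets that accept traffic from the network."""
    hits = []
    for proto, ip, port, _foreign, state in rows:
        if port not in watch or ip.startswith("127."):
            continue  # loopback-only binds are not reachable from outside
        if proto == "UDP" or state == "LISTENING":  # 0.0.0.0 = every interface
            hits.append((proto, ip, port))
    return hits

def active_sessions(rows, watch=WATCH_PORTS):
    """Established connections on watched ports with the peer, to check against known hosts."""
    return [(proto, port, foreign) for proto, _ip, port, foreign, state in rows
            if port in watch and state == "ESTABLISHED"]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("exposed:", exposed_listeners(rows))
    print("sessions:", active_sessions(rows))
```

Feed it the real output of `netstat -an` instead of the sample and anything in the "exposed" list is a port the host-based firewall should already be blocking inbound.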
