Update your virus checking software.  Patch your software and your OS as far
as you can.  Re. NT use PatchWork as well ( http://grc.com/pw/patchwork.htm ),
it catches things the Microsoft Windows Update seems to overlook.

You may want to get a trojan detector like tds-3 to catch trojans like
CodeRed II.  There are many trojan detectors posted on the 'net.  Beware of
free ones. Stay clear of anything on servers in countries that do not
recognize copyright laws, or who might be actively financing hackers!
Sounds obvious but sometimes people don't think about this when they are
following links on the Web.  Look at where a link leads (bottom status bar
if using IE) before you click. 

You also need something that is current.  Anything that hasn't been updated
in the last year is probably useless.

It seems to me that now we need:

A virus / worm checker
A trojan horse detector
A firewall.

Only one component missing, and you could be in trouble.

The trouble with code red was that it went through port 80, which is left
open by firewalls because that is the port used for HTTP pages (WWW).
Closing that would mean no one could access Web pages.  So firewalls won't
help you re. things like that.  You can now go through any ports that are
left open, and there is software out there to detect ports that were left
open.  

Life is getting complicated!

For trojan detection I like TDS-3 because with some plug-ins, you can send a
message right back to the people who are probing your system using a trojan.
TDS-3 also scans all the processes running in memory, and it comes with
interesting process descriptions for some of those obscure NT services.
This is from first glance, I am running the shareware version at home.  I
have a month to make up my mind and pay up...  

For home, ZoneAlarm (firewall) is free.  I like it because it tells you when
programs are trying to access your machine via ports going in, or out.  So
if a program on your machine wants to access the 'net, you can see which
program is trying to do that and you can decide whether to let it do that or
not.  Sometimes it's hard to decide, though, e.g. distributed COM - should I
let that thing send info out of my computer to the 'net?  It's a built-in
component of Windows, but I don't know.  (btw the author says he programs
only in assembly language)

Re. virus checking F-Prot has a shareware version that's free as long as
you don't mind re-installing it now and again.  I am probably going to buy
it eventually.  I don't know how to compare the effectiveness of these,
though.  Some are more popular out there but to my mind it doesn't mean that
they are ideal, esp. when marketing and mass advertising through the media
is involved.  I haven't seen any honest reviews of virus checking software,
I don't know where to look.

I set up ZoneAlarm and TDS-3 on my machine at home and was surprised to see
what is going on.  With ZoneAlarm you can get the owner for a particular IP
range, so you can see who is trying to ping or intrude on your machine.  A
colleague here says he is on cable modem, and that is even worse than DSL in
terms of hacking activity, he showed me a log where he was a target every
ten minutes on average for a prolonged period of time.  He uses BlackIce
Defender.  Korean and university servers are the most common that I see in
use as launchpads.  It doesn't mean that's where the probes and attacks
are coming from though.  T1, Cable and DSL users are most at risk, but
dial-up clients are vulnerable as well as long as they remain connected.  I
sent e-mails to some ISPs to complain, but they don't appear to care what
people are doing with their net connections, it seems they just want to sell
memberships.  In many cases they want you to prove that damage was done;
someone trying to invade your machine is not illegal.  The irony is that if
someone ever succeeded, I probably wouldn't have the information I would
need to lodge a formal complaint.  I gave up trying to get ISPs to clamp
down, better to prevent these attempts from succeeding than to try to stop
the behaviour.

It's easy to become paranoid...

Regards,
Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin & Operations | Admin. et Exploit. des systèmes
Technology Services        | Services technologiques
Informatics Branch         | Direction de l'informatique
Maritimes Region, DFO      | Région des Maritimes, MPO

E-Mail: [EMAIL PROTECTED]
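As an added example (not code from the original message, nor from any of the tools it names), here is a small Python self-audit in the spirit of the "software to detect ports that were left open" mentioned above: it probes the loopback address only and flags anything listening that is not on an allow-list of services the host is supposed to expose. The allow-list values (80 and 443) and the throwaway demo listener are constructed assumptions for the demonstration.

```python
import socket
from typing import Dict, Iterable, List, Set, Tuple

# Constructed allow-list: the services this host is *supposed* to expose.
# Hypothetical values for the demonstration, not taken from the original message.
EXPECTED_LISTENERS: Set[int] = {80, 443}


def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Return True if something accepts TCP connections on host:port.

    This is a self-audit: the default host is the loopback address, so the
    probe never leaves the machine being checked.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def audit_listeners(ports: Iterable[int],
                    expected: Set[int] = EXPECTED_LISTENERS,
                    host: str = "127.0.0.1") -> Dict[str, List[int]]:
    """Classify each probed port.

    'expected'   - listening and on the allow-list (e.g. port 80 on a web server)
    'unexpected' - listening but NOT on the allow-list: the ports "left open"
                   that the message warns about, worth investigating
    'closed'     - nothing listening
    """
    report: Dict[str, List[int]] = {"expected": [], "unexpected": [], "closed": []}
    for port in ports:
        if not port_is_listening(port, host):
            report["closed"].append(port)
        elif port in expected:
            report["expected"].append(port)
        else:
            report["unexpected"].append(port)
    return report


def open_demo_listener() -> Tuple[socket.socket, int]:
    """Start a throwaway listener on an ephemeral loopback port (constructed
    stand-in for a service that was 'left open'); the caller must close it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, demo_port = open_demo_listener()
    try:
        # Audit the well-known range plus the demo listener; with the allow-list
        # above, the demo port is reported under 'unexpected'.
        report = audit_listeners(list(range(1, 1025)) + [demo_port])
        for status, ports in report.items():
            if status != "closed":
                print(f"{status:10s}: {ports}")
    finally:
        srv.close()
```

The point of the allow-list is the one the message makes about port 80: a firewall cannot close a port the machine legitimately serves on, so the useful question is not "is anything open?" but "is anything open that I did not intend?". Run the audit from the host itself and compare the 'unexpected' list against what you know you installed.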


        -----Original Message-----
        From:   Kevin Kostyszyn [SMTP:[EMAIL PROTECTED]]
        Sent:   Tuesday, August 07, 2001 2:27 PM
        To:     Multiple recipients of list ORACLE-L
        Subject:        RE: Code Red

        Yeah, that's what I read.  I had applied the patch and I don't have
        Code Red or Code Red II, however it appears that I have something else.
        It doesn't seem to have worked but it looks like someone tried to deface
        our website.  It's just a message that says "f--k the us government and
        f--k poisonbox", not sure what to do with it yet.
        KK

        -----Original Message-----
        Brian
        Sent: Tuesday, August 07, 2001 12:56 PM
        To: Multiple recipients of list ORACLE-L


        The worm is just memory resident, so a reboot should get rid of it, BUT
        without the patch, you'll get it right back.

        The problem for the new version is it deposits a trojan backdoor on your
        server.
        Mcafee dat 4152 is supposed to find the trojan, I'm sure other virus
        scanners are releasing versions also.  Check with your anti-virus site.

        > -----Original Message-----
        > From: Kevin Kostyszyn [mailto:[EMAIL PROTECTED]]
        > Sent: Tuesday, August 07, 2001 11:56 AM
        > To: Multiple recipients of list ORACLE-L
        > Subject: Code Red
        >
        >
        > So does anyone know how to get rid of the virus if you got it?
        >
        > Sincerely,
        > Kevin Kostyszyn
        > DBA
        > Dulcian, Inc
        > www.dulcian.com
        > [EMAIL PROTECTED]
        >
        > --
        > Please see the official ORACLE-L FAQ: http://www.orafaq.com
        > --
        > Author: Kevin Kostyszyn
        >   INET: [EMAIL PROTECTED]
        >
        > Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
        > San Diego, California        -- Public Internet access / Mailing Lists
        > --------------------------------------------------------------------
        > To REMOVE yourself from this mailing list, send an E-Mail message
        > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
        > the message BODY, include a line containing: UNSUB ORACLE-L
        > (or the name of mailing list you want to be removed from).  You may
        > also send the HELP command for other information (like subscribing).
        >
        --
        Author: Anderson, Brian
          INET: [EMAIL PROTECTED]

        --
        Author: Kevin Kostyszyn
          INET: [EMAIL PROTECTED]

--
Author: Boivin, Patrice J
  INET: [EMAIL PROTECTED]