Re: [sambar] Nimda interesting

[Jim Burns]

So is that script available? Jim On 14/Oct/2001 02:29:08, Danny Mallory wrote: > Someone correct me if I am mistaken but I don't believe zone alarm will > show an alert > for a request to a port that is not listening. I believe it traps just > prior to the connection > being made. To test this theory, try telneting to port 26 or 27 (one that > is not listening) > and see if zone alarm will warn you. I personally don't run any firewall > software. I simply > just close all the possible holes. However I did forget on an NT machine to > disable NBT > once but I never forget to audit login failures, and I saw probably 100 > failures in a week > while it was dialed up to the net.. After I disabled NBT(WINS), the > failures disappeared. > > I did write a perl script a while back that scans a subnet and checks for > for open > NBT machines and it was really scary seeing how many people there were out > there > that had their entire machine wide open. > > On your statement, I am not sure if I totally understand it... > If NBT is disabled on your home computer, no one can make a connection to you. > If Netbios is disabled on your schools Internet routers, then you cannot > make a connection, > regardless if the PC behind the router is listening for NBT. I would think > they would need > TCP helper enabled and NetBios to allow that. > > Danny > > > At 10/13/2001 10:31 PM, you wrote: > >Hmmm, cant even connect to my shared drives at school (no hardware > >firewall, and ZoneAlarm shows no alerts) over NBT from home. > > > > > >At 11:14 PM 10/12/2001 -0500, you wrote: > >>That is the symptom you will get if the server has nbt disabled on the > >>internet NIC. > >>This is a good thing in that as I mentioned, you can't even attempt to login. > >>Opening up access to drive letters and whatnot are just some things that > >>nimda > >>will do. But it will not enable NBT on a disabled machine. So This > >>machine was > >>more than likely infected by one of the IIS exploits but yet NBT is still > >>secure. > >> > > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >Chris Kafer http://www.grad-college.iastate.edu/ippm/ippmhomepage.html > >ICQ: 12594489 > >PGP key available http://thornlab2.bb.iastate.edu > > > > > >-------------------------------------------------------------------------------- > >For unsubscription of this list send an email to [EMAIL PROTECTED] with > >email > >data containing unsubscribe emailadd sambar > > > > > > > -------------------------------------------------------------------------------- > For unsubscription of this list send an email to [EMAIL PROTECTED] with email > data containing unsubscribe emailadd sambar > > -------------------------------------------------------------------------------- For unsubscription of this list send an email to [EMAIL PROTECTED] with email data containing unsubscribe emailadd sambar