[ale] Apparently used in spam or virus distribution

Frank Zamenski fzamenski at voyager.net
Sun Aug 24 23:45:47 EDT 2003



> Called W32.Sobig.F@mm. Don't know anything about it, but they forwarded
> this at work:
> 
> W32.Sobig.F@mm E-Mail Routine Details: -
> ...

Tsk. This is getting crazy. I understand it is knocking out businesses 
all over?

So, I get a call at home from the boss this morning, something to the 
effect of 'our LAN got hit by a virus, please check your servers', so I 
VPN'd in and checked the Solaris Sun ONE webservers. Servers are fine, 
there are sys resources aplenty, file systems are not filling up, no I/O 
issues etc. There's nothing notable in the webserver logs other than 
the usual<?> IIS hit crap attempts; well, maybe a subjective increase 
in activity. 

Now, I know there's some port probing action associated with this 
W32.Sobig, and that it was triggered and is perpetuated by careless 
people opening infected email attachments with OE, and that there is a 
payload associated with this afterward, but just what the hell is 
really going on here, and what should I be looking for on the Solaris 
side that will aid my Windbloze admin and network engineer brethren 
in 'containing' this thing? Are my Solaris machines, while not 
obviously affected by this junk, INDIRECTLY contributing to the problem 
by also sending out massive ICMP packet sprays on our LAN, in effect 
becoming DoS contributors? 

What should I be looking for in netstat? Should I turn ICMP off? So 
far, Sun has not sent us any directives nor has our Sun field engineer 
called us in any panic, and as a CERT subscriber, I don't recall 
getting anything about *nix systems being part of the problem.

Should I chill? I think not.

Thanks.
-fgz
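Added example, not part of the original post: one concrete answer to "what should I be looking for in netstat?" on a web server during a mass-mailer outbreak is outbound fan-out to TCP/25. A box that is not a mail relay but is talking to many distinct remote hosts on port 25 is either relaying for someone or has been turned into a mailer. The script below parses Solaris-style `netstat -an` output (IPv4 rows, address form a.b.c.d.port), counts distinct SMTP peers per local address and flags any local address at or above a threshold. The netstat rows are constructed sample data; the function names, the threshold and the 192.0.2.x / 198.51.100.x addresses are this example's own assumptions.

```shell
#!/bin/sh
# Triage helper for a suspected mass-mailer: count how many distinct remote
# hosts each local address is talking to on TCP/25 in Solaris-style
# `netstat -an` output. Column layout assumed (Solaris TCP/IPv4 section):
#   Local Address  Remote Address  Swind Send-Q Rwind Recv-Q State
# IPv6 rows are not handled.

# Constructed sample output, not captured from a real host.
sample_netstat() {
cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0 49152      0 IDLE
      *.80                 *.*                0      0 49152      0 LISTEN
10.1.2.3.80          10.1.9.9.51234       49640      0 49640      0 ESTABLISHED
10.1.2.3.80          10.1.9.10.51240      49640      0 49640      0 ESTABLISHED
10.1.2.3.41001       192.0.2.10.25        49640      0 49640      0 ESTABLISHED
10.1.2.3.41002       192.0.2.11.25        49640      0 49640      0 SYN_SENT
10.1.2.3.41003       192.0.2.12.25        49640      0 49640      0 SYN_SENT
10.1.2.3.41004       192.0.2.12.25        49640      0 49640      0 TIME_WAIT
10.1.2.7.41900       198.51.100.5.25      49640      0 49640      0 ESTABLISHED
EOF
}

# Read netstat rows on stdin; print "local_host<TAB>distinct_smtp_peers"
# for every local host with at least one connection whose remote port is 25.
# Header, separator and wildcard (*.*) rows never match the /\.25$/ test.
smtp_peers() {
    awk '
        NF >= 7 && $2 ~ /\.25$/ {
            split($1, l, ".")
            split($2, r, ".")
            lhost = l[1] "." l[2] "." l[3] "." l[4]
            rhost = r[1] "." r[2] "." r[3] "." r[4]
            key = lhost SUBSEP rhost
            # count each (local, remote) pair once, whatever the TCP state
            if (!(key in seen)) { seen[key] = 1; peers[lhost]++ }
        }
        END { for (h in peers) print h "\t" peers[h] }
    ' | sort
}

# Print local hosts whose distinct SMTP peer count meets the threshold
# (default 3 for the sample; pick something like 20 on a real server).
flag_smtp_fanout() {
    threshold=${1:-3}
    smtp_peers | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Usage on the sample:   sample_netstat | flag_smtp_fanout 3
# Usage on a live host:  netstat -an | flag_smtp_fanout 20
```

On the sample, 10.1.2.3 has three distinct SMTP peers (192.0.2.12 appears twice but is counted once) and is flagged; 10.1.2.7 has one and is not. A flagged host is a lead, not a verdict: a legitimate outbound mail gateway looks exactly like this, so compare the result against which machines are supposed to send mail before anyone starts pulling cables.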

