Automatic Packet filters

  • From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
  • To: "ISALists" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Aug 2003 13:22:56 -0500

I have used the script to auto create the packet filter for intrusion,
and one address has been created more than once, with reg key looking
info.
Block attacker 221.3.131.6{CF3F0169-E459-41A3-A29E-DC902511EDF7}
A different key each time, 13 of them.
What are these?

Jeff Sloan 
Network Administrator 
Cross Oil Refining & Marketing, Inc. 
484 E. 6th St. 
Smackover, AR 71762 

Phone 870-864-8688
Fax     870-864-8689 
Cell     870-866-9941 



-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Friday, August 22, 2003 11:56 AM
To: ISALists
Subject: [isalist] RE: Important info on Sobig.F


http://www.ISAserver.org


Additional information:

> 
> Computers infected with the Sobig.F worm are programmed
> to automatically download an executable of unknown function from a
> hard-coded list of servers at 19:00 UTC (3:00pm EDT). X-Force is 
> recommending wholesale outbound filtering of the following IP 
> addresses:
> 
> The request method uses UDP port 8998. X-Force also recommends that 
> this port be filtered outbound.
>

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -----Original Message-----
> From: John Tolmachoff [mailto:john@xxxxxxxxxxxxxxxxxxx]
> Sent: Friday, August 22, 2003 9:46 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Important info on Sobig.F
> Importance: High
> 
> 
> Please read this:
> 
> http://f-secure.com/news/items/news_2003082200.shtml
> 
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
> 
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com No.1 
> Exchange Server Resource Site: http://www.msexchange.org Windows 
> Security Resource Site: http://www.windowsecurity.com/ Network 
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> johnlist@xxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to 
> $subst('Email.Unsub')
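
An added example, not part of the thread and not the script mentioned in the question: one way to list which blocked addresses have more than one auto-created filter, by parsing names of the form shown in the post (`Block attacker <IP>{<GUID>}`). It assumes the filter names have already been exported as plain strings; the function names and all sample names except the first are constructed for illustration.

```python
import ipaddress
import re
import uuid
from collections import defaultdict

# Name layout taken from the post: "<label> <IPv4>{<GUID>}".
NAME_RE = re.compile(
    r"^(?P<label>.+?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\{(?P<guid>[^{}]+)\}$"
)

def parse_filter_name(name):
    """Return (label, ip, guid), or None if the name does not fit the layout."""
    m = NAME_RE.match(name.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))   # rejects e.g. 999.1.1.1
        guid = uuid.UUID(m.group("guid"))           # rejects malformed GUIDs
    except ValueError:
        return None
    return m.group("label"), str(ip), str(guid).upper()

def duplicate_filters(names):
    """Group names by blocked IP; return (IPs with >1 filter, unparsed names)."""
    by_ip = defaultdict(list)
    unparsed = []
    for name in names:
        parsed = parse_filter_name(name)
        if parsed is None:
            unparsed.append(name)   # keep for manual review, never drop silently
            continue
        _, ip, guid = parsed
        by_ip[ip].append(guid)
    dupes = {ip: guids for ip, guids in by_ip.items() if len(guids) > 1}
    return dupes, unparsed

# Constructed sample: the first name is quoted from the post, the rest are made up.
SAMPLE = [
    "Block attacker 221.3.131.6{CF3F0169-E459-41A3-A29E-DC902511EDF7}",
    "Block attacker 221.3.131.6{11111111-2222-3333-4444-555555555555}",
    "Block attacker 192.0.2.10{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
    "Block attacker 999.1.1.1{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEE1}",
    "DNS lookup",
]

if __name__ == "__main__":
    dupes, unparsed = duplicate_filters(SAMPLE)
    for ip, guids in dupes.items():
        print(f"{ip}: {len(guids)} filters -> {', '.join(guids)}")
    print("not matched:", unparsed)
```
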


