I have used the script to auto create the packet filter for intrusion, and one address has been created more than once, with reg key looking info.

Block attacker 221.3.131.6{CF3F0169-E459-41A3-A29E-DC902511EDF7}

A different key each time, 13 of them. What are these?

Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc.
484 E. 6th St.
Smackover, AR 71762
Phone 870-864-8688
Fax 870-864-8689
Cell 870-866-9941

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Friday, August 22, 2003 11:56 AM
To: ISALists
Subject: [isalist] RE: Important info on Sobig.F

http://www.ISAserver.org

Additional information:

> Computers infected with the Sobig.F worm are programmed
> to automatically download an executable of unknown function from a
> hard-coded list of servers at 19:00 UTC (3:00pm EDT). X-Force is
> recommending wholesale outbound filtering of the following IP
> addresses:
>
> The request method uses UDP port 8998. X-Force also recommends that
> this port be filtered outbound.
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

> -----Original Message-----
> From: John Tolmachoff [mailto:john@xxxxxxxxxxxxxxxxxxx]
> Sent: Friday, August 22, 2003 9:46 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Important info on Sobig.F
> Importance: High
>
> http://www.ISAserver.org
>
> Please read this:
>
> http://f-secure.com/news/items/news_2003082200.shtml
>
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
> $subst('Email.Unsub')
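
The quoted advisory recommends filtering UDP port 8998 outbound. The following is an added example, not part of the original thread or of any ISA Server tooling, that reviews firewall log records to list internal hosts sending outbound UDP/8998 and whether that traffic was still allowed. The log layout, the `10.0.0.0/8` internal range, and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SOBIG_F_UDP_PORT = "8998"  # outbound request port named in the advisory
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample records; the layout (date time src dst proto dport
# action) is an assumption, not ISA Server's native log format.
SAMPLE_LOG = """\
2003-08-22 18:59:58 10.0.0.15 198.51.100.7 UDP 8998 ALLOW
2003-08-22 19:00:03 10.0.0.15 198.51.100.9 UDP 8998 BLOCK
2003-08-22 19:00:04 10.0.0.22 203.0.113.5 UDP 53 ALLOW
2003-08-22 19:00:09 10.0.0.31 198.51.100.7 UDP 8998 BLOCK
2003-08-22 19:00:11 203.0.113.80 10.0.0.5 UDP 8998 BLOCK
2003-08-22 19:01:40 10.0.0.22 198.51.100.7 TCP 8998 ALLOW
malformed line
"""

def find_udp_8998_hosts(log_text):
    """Map each internal source IP that sent outbound UDP/8998 to its
    allowed/blocked counts and the timestamp of the first such record."""
    hosts = defaultdict(lambda: {"allowed": 0, "blocked": 0, "first_seen": None})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip blank or malformed records
        date, time, src, dst, proto, dport, action = fields
        if proto.upper() != "UDP" or dport != SOBIG_F_UDP_PORT:
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable address field
        # Outbound only: internal source talking to an external destination.
        if src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue
        entry = hosts[src]
        entry["allowed" if action.upper() == "ALLOW" else "blocked"] += 1
        if entry["first_seen"] is None:
            entry["first_seen"] = f"{date} {time}"
    return dict(hosts)

def unfiltered_hosts(hosts):
    """Internal hosts whose UDP/8998 traffic was allowed out at least once."""
    return sorted(ip for ip, e in hosts.items() if e["allowed"] > 0)

if __name__ == "__main__":
    found = find_udp_8998_hosts(SAMPLE_LOG)
    for ip, e in sorted(found.items()):
        print(ip, e)
    print("allowed out on UDP/8998:", unfiltered_hosts(found))
```

Hosts that appear in the result are candidates for a Sobig.F infection check; any host returned by `unfiltered_hosts` also shows that the outbound filter was not in effect for that record.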