RE: Nachi

• From: "Amy Babinchak" <Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Wed, 19 Nov 2003 17:38:48 -0500

Sounds like another case of blame the product rather than the person
that failed to keep the anti-virus software up to date. 

 

I speak from experience here. I had to cure a Nachi infected network
because the admin of that company thought that servers didn't need
anti-virus software as long as all the workstations had it installed.
(I'm sure you can see this coming.) All it took was one outside sales
guy notebook that didn't update its virus definitions to infect all of
the servers and annoy the rest of the workstations. It was money for me.
But there too, the admin was stumped as to why the firewall alarm kept
going off. Gee.

 

Amy 

 

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, November 19, 2003 4:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Nachi

 

http://www.ISAserver.org

It is ICMP. Just because you are blocking it outbound does not stop the
infected computer from trying to go out. Ever here of DOS? This is what
it is doing.

 

 

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Phill Hardstaff [mailto:phillh@xxxxxxx] 
Sent: Wednesday, November 19, 2003 1:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Nachi

 

http://www.ISAserver.org

Can anyone tell me why the Nachi worm brings my ISA firewall to it's
knees, I have ICMP disabled outgoing but as soon as I get a machine
behind the firewall with Nachi on it the firewall service goes to 100%,
the server looks like it's dead but it's not, disconnect the internal
NIC and it comes back to life straight way, even if I disable my DNS
server (behind the firewall) it still stays at 100%, so it's not ICMP
and it's not DNS, so what is it and more importantly how come ISA chokes
on it so easily ?

I could understand ISA choking on 100 Nachi boxes on a 100Mb internal
link but yesterday I had 2 infected machines behind the firewall
connected over a 128Kb link taking the firewall service to 100% ?? I
have even turned off logging and anything else that might use up CPU,
still the same happens. I am seriously considering changing firewalls.

Cheers 

Phill 

Phill Hardstaff 
MCSA, CCNA, A+, Network+, Inet+, Server+, CIW Assoc. 
Senior Support Engineer 
Secretariat of the Pacific Community 
B.P. D5 
Noumea Cedex - 98848 
New Caledonia 

Phone +687-260141 
Mobile +687 838091 
Fax +687-263818 
Email phillh@xxxxxxx 
SPC Web Page http://www.spc.int/ 
Personal Web Page http://www.hardstaff.com/ 
Personal Email Phill@xxxxxxxxxxxxx 
Personal Fax +1 (603) 299-5640 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.542 / Virus Database: 336 - Release Date: 18/11/2003
  

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub') 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub') 

Other related posts:

• » Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi
• » RE: Nachi

1. Home
2. isalist
3. Archive
4. 11-2003

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---