[PLUG] Good grief, Charlie Brown (massive worm assault)

Sandy Herring sandy at herring.org
Sun May 25 20:57:01 UTC 2003


On Sun, 25 May 2003, Steven A. Adams wrote: 
> On Sun, 2003-05-25 at 15:29, Sandy Herring wrote:
> > Any other webmasters logging traffic like this? Any idea what flavor of worm
> > is at work? This guy consistently got redir'd since his browser reports
> > neither referer nor agent...
> > 
> 
> It's probably a nessus scan ( www.nessus.org ). Everything in the logs
> that you included looks like it's focused at Windoze and nessus is built
> to scan for these vulnerabilities and much more. If your machine isn't
> an IIS box I wouldn't worry - unless this sort of stuff continues.
> 
> Steve

Steve,

Thanks for the nessus pointer. I wasn't aware of this tool (looks
interesting). However, the scan didn't come from the LAN side of my
firewall, it came from Taiwan - which leads me to believe that either:

(1) the originating host was infected with a worm, or
(2) if it was nessus at work, they had misconfigured it, since (quoting the
nessus FAQ)...

1.5.5. What kind of a hole must I punch in my firewall to let nessus do its
  job?

  To be honest: If you put any kind of firewall on the nessus server or
  between the nessus server and the host you are trying to test you will get
  a distorted result. You will not be able to rely on the results from your
  scan.

  Putting a firewall on the nessus server to secure the nessus server is an
  incorrect approach. (Or at least an incomplete approach.) Harden the
  server instead.

  If you have a firewall between the host you are about to test and the
  nessus server then you will get a result that is not similar to that of
  testing the host directly. This may be the desired result. If you want to
  be 100% sure you have hardened your host you should not rely on a firewall
  in front of it.

cheers,
Sandy
-- 
Sandy Herring, RHCE                        o              sandy at herring.org
Peck of Pickled Pisces               __  o               http://herring.org/
UNIX or Web authoring questions?  |\/ o\  o  http://herring.org/finger.html
->http://herring.org/techie.html  |/\__/     http://herring.org/pub-key.asc
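The "no referer, no agent" pattern Sandy is redirecting on can be pulled out of an Apache combined-format access log and tagged by whether the source address sits on the LAN side (RFC 1918 or loopback) or outside it. The script below is an added example and is not code from this thread or from Nessus; the log lines in it are constructed to resemble IIS-targeted worm probes, not taken from herring.org's actual logs, and the function and variable names are my own.

```python
import ipaddress
import re

# Apache "combined" LogFormat: the two trailing quoted fields are Referer and
# User-Agent; Apache writes "-" when the client sent neither header.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# "LAN side of the firewall": RFC 1918 ranges plus loopback. Anything else is
# treated as external (the Taiwan case in the thread).
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample log (assumption: four lines, not from the original post).
SAMPLE_LOG = """\
192.168.1.20 - - [25/May/2003:15:01:02 -0700] "GET /index.html HTTP/1.1" 200 1234 "http://herring.org/" "Mozilla/4.0"
203.0.113.45 - - [25/May/2003:15:02:10 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 0 "-" "-"
203.0.113.45 - - [25/May/2003:15:02:11 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 302 0 "-" "-"
10.0.0.5 - - [25/May/2003:15:03:00 -0700] "GET /techie.html HTTP/1.1" 302 0 "-" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise Apache's "-" placeholder to an empty string so absence tests are simple.
    for field in ("referer", "agent"):
        if rec[field] == "-":
            rec[field] = ""
    return rec


def is_lan_address(ip):
    """True if ip falls inside one of LAN_NETWORKS; malformed addresses count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def flag_headerless_requests(log_text):
    """Return (ip, request_line, origin) for every request sent with neither
    Referer nor User-Agent, where origin is "lan" or "external"."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] or rec["agent"]:
            continue
        origin = "lan" if is_lan_address(rec["ip"]) else "external"
        hits.append((rec["ip"], rec["req"], origin))
    return hits


def summarize_by_source(hits):
    """Count headerless requests per (ip, origin) so repeat scanners stand out."""
    counts = {}
    for ip, _req, origin in hits:
        key = (ip, origin)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = flag_headerless_requests(SAMPLE_LOG)
    for ip, req, origin in found:
        print(f"{origin:8s} {ip:15s} {req}")
    print(summarize_by_source(found))
```

Run against a real log, an external source that repeats this pattern across many IIS-style paths in a short window is the worm/scanner signature Steve describes; a single LAN host doing the same is more likely a local Nessus run or a misbehaving client, which is the distinction Sandy draws.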