[Techtalk] How to block Blaster Worm from iptables ?

Rasjid Wilcox rasjidw at openminddev.net
Sun Aug 24 17:58:21 EST 2003


On Sunday 24 August 2003 02:22, Brenda Bell wrote:
>
> A solid firewall should only open the ports that are absolutely required.

Just to second this and to share a recent experience.

A year or so ago I set up our work's firewall.  All incoming connections were 
denied except mail and VPN, but I allowed all outgoing connections since it 
seemed the easiest thing to do.  However, I did make one exception 
(thankfully), which is that mail could only be sent out from our internal 
mail-server.  Our mail-server has virus scanning, and since all our machines 
were configured to send out via our local mail-server, I figured that no-one 
would complain if I blocked outgoing connections on port 25.  I also figured 
that if a virus did get in and try to send itself out directly, it would show 
up in the firewall logs.

A few weeks ago I was checking the firewall logs and noticed that something 
was trying to connect out on port 25 to a hotmail server.  Moreover, it was 
attempting to do so every 30 seconds.  I did not like the look of this at 
all.  Went down to the machine in question.  Ran a full virus scan.  
Nothing.  Firewall still showing suspect activity.  Installed ZoneAlarm, but 
ZoneAlarm could not be run.  Now I knew there was something strange going on.  
Pulled hair out for an hour or two.  Eventually found a utility that maps 
ports to active processes (can't remember its name at the moment, but it was 
the only one I could find that did this for Windows 98) and found the 
offending file.  pidlex.exe.  Turns out it was a trojan called 
Backdoor.Niovadoor.  It disables various antivirus and firewall programs, and 
attempts to send back passwords etc to ... someone.  Not happy!  But once 
found, it was fairly easy to clean up.

The only reason this trojan was spotted was because I had decided to block 
outgoing connections to port 25 (except from our mail server - which runs 
Linux anyway and so is not going to be affected by Windows viruses).

I now block all outgoing connections that are not required for business 
reasons.  I allow http, https, ftp, pop, dns and a few others I can't think of 
right now, but everything else outgoing is blocked and logged. Amazingly 
enough, not a single user (of around 35) has complained.  So I guess no-one 
was using ICQ etc after all!

Our network is not 100% secure.  None is.  But now if something does get in, I 
am much more likely to notice if it attempts to make any unusual outgoing 
connection.  And it will be much harder for it to spread itself.

So to anyone out there who thinks that blocking outgoing connections with your 
firewall is a bit 'over the top' (as I used to) I would suggest otherwise.

And if playing around with iptables etc is not really your thing, then get a 
good 'pre-packaged' system like IPCop, Smoothwall, Astaro etc.

Thanks for listening.  :-)

Rasjid.

-- 

Rasjid Wilcox
Canberra, Australia  UTC + 10
http://www.openminddev.net
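An added example, not from the post or the list: an iptables rule set (POSIX sh) for the egress policy Rasjid describes, where only the internal mail server may reach port 25 outside and everything not on the allowed list is logged and dropped. The addresses, the interface name and the dry-run `IPT` variable are assumptions, not values from the post.

```shell
#!/bin/sh
# Egress policy from the post: LAN hosts may reach only http, https, ftp, pop
# and dns outside; only the internal mail server may reach port 25; everything
# else leaving the LAN is logged, then dropped.
# Assumed values (constructed, not from the post): addresses and interface.
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # internal network
MAIL_SERVER="${MAIL_SERVER:-192.168.1.10}"  # the only host allowed SMTP out
WAN_IF="${WAN_IF:-eth0}"                    # interface facing the Internet
# Dry run by default: prints the rules instead of loading them.
# Run with IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"

egress_rules() {
    # Replies to connections already allowed pass without further checks.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Send every new LAN-to-Internet packet through the EGRESS chain.
    $IPT -N EGRESS
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j EGRESS

    # SMTP: only the mail server (which does the virus scanning) may send out.
    # A workstation talking to port 25 directly falls through to LOG and DROP.
    $IPT -A EGRESS -p tcp --dport 25 -s "$MAIL_SERVER" -j ACCEPT

    # DNS (udp and tcp), then the business services the post lists.
    $IPT -A EGRESS -p udp --dport 53 -j ACCEPT
    $IPT -A EGRESS -p tcp --dport 53 -j ACCEPT
    for port in 80 443 21 110; do       # http, https, ftp, pop
        $IPT -A EGRESS -p tcp --dport "$port" -j ACCEPT
    done

    # Everything else: log (rate-limited so a chatty trojan cannot fill the
    # disk) and drop. Each hit shows up in the kernel log as "EGRESS-DROP: ".
    $IPT -A EGRESS -m limit --limit 6/min -j LOG --log-prefix "EGRESS-DROP: "
    $IPT -A EGRESS -j DROP
}

egress_rules
```

The 30-second connection attempts to a hotmail server from the post would appear as a stream of "EGRESS-DROP:" lines naming the workstation's address, which is the signal the post relies on.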

