
RE: Code Red

From: Kevin Kostyszyn <kevin_at_dulcian.com>
Date: Tue, 07 Aug 2001 11:25:15 -0700
Message-ID: <F001.0036326A.20010807113536@fatcity.com>

Patrice,

I have a friend downstairs who said I should use F-Prot to get rid of this rogue web page; I am going to download it now. I am interested in this TDS-3 program. Can I get that at downloads.com, or is it somewhere else?
KK

-----Original Message-----
Patrice J
Sent: Tuesday, August 07, 2001 3:06 PM
To: Multiple recipients of list ORACLE-L

Update your virus checking software. Patch your software and your OS as far as you can. Re. NT, use PatchWork as well (http://grc.com/pw/patchwork.htm); it catches things the Microsoft Windows Update seems to overlook.

You may want to get a trojan detector like TDS-3 to catch trojans like CodeRed II. There are many trojan detectors posted on the 'net. Beware of free ones. Stay clear of anything on servers in countries that do not recognize copyright laws, or that might be actively financing hackers! Sounds obvious, but sometimes people don't think about this when they are following links on the Web. Look at where a link leads (bottom status bar if using IE) before you click.

You also need something that is current. Anything that hasn't been updated in the last year is probably useless.

It seems to me that now we need:

A virus / worm checker
A trojan horse detector
A firewall.

Only one component missing, and you could be in trouble.

The trouble with code red was that it went through port 80, which is left open by firewalls because that is the port used for HTTP pages (WWW). Closing that would mean no one could access Web pages. So firewalls won't help you re. things like that. You can now go through any ports that are left open, and there is software out there to detect ports that were left open.

Life is getting complicated!

For trojan detection I like TDS-3 because with some plug-ins, you can send a message right back to the people who are probing your system using a trojan. TDS-3 also scans all the processes running in memory, and it comes with interesting process descriptions for some of those obscure NT services. This is from first glance, I am running the shareware version at home. I have a month to make up my mind and pay up...

For home, ZoneAlarm (firewall) is free. I like it because it tells you when programs are trying to access your machine via ports going in, or out. So if a program on your machine wants to access the 'net, you can see which program is trying to do that and you can decide whether to let it do that or not. Sometimes it's hard to decide, though, e.g. distributed COM - should I let that thing send info out of my computer to the 'net? It's a built-in component of Windows, but I don't know. (btw the author says he programs only in assembly language)

Re. virus checking F-Prot has a shareware version, that's free as long as you don't mind re-installing it now and again. I am probably going to buy it eventually. I don't know how to compare the effectiveness of these, though. Some are more popular out there but to my mind it doesn't mean that they are ideal, esp. when marketing and mass advertising through the media is involved. I haven't seen any honest reviews of virus checking software, I don't know where to look.

I set up ZoneAlarm and TDS-3 on my machine at home and was surprised to see what is going on. With ZoneAlarm you can get the owner for a particular IP range, so you can see who is trying to ping or intrude on your machine. A colleague here says he is on cable modem, and that is even worse than DSL in terms of hacking activity; he showed me a log where he was a target every ten minutes on average for a prolonged period of time. He uses BlackIce Defender. Korean and university servers are the most common that I see in use as launchpads. It doesn't mean that's where the probes and attacks are coming from, though. T1, cable and DSL users are most at risk, but dial-up clients are vulnerable as well, as long as they remain connected. I sent e-mails to some ISPs to complain, but they don't appear to care what people are doing with their net connections; it seems they just want to sell memberships. In many cases they want you to prove that damage was done; someone trying to invade your machine is not illegal. The irony is that if someone ever succeeded, I probably wouldn't have the information I would need to lodge a formal complaint. I gave up trying to get ISPs to clamp down; better to prevent these attempts from succeeding than to try to stop the behaviour.

It's easy to become paranoid...

Regards,
Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin & Operations | Admin. et Exploit. des systèmes
Technology Services        | Services technologiques
Informatics Branch         | Direction de l'informatique
Maritimes Region, DFO      | Région des Maritimes, MPO

E-Mail: boivinp_at_mar.dfo-mpo.gc.ca

        -----Original Message-----
        From:   Kevin Kostyszyn [SMTP:kevin_at_dulcian.com]
        Sent:   Tuesday, August 07, 2001 2:27 PM
        To:     Multiple recipients of list ORACLE-L
        Subject:        RE: Code Red

        Yeah, that's what I read. I had applied the patch and I don't have Code Red or Code Red II; however, it appears that I have something else. It doesn't seem to have worked, but it looks like someone tried to deface our website. It's just a message that says "f--k the us government and f--k poisonbox", not sure what to do with it yet.
        KK

        -----Original Message-----
        Brian
        Sent: Tuesday, August 07, 2001 12:56 PM
        To: Multiple recipients of list ORACLE-L


        The worm is just memory resident, so a reboot should get rid of it, BUT without the patch, you'll get it right back.

        The problem for the new version is it deposits a trojan backdoor on your server. McAfee DAT 4152 is supposed to find the trojan; I'm sure other virus scanners are releasing versions also. Check with your anti-virus site.

> -----Original Message-----
> From: Kevin Kostyszyn [mailto:kevin_at_dulcian.com]
> Sent: Tuesday, August 07, 2001 11:56 AM
> To: Multiple recipients of list ORACLE-L
> Subject: Code Red
>
>
> So does anyone know how to get rid of the virus if you got it?
>
> Sincerely,
> Kevin Kostyszyn
> DBA
> Dulcian, Inc
> www.dulcian.com
> kevin_at_dulcian.com
>
        --
        Author: Anderson, Brian
          INET: andersob_at_mail.dartnet.peachnet.edu



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Kevin Kostyszyn
  INET: kevin_at_dulcian.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Tue Aug 07 2001 - 13:25:15 CDT
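Patrice's point about the firewall (the worm rides in on port 80, which a web server has to leave open) is exactly where request-level inspection has to take over from port filtering. As an added example that is not from the thread or any of its authors: a Python script that parses IIS W3C Extended log lines and flags requests to the Index Server ISAPI extension (.ida/.idq) whose query string is overlong or a run of repeated filler bytes, which is how Code Red and Code Red II delivered their overflow (publicly documented worm behaviour, not something the thread itself states). The log lines, IP addresses, filler lengths and thresholds below are constructed for the example.

```python
"""Added example, not part of the original mailing-list thread.

A firewall passes TCP/80, so the worm's single HTTP request goes straight to IIS.
The server's own W3C log still records that request, and the Code Red family's
request had a recognisable shape: a GET to the Index Server ISAPI extension
(.ida / .idq) with a query string that was a long run of filler bytes.
Everything below (log lines, addresses, thresholds) is constructed.
"""
from typing import Iterator, List, NamedTuple, Optional

ISAPI_EXTENSIONS = (".ida", ".idq")
MAX_SANE_QUERY_LEN = 200   # assumption: legitimate Index Server queries are far shorter
MIN_FILLER_RUN = 32        # assumption: 32+ query bytes drawn from <= 2 distinct chars is filler

FILLER_N = "N" * 224       # constructed padding run, standing in for the worm's request padding
FILLER_X = "X" * 64        # constructed shorter run, to exercise the second rule

# Constructed IIS 5.0 W3C Extended log excerpt (fields named by the #Fields directive).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-07 14:02:11 192.0.2.17 GET /index.htm - 200",
    "2001-08-07 14:02:19 192.0.2.17 GET /images/logo.gif - 200",
    f"2001-08-07 14:03:02 198.51.100.9 GET /default.ida {FILLER_N} 200",
    "2001-08-07 14:04:31 192.0.2.33 GET /search.idq CiRestriction=oracle&CiMaxRecordsPerPage=10 200",
    f"2001-08-07 14:05:40 203.0.113.44 GET /default.ida {FILLER_X} 200",
    "2001-08-07 14:06:12 192.0.2.17 GET /default.ida - 404",
])


class Finding(NamedTuple):
    timestamp: str
    client_ip: str
    uri_stem: str
    query_len: int
    reason: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line appears before the #Fields directive")
        values = line.split()               # W3C format is space-delimited, spaces in values are encoded
        if len(values) != len(fields):
            continue                        # skip a malformed line rather than abort the scan
        yield dict(zip(fields, values))


def classify(row: dict) -> Optional[str]:
    """Return a reason string if the request looks like an ISAPI overflow probe, else None."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "-")
    if not stem.endswith(ISAPI_EXTENSIONS) or query == "-":
        return None                         # only .ida/.idq requests with a query are of interest
    if len(query) > MAX_SANE_QUERY_LEN:
        return "overlong query to Index Server ISAPI extension"
    if len(query) >= MIN_FILLER_RUN and len(set(query)) <= 2:
        return "repeated-byte filler in ISAPI query"
    return None


def scan_log(text: str) -> List[Finding]:
    """Run classify() over every parsed row and collect the suspicious requests."""
    findings: List[Finding] = []
    for row in parse_w3c(text):
        reason = classify(row)
        if reason is None:
            continue
        findings.append(Finding(
            timestamp=f"{row['date']} {row['time']}",
            client_ip=row["c-ip"],
            uri_stem=row["cs-uri-stem"],
            query_len=len(row["cs-uri-query"]),
            reason=reason,
        ))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} {f.uri_stem} ({f.query_len} bytes): {f.reason}")
```

Run against a real IIS log directory by replacing SAMPLE_LOG with the file contents; the two rules are deliberately narrow (extension plus query shape) so that ordinary Index Server searches, like the constructed search.idq line, are not flagged. Finding a hit tells you only that the probe arrived, not whether it succeeded; an unpatched server that logged such a request should be treated as compromised until checked, which is Brian's point about reinfection without the patch.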
