RE: Code Red

From: Boivin, Patrice J <BoivinP_at_mar.dfo-mpo.gc.ca>
Date: Tue, 07 Aug 2001 11:47:03 -0700
Message-ID: <F001.0036336B.20010807115545@fatcity.com>

http://tds.diamondcs.com.au/html/intro.htm

Regards,
Patrice Boivin
Systems Analyst (Oracle Certified DBA)

        -----Original Message-----
        From:   Kevin Kostyszyn [SMTP:kevin_at_dulcian.com]
        Sent:   Tuesday, August 07, 2001 4:36 PM
        To:     Multiple recipients of list ORACLE-L
        Subject:        RE: Code Red

        Patrice,
                I have a friend downstairs who said I should use F-Prot to get rid of this rogue web page, I am going to download it now.  I am interested in this TDS-3 program, can I get that at downloads.com or is it somewhere else?
        KK

        -----Original Message-----
        Patrice J
        Sent: Tuesday, August 07, 2001 3:06 PM
        To: Multiple recipients of list ORACLE-L


        Update your virus checking software.  Patch your software and your OS as far as you can.  Re. NT use PatchWork as well ( http://grc.com/pw/patchwork.htm ), it catches things the Microsoft Windows Update seems to overlook.

        You may want to get a trojan detector like TDS-3 to catch trojans like CodeRed II.  There are many trojan detectors posted on the 'net.  Beware of free ones.  Stay clear of anything on servers in countries that do not recognize copyright laws, or who might be actively financing hackers!  Sounds obvious but sometimes people don't think about this when they are following links on the Web.  Look at where a link leads (bottom status bar if using IE) before you click.

        You also need something that is current.  Anything that hasn't been updated in the last year is probably useless.

        It seems to me that now we need:

        A virus / worm checker
        A trojan horse detector
        A firewall.

        Only one component missing, and you could be in trouble.

        The trouble with Code Red was that it went through port 80, which is left open by firewalls because that is the port used for HTTP pages (WWW).  Closing that would mean no one could access Web pages.  So firewalls won't help you re. things like that.  You can now go through any ports that are left open, and there is software out there to detect ports that were left open.

        Life is getting complicated!

        For trojan detection I like TDS-3 because with some plug-ins, you can send a message right back to the people who are probing your system using a trojan.  TDS-3 also scans all the processes running in memory, and it comes with interesting process descriptions for some of those obscure NT services.  This is from first glance, I am running the shareware version at home.  I have a month to make up my mind and pay up...

        For home, ZoneAlarm (firewall) is free.  I like it because it tells you when programs are trying to access your machine via ports going in, or out.  So if a program on your machine wants to access the 'net, you can see which program is trying to do that and you can decide whether to let it do that or not.  Sometimes it's hard to decide, though, e.g. distributed COM - should I let that thing send info out of my computer to the 'net?  It's a built-in component of Windows, but I don't know.  (btw the author says he programs only in assembly language)

        Re. virus checking, F-Prot has a shareware version, that's free as long as you don't mind re-installing it now and again.  I am probably going to buy it eventually.  I don't know how to compare the effectiveness of these, though.  Some are more popular out there but to my mind it doesn't mean that they are ideal, esp. when marketing and mass advertising through the media is involved.  I haven't seen any honest reviews of virus checking software, I don't know where to look.

        I set up ZoneAlarm and TDS-3 on my machine at home and was surprised to see what is going on.  With ZoneAlarm you can get the owner for a particular IP range, so you can see who is trying to ping or intrude on your machine.  A colleague here says he is on cable modem, and that is even worse than DSL in terms of hacking activity, he showed me a log where he was a target every ten minutes on average for a prolonged period of time.  He uses BlackIce Defender.  Korean and university servers are the most common that I see in use as launchpads.  It doesn't mean that's where the probes and the attacks are coming from though.  T1, Cable and DSL users are most at risk, but dial-up clients are vulnerable as well as long as they remain connected.  I sent e-mails to some ISPs to complain, but they don't appear to care what people are doing with their net connections, it seems they just want to sell memberships.  In many cases they want you to prove that damage was done, someone trying to invade your machine is not illegal.  The irony is that if someone ever succeeded, I probably wouldn't have the information I would need to lodge a formal complaint.  I gave up trying to get ISPs to clamp down, better to prevent these attempts from succeeding than to try to stop the behaviour.

        It's easy to become paranoid...

        Regards,
        Patrice Boivin
        Systems Analyst (Oracle Certified DBA)

        Systems Admin & Operations | Admin. et Exploit. des systèmes
        Technology Services        | Services technologiques
        Informatics Branch         | Direction de l'informatique
        Maritimes Region, DFO      | Région des Maritimes, MPO

        E-Mail: boivinp_at_mar.dfo-mpo.gc.ca


                -----Original Message-----
                From:   Kevin Kostyszyn [SMTP:kevin_at_dulcian.com]
                Sent:   Tuesday, August 07, 2001 2:27 PM
                To:     Multiple recipients of list ORACLE-L
                Subject:        RE: Code Red

                Yeah, that's what I read.  I had applied the patch and I don't have Code Red or Code Red II, however it appears that I have something else.  It doesn't seem to have worked but it looks like someone tried to deface our website.  It's just a message that says "f--k the us government and f--k poisonbox", not sure what to do with it yet.
                KK

                -----Original Message-----
                Brian
                Sent: Tuesday, August 07, 2001 12:56 PM
                To: Multiple recipients of list ORACLE-L


                The worm is just memory resident, so a reboot should get rid of it, BUT without the patch, you'll get it right back.

                The problem for the new version is it deposits a trojan backdoor on your server.  McAfee dat 4152 is supposed to find the trojan, I'm sure other virus scanners are releasing versions also.  Check with your anti-virus site.


> -----Original Message-----
> From: Kevin Kostyszyn [mailto:kevin_at_dulcian.com]
> Sent: Tuesday, August 07, 2001 11:56 AM
> To: Multiple recipients of list ORACLE-L
> Subject: Code Red
>
>
> So does anyone know how to get rid of the virus if you got it?
>
> Sincerely,
> Kevin Kostyszyn
> DBA
> Dulcian, Inc
> www.dulcian.com
> kevin_at_dulcian.com
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Kevin Kostyszyn
> INET: kevin_at_dulcian.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
                --
                Author: Anderson, Brian
                  INET: andersob_at_mail.dartnet.peachnet.edu


Received on Tue Aug 07 2001 - 13:47:03 CDT
