Hello ALL !

Cyber Source peter at thecybersource.com
Tue Jan 30 19:05:15 EST 2001


A good backup wouldn't hurt either. With the cost of large hard drives
today, it's easy to have a hard drive simply to mirror to for backup
reasons.

-----Original Message-----
From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf Of Chris Brown
Sent: Tuesday, January 30, 2001 2:56 PM
To: nflug at nflug.org
Subject: Re: Hello ALL !

First let's clear up some definitions, as it will help with how to handle
your situation (these are my own definitions):

Worm - undiscriminating self-replicating program that does not require the
action of individuals to facilitate its replication.

Virus - a program that replicates itself based on the use of or actions done
on a computer by its intended operator, but without their knowledge.

Trojan - a program that purports to do one thing that is generally useful
(which it may actually do) whose actual purpose is to do something else,
unknown to the operator, that is usually harmful.

Attack - a conscious effort by an individual or group to degrade the
availability, confidentiality, or integrity of a _targeted_, preselected set
of system(s).

[Note: some people consider worms special viruses, others consider worms
and viruses the same thing.  I consider those practices confusing.]


First, you are most likely not being subjected to an attack.  By your
self-assessment, you are a victim of a worm (which is probably actually a virus,
and not a worm).  Good antivirus software will help, but by itself is an
incomplete answer.  Antivirus signatures need to be updated regularly
(weekly/bi-weekly) to provide any real assurance.  Firewalls help, but
only if it is good software and configured properly. Firewalls are like
locks; they do no good if you install them and leave your front door open.
They also do no good if you indiscriminately open the door to let strangers
in.

[Disclaimer: The firewall/lock analogy is actually a poor one for anyone at
anything other than a beginner level.]

Here's what to avoid:

1.  Don't use ICQ, AIM, IRC, or any of the other chat systems.  Most are
inherently flawed from a security standpoint and/or not coded with security
in mind.  It is also an easy way to track down your IP address.

2.  Don't use Napster; it gives away your IP address and your connection
speed, among other things.

3.  Turn off MS Windows printer and file sharing.  Period.

4.  Don't use Microsoft email clients unless you are prepared to check for
security patches regularly.  Don't use an email client that can render HTML
(or turn off that capability).

5.  Don't open email attachments unless you can absolutely trust the
sender.  Never, ever open .exe, .vbs, .js, .dll, .bat, or .cmd files.
Period.

6.  Don't run server software (e.g., a web server or FTP server).

7.  If you don't know how to configure your firewall, chances are it's making
you feel good and that's about it.  I'm not familiar with NetScan 4.12.  It
may come decently configured out of the box.  Then again it may not.  If you
don't know enough to check that it does the right thing, pretend it is not
offering any protection at all; don't be lulled into a sense of security.

8.  Don't use the compromised system to ask for help on getting your system
back.  You just told the attackers (if there in fact are any) that you know
they are there.  This is bad.  Very bad.  They now have to cover their
tracks.  They may trash your system to do it.


Now that you have some tips on what not to do in the future, here's how
to clean up:

1. Get the latest signature file for your antivirus software and install it.
The variation among products for virus scanning is minimal.  Keeping the
signature file up to date is the important part.

2. Disconnect from the net.

3. Run a full virus scan of your PC

4. Uninstall the chat programs, napster, and anything else that can operate
in a peer-to-peer mode.

5. And the hard part:  Determine if you need to reinstall your system from
scratch.  This probably isn't a necessary step, but it also isn't something
anyone can tell you based on the information you provided so far.

I've never heard of S7S, so I can't help you there.


Best of Luck!

Chris

--
Christopher Brown, CISSP
Corporate Security Advisor
Information Services
Computer Task Group (CTG)
chris.brown at ctg.com

>>> barefalls at juno.com 01/30/01 12:36PM >>>
I am new to the computing scene but have absorbed an incredible amount of
data in the last 6 months. Prior to that my last exposure to a computer
was an Apple in High School 20 yrs ago. I graduated in 1980 and fought
with card feeders at UB and lost interest. I joined this Linux group in
an effort to meet enthusiastic, knowledgeable individuals to share ideas,
problems and solutions, which brings me to the crux of the cookie. I have
recently noticed strange goings on within my system and began
investigating 4 weeks ago. This is obviously an online situation. In
short, I am under attack and need help!!!! This has gotten so bad to the
point where I recently had to thwart the Hybris.gen worm. My firewall
appears to be intact and functioning but the worm came in the mail and
Norton didn't flag it. I am now using NetScan 4.12 in an effort to
determine the intrusion sources. My ICQ was compromised and therefore
uninstalled but there's much, much, MUCH more. Does anyone know of S7S?
Can anyone offer me some assistance? From the little boy with his FINGER
in the dyke, Gregory D. Hough