Thanks Chris....
barefalls at juno.com
Wed Jan 31 10:38:29 EST 2001
....Please allow me to clarify. My firewall is Zone Lab Pro; NetScan is a toolbox for many on-line queries. S7S (SubSeven server) is a back door with IRC capabilities; it can be written into the WIN.INI file to run at boot. It notifies the perpetrator via e-mail or ICQ when the host is on-line. In essence this is the ROOT of my problem. I have the latest AV definitions and a full backup disk set. The "worm" never had a chance to execute in my computer. I have located the source and notified the unwary e-mailer (a NetScan goody, MX lookup). I appreciate your timely response and still hope for further assistance.....
On Tue, 30 Jan 2001 14:56:20 -0500 "Chris Brown" <chris.brown at ctg.com> writes:
> First let's clear up some definitions, as it will help with how to handle your situation (these are my own definitions):
>
> Worm - undiscriminating self-replicating program that does not require the action of individuals to facilitate their replication
>
> Virus - a program that replicates itself based on the use of or actions done on a computer by its intended operator, but without their knowledge.
>
> Trojan - A program that purports to do one thing that is generally useful (which it may actually do) whose actual purpose is to do something else, unknown to the operator, that is usually harmful
>
> Attack - a conscious effort by an individual or group to degrade the availability, confidentiality, or integrity of a _targeted_, preselected set of system(s)
>
> [Note: some people consider worms special viruses, others consider worms and viruses the same thing. I consider those practices confusing.]
>
>
> First, you are most likely not being subjected to an attack. By your self assessment, you are a victim of a worm (which is probably actually a virus, and not a worm). Good antivirus software will help, but by itself is an incomplete answer. Antivirus signatures need to be updated regularly (weekly/bi-weekly) to provide any real assurance. Firewalls help, but only if it is good software and configured properly. Firewalls are like locks; they do no good if you install them and leave your front door open. They also do no good if you indiscriminately open the door to let strangers in.
>
> [Disclaimer: The firewall/lock analogy is actually a poor one for anyone at anything other than a beginner level.]
>
> Here's what to avoid:
>
> 1. Don't use ICQ, AIM, IRC, or any of the other chat systems. Most are inherently flawed from a security standpoint and/or not coded with security in mind. It is also an easy way to track down your IP address.
>
> 2. Don't use Napster; it gives away your IP address and your connection speed among other things.
>
> 3. Turn off MS Windows printer and file sharing. Period.
>
> 4. Don't use Microsoft email clients unless you are prepared to check for security patches regularly. Don't use an email client that can render HTML (or turn off that capability).
>
> 5. Don't open email attachments unless you can absolutely trust the sender. Never, ever open .exe, .vbs, .js, .dll, .bat, or .cmd files. Period.
>
> 6. Don't run server software (e.g., a web server or ftp server).
>
> 7. If you don't know how to configure your firewall, chances are it's making you feel good and that's about it. I'm not familiar with NetScan 4.12. It may come decently configured out of the box. Then again it may not. If you don't know enough to check that it does the right thing, pretend it is not offering any protection at all; don't be lulled into a sense of security.
>
> 8. Don't use the compromised system to ask for help on getting your system back. You just told the attackers (if there are in fact any) that you know they are there. This is bad. Very bad. They now have to cover their tracks. They may trash your system to do it.
>
>
> Now that you have some tips on what not to do in the future, here's how to clean up:
>
> 1. Get the latest signature file for your antivirus software and install it. The variation among products for virus scanning is minimal. Keeping the signature file up to date is the important part.
>
> 2. Disconnect from the net.
>
> 3. Run a full virus scan of your PC.
>
> 4. Uninstall the chat programs, Napster, and anything else that can operate in a peer-to-peer mode.
>
> 5. And the hard part: Determine if you need to reinstall your system from scratch. This probably isn't a necessary step, but it also isn't something anyone can tell you based on the information you provided so far.
>
> I've never heard of S7S, so I can't help you there.
>
>
> Best of Luck!
>
> Chris
>
> --
> Christopher Brown, CISSP
> Corporate Security Advisor
> Information Services
> Computer Task Group (CTG)
> chris.brown at ctg.com
>
> >>> barefalls at juno.com 01/30/01 12:36PM >>>
> I am new to the computing scene but have absorbed an incredible amount of data in the last 6 months. Prior to that my last exposure to a computer was an Apple in High School 20 yrs ago. I graduated in 1980 and fought with card feeders at UB and lost interest. I joined this Linux group in an effort to meet enthusiastic, knowledgeable individuals to share ideas, problems and solutions; which brings me to the crux of the cookie. I have recently noticed strange goings on within my system and began investigating 4 weeks ago. This is obviously an online situation. In short, I am under attack and need help!!!! This has gotten so bad to the point where I recently had to thwart the Hybris.gen worm. My firewall appears to be intact and functioning but the worm came in the mail and Norton didn't flag it. I am now using NetScan 4.12 in an effort to determine the intrusion sources. My ICQ was compromised and therefore uninstalled but there's much, much, MUCH more. Does anyone know of S7S? Can anyone offer me some assistance? From the little boy with his FINGER in the dyke, Gregory D. Hough
>
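The WIN.INI boot persistence mentioned at the top of this thread (a program written into win.ini so it runs at boot) is something a defender can check for directly: a stock win.ini has the [windows] section's load= and run= keys empty. The script below is an added example, not code from either poster; it parses a constructed sample win.ini (file names made up) and lists whatever those two keys would start.

```python
import re

# Constructed sample win.ini for the demo; the program paths are made up.
SAMPLE_WIN_INI = """\
; constructed sample, not copied from a real system
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\suspect1.exe c:\\temp\\suspect2.exe

[Desktop]
Wallpaper=(None)
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
AUTOSTART_RE = re.compile(r"^(load|run)\s*=(.*)$", re.IGNORECASE)


def autostart_entries(ini_text: str) -> list[tuple[str, str]]:
    """Return (key, program) pairs for every program the [windows] section's
    legacy load= or run= line would launch at boot. A clean win.ini has both
    keys empty; other sections cannot autostart programs this way."""
    entries = []
    in_windows = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        section = SECTION_RE.match(line)
        if section:
            in_windows = section.group(1).strip().lower() == "windows"
            continue
        if not in_windows:
            continue
        match = AUTOSTART_RE.match(line)
        if not match:
            continue
        # Windows accepts several programs separated by spaces or commas;
        # short 8.3-style paths are assumed, paths with spaces are not handled.
        for program in re.split(r"[,\s]+", match.group(2).strip()):
            if program:
                entries.append((match.group(1).lower(), program))
    return entries


def report(ini_text: str) -> str:
    """One line per autostart entry; empty keys are the expected clean state."""
    found = autostart_entries(ini_text)
    if not found:
        return "win.ini: load= and run= are empty (expected)"
    return "\n".join(f"win.ini: {key}= starts {program}" for key, program in found)
```

Run it against the real file (normally C:\WINDOWS\WIN.INI) by reading the file into a string and passing it to report(); any program listed is worth tracing back to an installer you recognise.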
More information about the nflug mailing list