Monday, September 8, 2003

Things I learned today while fighting the MSBlaster worm...

(1) what looks like the usual flakiness of Charter cable modem
service can actually be caused by MSBlaster.

(1.5) It is hard to diagnose anything over Charter these days
because they have disabled all ICMP (i.e. ping/traceroute)
messages in a vain attempt to fight viruses. Earthlink
happily does not block ICMP so you can dial out to Mindspring
to ping Charter boxes.

(2) I found that one of my Win2K systems was infected by seeing
"msblast.exe" in the Task Manager display.

(3) searching Yahoo I found a good page about the blaster worm
which told me how to fix it and had a link to the patch
to prevent getting it in the future.

(4) while I am normally immune to these problems because of
my firewall, it didn't take long for the worm to find and
infect me while I was dialed into Mindspring/Earthlink,
which puts my computer directly on the Internet (only the
cable modem goes through the router/firewall [Netgear RP614]).

(4.5) I see that when I dial directly to the net via Earthlink,
I am constantly SMURF attacked, which doesn't happen when I am
behind the firewall connecting via the cable modem.

(4.6) Even though the Netgear router lets you set up a static
IP address and still set it to "ask for DNS server addresses",
it doesn't work (at least with Charter), which makes sense:
DHCP, which gives you a dynamic IP address, also gives
you the DNS addresses, and if you don't ask for one, you won't
get the other either.

(5) searching my Linux box's various logs to see what all that
network activity was about, I saw in the Apache logs (which
I never look at) that there were lots of failed requests
via the web for "default.ida" which is the symptom of other boxes
with the Code Red virus trying to attack me. Good little
discussion of it here.
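As an added example (not part of the original post), here is the kind of one-liner-turned-script I would run over the Apache access log to pull the Code Red probes out and see which hosts are sending them. The log lines are constructed, use documentation address ranges rather than real hosts, and the /var/log/httpd/access_log path is only an assumption about where the log lives; Code Red's request line is "GET /default.ida?NNNN..." (Code Red II uses "XXXX...") followed by the exploit payload, and Apache, not being IIS, just answers 404.

```shell
#!/bin/sh
# Added example, not code from the original post: find Code Red probes
# (requests for /default.ida) in an Apache access log and summarise who
# sent them.  Every hit is a failed exploit attempt from an infected host,
# which makes the log a cheap way to spot infected machines nearby.

# Write constructed sample lines in Apache common log format to $1.
# Stands in for /var/log/httpd/access_log (assumed path); IPs are from
# RFC 5737 documentation ranges, not real hosts.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [08/Sep/2003:10:12:01 -0400] "GET /index.html HTTP/1.1" 200 1423
198.51.100.7 - - [08/Sep/2003:10:13:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278
198.51.100.7 - - [08/Sep/2003:10:13:45 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278
203.0.113.42 - - [08/Sep/2003:11:02:17 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278
192.0.2.10 - - [08/Sep/2003:11:05:00 -0400] "GET /robots.txt HTTP/1.1" 200 68
EOF
}

# Print "<count> <client-ip>" for each client that requested /default.ida,
# busiest source first.  Field 7 of a common-log line is the request path,
# so only the request itself is matched, not a referer or user-agent that
# happens to contain the string.
codered_sources() {
    awk 'substr($7, 1, 12) == "/default.ida" { hits[$1]++ }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# Total number of probes, for a one-line daily summary.
codered_total() {
    awk 'substr($7, 1, 12) == "/default.ida" { n++ } END { print n + 0 }' "$1"
}

LOG="${TMPDIR:-/tmp}/codered-sample.$$"
write_sample_log "$LOG"
echo "Code Red probes by source:"
codered_sources "$LOG"
echo "total probes: $(codered_total "$LOG")"
```

Point it at the real access log instead of the sample and the output is a ranked list of infected hosts; the ones in your own address range are the ones worth chasing down, since a box spraying default.ida at you is also a candidate for everything else going around.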

(6) Just because you see Norton AntiVirus running its auto-
update feature every day or so to update its virus definitions,
that doesn't mean it is scanning for viruses too. That is
scheduled separately (and it hadn't scanned my system since
the last time I did it manually, about 8 months ago).
