[X-Unix] Logging connect attempts

William H. Magill magill at mcgillsociety.org
Fri Feb 13 11:03:44 PST 2004


On 13 Feb, 2004, at 04:27, peter boardman wrote:
> William H. Magill <magill at mcgillsociety.org> said on 12/2/04, 4:15
> pm (-0500 GMT):
>> One last point -- your "borrowed" machine is pretty typical of
>> far too many "enterprise" based machines. It was probably not
>> "up to rev" with the latest Microsoft patches.
>
> I think what happened was that when the machine was upgraded to
> XP, the virus protection software was disabled (temporarily or
> permanently I don’t know).

Virus protection is only a small part of the problem and probably not 
applicable.

I'm talking about the fact that something like 90% of the Windows 
systems out there never get Microsoft Patches applied in a timely 
manner! Even Microsoft itself has complained about this problem. [This 
was what took down both Philadelphia and Maryland -- they believed 
their firewalls would protect them and therefore never needed to apply 
the updates!]

Also, if your initial description is correct -- that this was a worm 
and not an email virus -- then the virus protection software would 
have accomplished nothing. It would have been looking at all of the 
wrong things. [A lot of so-called "worms" are really based upon email 
activity, but REAL Worms are not. And REAL Worms do exist.]

REAL Worm exploits are made by direct connection to a particular port 
on the Windows machine and executing/exploiting some "known hole." Only 
by patching that hole, closing those ports, or (sometimes) with some 
kind of firewall protection, is that direct connection avoided.

Note that this is true also of virtually all Unix attacks. If your FTP 
daemon is bad and you allow FTP traffic on your system and through your 
firewall... duh ...

The "media" have done a wonderful job of blurring the distinctions 
between worms, email virus and the like.

A worm is just code that executes on a host, independent of the host, 
and (usually) propagates itself. How it gets there and how it 
propagates itself are usually part of its own code, but not 
necessarily. A virus on the other hand is dependent upon some agent, 
usually email, for propagation.

T.T.F.N.
William H. Magill
# Beige G3 - Rev A motherboard - 768 Meg
# Flat-panel iMac (2.1) 800MHz - Super Drive - 768 Meg
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg]- Tru64 5.1a
# XP1000 - [Alpha EV6]
magill at mcgillsociety.org
magill at acm.org
magill at mac.com