On Wed 17/03/2004 at 10:37, nicolas boussekeyt wrote:
> Hi, I want to filter my firewall for raleka worm.
> Actually, I have used:
> iptables -A FORWARD -p tcp -i $EXTIF --dport 135 -j DROP
> iptables -A FORWARD -p tcp -i $EXTIF --dport 135 -j LOG
[...]
> But the worm is back.

Do you mean that FORWARD policy is set to ACCEPT and only those ports are blocked? If so, you have a _major_ misconfiguration, as you should block _everything_ first and then only accept what is OK for you. I am not aware of your needs of course, but I don't think you need your LAN stations:

. being accessible on TCP/135 from the Internet (needed for the worm to infect)
. being accessible on TCP/32767 from the Internet (needed for the backdoor to be accessible)

Furthermore, if the worm comes back, that means that your stations are still vulnerable. It may be time to patch...

If the rules you gave are not overridden by another, as we do not have your complete ruleset to check its consistency, this means you still have an infected host inside your LAN that on one hand continues to infect other hosts and on the other hand may have its backdoor potentially reachable from the Internet as you do not block all upper 32767 ports.

So, things to do:

. shut the Internet down
. clean and patch all your boxes (see Antony's post to both Symantec and MS advisory)
. have a full rewrite of filtering ruleset

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
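The consistency check the reply asks for can be run over an `iptables-save` dump; the script below is an added example, not part of the original thread. It flags an ACCEPT default on FORWARD, rules that can never be reached because an identical match already got a final verdict, and the two worm ports if nothing blocks them. Assumptions: the `WORM_PORTS` variable and the function names are hypothetical, `eth0`/`eth1` stand in for the external and LAN interfaces, both sample rulesets are constructed, and the port check only looks at `--dport`, not at interfaces.

```shell
# Added example: audit an iptables-save dump read from stdin.
audit_forward() {
  awk -v ports="${WORM_PORTS:-135 32767}" '
    $1 == ":FORWARD" { policy = $2; next }      # chain header, e.g. ":FORWARD ACCEPT [0:0]"
    $1 == "-A" && $2 == "FORWARD" {
      i = index($0, " -j "); if (i == 0) next
      cond = substr($0, 1, i - 1)                # match part of the rule
      split(substr($0, i + 4), t, " "); target = t[1]
      if (cond in verdict) {                     # same match already got a final verdict
        print "SHADOWED: " $0 " (earlier " verdict[cond] " wins)"; next
      }
      if (target == "DROP" || target == "REJECT" || target == "ACCEPT") verdict[cond] = target
      if (target != "ACCEPT" && (cond in verdict) && match(cond, /--dport [0-9]+/))
        blocked[substr(cond, RSTART + 8, RLENGTH - 8)] = 1
    }
    END {
      if (policy != "ACCEPT") exit
      print "POLICY: FORWARD defaults to ACCEPT"
      n = split(ports, p, " ")
      for (k = 1; k <= n; k++) if (!(p[k] in blocked)) print "EXPOSED: tcp/" p[k]
    }'
}

sample_weak() {   # constructed: the two quoted rules, ACCEPT policy assumed
  cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -p tcp -m tcp --dport 135 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 135 -j LOG
COMMIT
EOF
}

sample_fixed() {  # constructed: default deny, log what falls through
  cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j LOG
COMMIT
EOF
}

sample_weak | audit_forward
```

On a live gateway the input would be `iptables-save -t filter | audit_forward`, run as root.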