zotob ftw!

junkerman123

Golden Member
Jul 4, 2003
the zotob virus is hooking up my work computer at the moment. pimp.

anyone else havin fun with this?
 

Kenazo

Lifer
Sep 15, 2000
So I haven't heard too much about this yet... How do I keep it off the 2000 and XP machines here @ work? Just make sure they're up to date?
 

purbeast0

No Lifer
Sep 13, 2001
owned owned owned owned ...

that word has to be in every fvcking sentence i read on the internet or hear on xbox live.
 

hypn0tik

Diamond Member
Jul 5, 2005
Yeah, our entire NAFTA network got owned. It was down for about 2 hours yesterday.

Edit: Actually, it was closer to 3 hours.
 

junkerman123

Golden Member
Jul 4, 2003
Originally posted by: Kenazo
So I haven't heard too much about this yet... How do I keep it off the 2000 and XP machines here @ work? Just make sure they're up to date?

install the new windows patch

Originally posted by: purbeast0
owned owned owned owned ...

that word has to be in every fvcking sentence i read on the internet or hear on xbox live.
shut up.

owned newb.
 

purbeast0

No Lifer
Sep 13, 2001
Originally posted by: junkerman123
Originally posted by: Kenazo
So I haven't heard too much about this yet... How do I keep it off the 2000 and XP machines here @ work? Just make sure they're up to date?

install the new windows patch

Originally posted by: purbeast0
owned owned owned owned ...

that word has to be in every fvcking sentence i read on the internet or hear on xbox live.
shut up.

owned newb.

apparently someone doesn't know the definition of the word owned ...
 

Rogue

Banned
Jan 28, 2000
HAHA! This is why us firewall and IDS guys don't sleep that much. This also proves my long-held theory that most organizations out there are far from being secure from the evils of the internet. This thread should be posted to the "find a job here" thread because there should be a lot of people fired at these major organizations for this. The primary means of infection is through TCP port 445, which should rarely, if ever, be open out over the internet.
 

Rogue

Banned
Jan 28, 2000
Zotob/Plug and Play Worm Mitigation
-----------------------------------

Deny the following network ports at the firewall/border router:

INBOUND TCP 445 (Windows RPC, this may break several Windows based applications, sessions, etc.)

OUTBOUND UDP 69 (TFTP)
OUTBOUND TCP 1117 (IRC)
OUTBOUND TCP 1171 (IRC)
OUTBOUND TCP 4095 (IRC)
OUTBOUND TCP 5232 (IRC)
OUTBOUND TCP 6667 (IRC)
OUTBOUND TCP 8080 (IRC)
OUTBOUND TCP 8594 (IRC)
OUTBOUND TCP 18067 (IRC)
OUTBOUND TCP 30722 (IRC)
OUTBOUND TCP 33333 (IRC)

Deny the following IP addresses/URLs from connecting INBOUND or OUTBOUND:


At a minimum, make the following entries in your hosts file to prevent your machine from being pwned using IRC:

127.0.0.1 ypgw.wallloan.com
127.0.0.1 spookestreet.afraid.org
127.0.0.1 spookystreet.udp-flood.com
127.0.0.1 sppokystreet.m00p.org
127.0.0.1 spookystreet.afraid.org
127.0.0.1 www.mailinator.com
127.0.0.1 tinyurl.com
127.0.0.1 nasa.darksin.net
127.0.0.1 nasahelp.darksin.net
127.0.0.1 xaeti.m00p.org
127.0.0.1 db23a.hack-syndicate.org
127.0.0.1 esxt.is-a-i love you.net
127.0.0.1 esxt.legi0n.net
127.0.0.1 www.rit.edu
127.0.0.1 wait.atillaekici.net
127.0.0.1 diabl0.turkcoders.net
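
The border rules in the post above can also be run over existing firewall logs to find internal machines whose traffic already matches them. This is an added example, not code from the thread; the seven-field log format, the RFC 1918 internal ranges, the sample lines and the names `classify` and `review` are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports copied from the deny list in the post above.
INBOUND_TCP = {445}
OUTBOUND_UDP = {69}
OUTBOUND_TCP = {1117, 1171, 4095, 5232, 6667, 8080, 8594, 18067, 30722, 33333}
# Assumption: the site's internal address space is RFC 1918.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

def classify(proto, src, dst, dport):
    """Name the deny rule a border-crossing flow matches, or None."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if not src_in and dst_in and proto == "TCP" and dport in INBOUND_TCP:
        return "inbound-445"
    if src_in and not dst_in:
        if proto == "UDP" and dport in OUTBOUND_UDP:
            return "outbound-tftp"
        if proto == "TCP" and dport in OUTBOUND_TCP:
            return "outbound-irc-port"
    return None

def review(log_lines):
    """Map each internal host to the rules its traffic matched."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        _ts, action, proto, src, _sport, dst, dport = fields
        try:
            rule = classify(proto.upper(), src, dst, int(dport))
        except ValueError:
            continue  # unparseable address or port
        if rule:
            host = dst if rule == "inbound-445" else src
            hits[host].add(f"{rule}:{action.upper()}")
    return {h: sorted(r) for h, r in hits.items()}

# Constructed sample log: time action proto src sport dst dport
SAMPLE = """\
12:00:01 ALLOW TCP 203.0.113.7 40112 10.1.2.15 445
12:00:09 ALLOW UDP 10.1.2.15 1034 203.0.113.7 69
12:00:14 DENY TCP 10.1.2.15 1040 198.51.100.20 8080
12:02:00 ALLOW TCP 10.1.2.15 1050 10.1.2.30 445
""".splitlines()
```

Outbound TCP 8080 also carries ordinary HTTP proxy traffic, so a hit on that port alone is a lead to check rather than a verdict. Internal-to-internal 445 is ignored here because the rules in the post are border rules.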
 

Jzero

Lifer
Oct 10, 1999
Anyone here using SUS and NOT seeing 899588 listed as an available patch? Anyone can tell me WHY??