Congratulations Steve!

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Steve Jones
Sent: Tuesday, May 09, 2017 10:56 AM
To: af@afmug.com
Subject: Re: [AFMUG] OT: firewall maintenance

Here's the initial diagnostic output

On May 9, 2017 9:52 AM, "Steve Jones" 
<thatoneguyst...@gmail.com<mailto:thatoneguyst...@gmail.com>> wrote:
There is only one infected device. The malicious code that is replicating is 
directly attached to the command and control node. I know a lot of people would 
simply CleanSweep, but we just don't feel that is an appropriate step. There 
may be an IOT baby monitor that gets swept up in all this before it's over in 
December.

On Tue, May 9, 2017 at 7:34 AM, David Milholen 
<dmilho...@wletc.com<mailto:dmilho...@wletc.com>> wrote:

As with any virus running on a network, it has a pattern, whether it is dormant on the 
network at times or not.

Identify the pattern and where it is trying to phone home to and isolate it 
from phoning home. Then Clean sweep the machines you have control of.

The worst part of any of this is that IOT devices (i.e. IP cameras, DVRs, temperature 
monitors and others) are the real threat, as they have weak basic code that is 
open to the network.

Isolation will be your best bet. This will prevent DDOS attacks on one front 
but doesn't stop new viruses from entering.



On 5/8/2017 10:34 PM, Steve Jones wrote:
An addendum to this: there are two primary variants to the payload. One tends to 
be much more aggressive, a much more roughly defined code, not all that pretty, 
but ultimately very versatile and robust. The other is normally more elegant in 
design, but it tends to be viciously malicious; this is the one to be most 
concerned about. Its underlying code has started wars and destroyed nations.

On Mon, May 8, 2017 at 9:49 PM, Steve Jones 
<thatoneguyst...@gmail.com<mailto:thatoneguyst...@gmail.com>> wrote:
So this weekend I discovered a Trojan virus on my network. Sometime around 
January we had opted to remove an old firewall that had met its product life 
cycle's end. We were still in the process of deciding whether to continue with 
temporary firewalls or look toward more robust input/output chain policies for 
a hardened, more permanent solution. In the meantime, of course, we continued 
to do the upload/download thing. We had some suspicion that there was something 
going on; we noted a lot of broadcast storms, particularly in the mornings. The 
network had become particularly sluggish and there seemed to be a lot of 
application bloat. Initially I just attributed this to poor code maintenance 
resulting in a memory leak.
We did a basic Netstat this weekend and discovered a traffic anomaly. So we 
went to a professional and had them run a packet sniffer. We had verification 
of foreign code, likely for as long as 6-8 weeks.
It will be layer 3 in this case, but it's too early to tell whether this code's 
payload will be TCP or UDP; we will be monitoring as the code replicates. This 
is a pretty common virus; as a matter of fact we have all had it at one point, 
probably so long ago we don't even remember. We anticipate the fully formed 
packet chain to leave NAT mode and be fully routed out to the WAN in December.

