I personally delivered 5 of my 8 kids at home.  

From: Steve Jones 
Sent: Wednesday, May 10, 2017 9:09 PM
To: af@afmug.com 
Subject: Re: [AFMUG] OT: firewall maintenance

I'm pretty sure it's the mailman again, she's a pretty shady letter carrier :-)

I've grown up in an EMS family: two paramedics, two EMT-Bs, and I was an EMT-I; 
two were also firefighters.

Twice now the douchenozzle OB refused to let my paramedic sister deliver for 
CE. Note we are (were at the time) literally the most advanced EMS system in the 
US, and this hospital was the primary training facility. We figure we will tell 
the OB doc we have this, we only need her for her bloodwork and ultrasound; if 
they won't give my sis the legally required joy, we will get a dulla or however 
you spell it and pop the kid in the living room. Mother nature trumps modern 
science in this regard.


There have to be a few of you who popped yer youngins outside a hospital, 
especially the guys who are Joe Smith fans. 3 times out, I think we are the ones 
in charge.

On May 9, 2017 3:59 PM, "Lewis Bergman" <lewis.berg...@gmail.com> wrote:

  I hope you know the source of the infection... if not... awkward... Congrats!

  On Tue, May 9, 2017 at 1:41 PM Darren Shea <darr...@ecpi.com> wrote:

    Even after seeing the stick, it didn’t quite register until I re-read 
everything you’d typed in this thread - clever! Congratulations!
    From: Af [mailto:af-boun...@afmug.com] On Behalf Of Steve Jones
    Sent: Tuesday, May 09, 2017 10:56 AM
    To: af@afmug.com
    Subject: Re: [AFMUG] OT: firewall maintenance

    Here's the initial diagnostic output

    On May 9, 2017 9:52 AM, "Steve Jones" <thatoneguyst...@gmail.com> wrote:

    There is only one infected device. The malicious code that is replicating 
is directly attached to the command and control node. I know a lot of people 
would simply CleanSweep, but we just don't feel that is an appropriate step. 
There may be an IoT baby monitor that gets swept up in all this before it's over 
in December.

    On Tue, May 9, 2017 at 7:34 AM, David Milholen <dmilho...@wletc.com> wrote:

    As with any virus running on a network, it has a pattern, whether it be 
dormant on the network at times or not.

    Identify the pattern and where it is trying to phone home to and isolate it 
from phoning home. Then Clean sweep the machines you have control of.

    The worst part of any of this is that IoT devices (i.e. IP cameras, DVRs, 
temperature monitors and others) are the real threat, as they have weak basic 
code that is open to the network.

    Isolation will be your best bet. This will prevent DDoS attacks on one 
front but doesn't stop new viruses from entering.

    On 5/8/2017 10:34 PM, Steve Jones wrote:

      An addendum to this: there are two primary variants to the payload. One 
tends to be much more aggressive, a much more roughly defined code, not all 
that pretty, but ultimately very versatile and robust. The other is normally 
more elegant in design, but it tends to be viciously malicious; this is the 
one to be most concerned about. Its underlying code has started wars and 
destroyed nations.

      On Mon, May 8, 2017 at 9:49 PM, Steve Jones <thatoneguyst...@gmail.com> 
wrote:

        So this weekend I discovered a Trojan virus on my network. Sometime 
around January we had opted to remove an old firewall that had met its product 
life cycle's end. We were still in the process of deciding whether to continue 
with temporary firewalls or look toward more robust input/output chain policies 
for a hardened, more permanent solution. In the meantime, of course, we 
continued to do the upload/download thing. We had some suspicion that there was 
something going on; we noted a lot of broadcast storms, particularly in the 
mornings. The network had become particularly sluggish and there seemed to be 
a lot of application bloat. Initially I just attributed this to poor code 
maintenance resulting in a memory leak.

        We did a basic netstat this weekend and discovered a traffic anomaly. 
So we went to a professional and had them run a packet sniffer. We had 
verification of foreign code, likely for as long as 6-8 weeks.

        It will be layer 3 in this case, but it's too early to tell whether this 
code's payload will be TCP or UDP; we will be monitoring as the code replicates. 
This is a pretty common virus; as a matter of fact we have all had it at one 
point, probably so long ago we don't even remember. We anticipate the fully 
formed packet chain to leave NAT mode and be fully routed out to the WAN in 
December.
