Re: The Hunt for RingZero (port 3128 scanning worm/trojan)

From: Andrew Gillham <gillhaa@dont-contact.us>
Date: Thu, 18 Nov 1999 14:45:40 -0500 (EST)

Andrew Daviel writes:
> The SANS institute has been accepting reports of scanning activity on port
> 3128. It seems this is caused by a fairly sophisticated network virus.
>
> On our lightly-loaded Squid (we don't enforce its use), recently about
> 30% of all access was denied (i.e. from offsite). No-one has asked
> to subscribe to our cache, so it looks like this activity might
> all be attributed to RingZero or other scanning activity.
>
> One possibility, I suppose, is to move from 3128 to another port...
>
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376
> http://andrew.triumf.ca/andrew

IMHO it would be much wiser to block access to 3128 at your firewall
or blocking router. Unless you want to log the denies via squid, there
is no need to overload a cache with this type of traffic. Also, you
eliminate the potential exposure of launching the cache with incorrect
ACLs.

-Andrew

-- 
-----------------------------------------------------------------
Andrew Gillham                            | This space left blank
gillham@whirlpool.com                     | inadvertently.
I speak for myself, not for my employer.  | Contact the publisher.
Received on Thu Nov 18 1999 - 12:57:30 MST
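The measurement Andrew Daviel describes (share of denied, off-site requests in the cache log) and the exposure Andrew Gillham warns about (a cache launched with ACLs that serve off-site clients) can both be checked from the Squid access log. The script below is an added example, not code from this thread or from the Squid project: it parses Squid native access.log lines, tags each client as on-site or off-site against an assumed local prefix (192.0.2.0/24), reports the denied share and the noisiest off-site sources, and lists any off-site client that was served rather than denied. The log lines are constructed for the example.

```python
"""Measure off-site scanning load on a Squid cache and flag ACL leaks.

Added example, not from the original thread. Parses Squid native
access.log lines (time elapsed client code/status bytes method URL
ident hierarchy type), counts denied requests and off-site clients,
and reports off-site clients that received a non-denied response,
which indicates the cache ACLs are not restricting access as intended.
"""
import ipaddress
from collections import Counter

# Assumption for the example: the site's own address space.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log: three on-site hits, three denied off-site
# probes, and one off-site client that was served (an ACL leak).
SAMPLE_LOG = """\
942945940.123    5 192.0.2.17 TCP_HIT/200 4512 GET http://www.squid-cache.org/ - NONE/- text/html
942945941.456   12 192.0.2.23 TCP_MISS/200 9031 GET http://www.sans.org/ - DIRECT/www.sans.org text/html
942945942.001    0 203.0.113.45 TCP_DENIED/403 1187 GET http://www.example.com/ - NONE/- text/html
942945942.517    0 198.51.100.9 TCP_DENIED/403 1187 GET http://www.example.net/ - NONE/- text/html
942945943.210    0 203.0.113.45 TCP_DENIED/403 1187 GET http://www.example.org/ - NONE/- text/html
942945944.800   34 192.0.2.41 TCP_MISS/200 22019 GET http://andrew.triumf.ca/andrew - DIRECT/andrew.triumf.ca text/html
942945945.100  210 198.51.100.77 TCP_MISS/200 3304 GET http://www.example.com/ - DIRECT/www.example.com text/html
"""


def parse_line(line):
    """Split one native-format access.log line into the fields we need."""
    fields = line.split()
    code, status = fields[3].split("/", 1)
    return {
        "client": ipaddress.ip_address(fields[2]),
        "code": code,            # e.g. TCP_DENIED, TCP_HIT, TCP_MISS
        "status": int(status),   # HTTP status returned to the client
        "url": fields[6],
    }


def is_local(addr):
    """True when the client address falls inside one of LOCAL_NETS."""
    return any(addr in net for net in LOCAL_NETS)


def summarize(log_text):
    """Return counts, denied share, top off-site clients and ACL leaks."""
    total = denied = offsite = 0
    offsite_clients = Counter()
    leaks = []  # off-site clients that were served instead of denied
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        total += 1
        if rec["code"] == "TCP_DENIED":
            denied += 1
        if not is_local(rec["client"]):
            offsite += 1
            offsite_clients[str(rec["client"])] += 1
            if rec["code"] != "TCP_DENIED":
                leaks.append(str(rec["client"]))
    return {
        "total": total,
        "denied": denied,
        "offsite": offsite,
        "denied_pct": round(100.0 * denied / total, 1) if total else 0.0,
        "top_offsite": offsite_clients.most_common(3),
        "leaks": leaks,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['denied_pct']}% of {report['total']} requests denied; "
          f"{report['offsite']} from off-site")
    print("noisiest off-site clients:", report["top_offsite"])
    if report["leaks"]:
        print("WARNING: off-site clients served (check http_access ACLs):",
              report["leaks"])
```

On a real cache, feed `/usr/local/squid/logs/access.log` (or wherever `cache_access_log` points) to `summarize` instead of `SAMPLE_LOG` and set `LOCAL_NETS` to the site's prefixes. A non-empty `leaks` list is the condition to fix before relying on Squid's own denies at all; filtering 3128 at the border router, as suggested above, removes the load and the exposure together.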
