
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: dealing with w32/bagle

  • From: Brent_OKeeffe
  • Date: Wed Mar 03 16:15:37 2004


We created bogus DNS entries for the following entries, known to be targeted by the worm:
www.sportscheck.de
www.songtext.net
www.songtext.de
www.maiklibis.de
www.gfotxt.net
postertog.de
permail.uni-muenster.de

The entries directed traffic to an interface on a router that can handle the traffic.  Currently, we have a logging ACL that drops port 80 to the bogus IP.  We might connect a sniffer with that IP address at some point with triggers loaded to notify when systems attempt to access the address.  So far this has helped.

Any other suggestions are welcome.

Brent


Dan Hollis <goemon@anime.net>
Sent by: owner-nanog@merit.edu
03/03/2004 03:24 PM

To: "'nanog@merit.edu'" <nanog@merit.edu>
Subject: dealing with w32/bagle


I am curious how network operators are dealing with the latest w32/bagle
variants which seem particularly evil.

Also, does anyone have tools for regexp and purging these mails from unix
mailbox (not maildir) mailspool files? E.g., purging these mails after the
fact if they were delivered to users' mailboxes before your virus scanner
got a database update.

-Dan
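
The sinkhole described in the reply above (bogus DNS entries pointing at a router interface, with a logging ACL dropping port 80) produces a list of probably infected hosts if the ACL log is summarized per source address. The following is an added example, not part of either message: it assumes the router emits Cisco IOS-style `IPACCESSLOGP` syslog lines, and the sinkhole address, ACL names and log lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Assumption: Cisco IOS-style ACL log lines; adjust the pattern for other platforms.
ACL_HIT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s.*%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"denied tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

SINKHOLE_IP = "192.0.2.80"  # placeholder for the bogus IP (RFC 5737 range)
SINKHOLE_PORT = 80          # the logging ACL drops port 80 to the bogus IP

# Constructed sample log lines (not from the original thread).
SAMPLE_LOG = """\
Mar  3 15:01:12 rtr1 101: %SEC-6-IPACCESSLOGP: list SINKHOLE denied tcp 10.1.4.22(1045) -> 192.0.2.80(80), 1 packet
Mar  3 15:01:40 rtr1 102: %SEC-6-IPACCESSLOGP: list SINKHOLE denied tcp 10.1.9.7(1302) -> 192.0.2.80(80), 1 packet
Mar  3 15:06:12 rtr1 103: %SEC-6-IPACCESSLOGP: list SINKHOLE denied tcp 10.1.4.22(1045) -> 192.0.2.80(80), 14 packets
Mar  3 15:07:03 rtr1 104: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.9(4431) -> 10.1.2.2(135), 1 packet
Mar  3 15:09:55 rtr1 105: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""

def suspected_hosts(log_text, sinkhole_ip=SINKHOLE_IP, port=SINKHOLE_PORT):
    """Return [(src_ip, packets, first_seen, last_seen)], busiest source first."""
    hosts = defaultdict(lambda: {"pkts": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = ACL_HIT.match(line)
        if not m:
            continue  # not an ACL hit (e.g. interface state messages)
        if m["dst"] != sinkhole_ip or int(m["dport"]) != port:
            continue  # denied by some other rule, unrelated to the sinkhole
        h = hosts[m["src"]]
        h["pkts"] += int(m["pkts"])        # follow-up lines carry packet counts
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    rows = [(ip, h["pkts"], h["first"], h["last"]) for ip, h in hosts.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for ip, pkts, first, last in suspected_hosts(SAMPLE_LOG):
        print(f"{ip:15} {pkts:4} packets  first={first}  last={last}")
```

IOS rate-limits ACL logging and batches repeat hits into periodic summary lines, so the packet totals are a lower bound on what each host actually sent.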





