> There's been some discussion at the link below. One
> person says he's been aware of this for a number of
> weeks, and that weak passwords may be playing a part.
>
> http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=12009443&m=6340983235

If it is simply an attack against machines with weak and/or nonexistent passwords on administrative accounts, frankly I'm not surprised in the least.

We all know of large networks who were very lenient regarding the access to the standard web ports. The likes of CodeRed, Nimda, and their spawn have changed things quite a bit. It took incidents of such a magnitude to get things cleaned up.

I certainly can't speak for all providers, but for every provider that I know of that does block in/outbound netbios traffic, I can name 2 that don't. I understand that blocking said traffic can have a negative impact on productivity and whathaveyou, but I also have a pretty good understanding of what risk *not* blocking this traffic poses. I know I'm probably just restating the obvious...

It will be interesting to see what the real cause of these incidents boils down to. If it is indeed an attack against weak passwords, this is obviously nothing new and the same attack could trivially be mounted against weak administrative passwords on UNIX boxen via ssh, telnet, or your program of choice. On the other hand, if the cause is some yet-to-be-disclosed bug, the problem could go any number of directions.

My $.03.

Cheers and good luck,

-jon

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 08:22:42 PDT