Re: rpc dcom worm and windowsupdate

From: Jay Woody (jay_woodyat_private)
Date: Wed Aug 13 2003 - 08:22:35 PDT

    I would guess that you could do something like put an entry in your DNS
    server that points windowsupdate to 127.0.0.1.  That should make the DoS
    hit you and not them.  Other than that, I guess start rebuilding ASAP and
    use it as a time to get your users' data on servers and have one image
    that everyone uses.  That way the next time a worm hits and you don't
    patch it, you can just blast everyone with the same image and point them
    to their data.  :)
    
    The source is all over the place.
    www.trustmatta.com/downloads/msblast.exe I think is one.  Get a Unix
    box with VMware and a firewall (to prevent it from affecting the rest of
    us), download it, take a look at it, let it infect the Windows image
    and see what happens.
    
    You can also always just look at some place like this:
    
    https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
    
    
    where people much smarter than us have already done a good bit of the
    work for us.
    
    JayW
    
    >>> <Oliver.Gruskovnjakat_private> 08/13/03 04:03AM >>>
    Hey guys,
    
    Ok, our company is owned by the msblaster worm; now we would like to
    keep the DDoS attack under control.
    Our idea is that we can make one of our proxies identify itself as
    windowsupdate.com.
    
    Now my question is: is the worm looking for windowsupdate.com per
    lookup, or does it have a fixed IP in the source?
    Does someone know anything?
    Does someone have the source? :)
    
    PS:
    What are you doing against it?
    
    
    regards
    
    Gruskovnjak Oliver 
    ----------------------------------------------------------------------------------
    Bundesamt für Informatik und Telekommunikation BIT 
    Bereitstellung Netzdienste / BZBN
    Monbijoustrasse 74 
    3003 Bern 
    ----------------------------------------------------------------------------------
    Tel. +41 (0) 31 323 89 84
    Fax +41 (0) 31 325 90 30 
    ----------------------------------------------------------------------------------
    SMTP: oliver.gruskovnjakat_private 
    WEB: www.bit.admin.ch 
    ----------------------------------------------------------------------------------
    
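An added example, not code from the thread and not the worm's source, for the question raised above (does the worm find windowsupdate.com by DNS lookup, or does it carry a fixed IP?): a small Python triage script that pulls ASCII and UTF-16LE string runs out of a binary, the way `strings(1)` does, and reports any hostname and IPv4 literals it finds. The `SAMPLE` bytes are constructed here to stand in for a worm binary; they are not msblast.exe. The TLD list, the five-character minimum run length and the assumption that the literals are stored unobfuscated are all assumptions of this example.

```python
"""Static triage: does a sample name its DDoS target by hostname (so a DNS
entry pointing that name at 127.0.0.1 would sink it) or by a hard-coded
IPv4 literal (so only a router/firewall block would)?

Added example, not from the thread.  SAMPLE below is constructed and is
NOT msblast.exe; run this on a real sample only inside the isolated VM the
thread describes.
"""
import re

# Constructed stand-in for a Win32 worm binary.  Assumption: string
# literals are stored as plain ASCII or UTF-16LE (typical of an unpacked
# Win32 executable).  192.0.2.10 is an RFC 5737 documentation address.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"windowsupdate.com\x00"
    + b"start %s\x00\x00"
    + "tftp -i %s GET %s".encode("utf-16le") + b"\x00\x00"
    + b"192.0.2.10\x00"
    + b"%d.%d.%d.%d\x00"
    + b"\x12\x34\x56\x78"
)

# Printable runs of at least 5 characters (assumed minimum), ASCII and
# UTF-16LE (every code unit is <printable><NUL>).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")

# Assumption: a short TLD list is enough for triage; extend as needed.
HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"(?:com|net|org|edu|gov|mil|info|biz|ch|de|uk)\b",
    re.I,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

VERDICT_ADVICE = {
    "by-name": "target is a hostname: a resolver entry mapping it to "
               "127.0.0.1 (or a sinkhole you control) will redirect it",
    "by-address": "only IPv4 literals found: DNS changes do nothing, block "
                  "the address at the router/firewall instead",
    "unknown": "no name or address literal in plain strings: sample may be "
               "packed or obfuscated, fall back to dynamic analysis",
}


def ascii_strings(data: bytes) -> list[str]:
    """Printable ASCII runs, like strings(1)."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]


def utf16le_strings(data: bytes) -> list[str]:
    """Printable UTF-16LE runs (Win32 wide-string literals)."""
    return [m.group().decode("utf-16le") for m in UTF16LE_RUN.finditer(data)]


def valid_ipv4(text: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. version strings)."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def analyze(data: bytes) -> dict:
    """Extract strings, pull out hostnames and IPv4 literals, and classify."""
    strs = ascii_strings(data) + utf16le_strings(data)
    hosts = sorted({h.lower() for s in strs for h in HOST_RE.findall(s)})
    ips = sorted({ip for s in strs for ip in IPV4_RE.findall(s)
                  if valid_ipv4(ip)})
    if hosts:
        verdict = "by-name"
    elif ips:
        verdict = "by-address"
    else:
        verdict = "unknown"
    return {"strings": strs, "hostnames": hosts, "ipv4": ips,
            "verdict": verdict, "advice": VERDICT_ADVICE[verdict]}


if __name__ == "__main__":
    report = analyze(SAMPLE)
    for key in ("strings", "hostnames", "ipv4", "verdict", "advice"):
        print(f"{key:>9}: {report[key]}")
```

The verdict is a hint, not proof: a hostname literal tells you the sample will go through the resolver, which is what makes the DNS-entry trick above work, while an address literal means the traffic has to be stopped at the network edge. Both can be present (a name plus a fallback address), so read the full report rather than only the verdict, and treat "unknown" on a real sample as "packed, look harder", not "harmless".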



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 17:27:13 PDT