https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057275#M6339 Hi,<BR /><BR />MSBLAST worm uses windows RPC port. viz. TCP 135.<BR /><BR />#iptables -I INPUT -i eth+ -p tcp --dport 135 -j DROP<BR /><BR />regards,<BR /><BR />U.SivaKumar<BR /><BR /> Wed, 27 Aug 2003 06:37:30 GMT U.SivaKumar_2 2003-08-27T06:37:30Z https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057272#M6336 Hi!<BR /><BR />Just want to know if iptables can blick the exploit being done by MBLAST and how can it be done?<BR /><BR />Regards,<BR /><BR />LAT<BR /><BR /> Tue, 26 Aug 2003 23:45:05 GMT https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057272#M6336 Leovino A. Trinidad, Jr 2003-08-26T23:45:05Z https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057273#M6337 If you find out what port its using, you can simply shut the port explicitly in iptables.<BR /><BR />I'm uploading a sample iptables file that has lots of good examples.<BR /><BR />SEP Wed, 27 Aug 2003 00:54:20 GMT https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057273#M6337 Steven E. Protter 2003-08-27T00:54:20Z https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057274#M6338 And you know it uses ports 135, 139, 445 and 4444. Using Steven's example iptable should let you know how to block these ports.<BR /><BR />Beware that ports 135 and 139 are also used by windows. Be careful on blocking if you use RRAS behind your firewall (which you shouldn't...)<BR /><BR />J Wed, 27 Aug 2003 05:36:32 GMT https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057274#M6338 Jerome Henry 2003-08-27T05:36:32Z https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057275#M6339 Hi,<BR /><BR />MSBLAST worm uses windows RPC port. viz. TCP 135.<BR /><BR />#iptables -I INPUT -i eth+ -p tcp --dport 135 -j DROP<BR /><BR />regards,<BR /><BR />U.SivaKumar<BR /><BR /> Wed, 27 Aug 2003 06:37:30 GMT https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057275#M6339 U.SivaKumar_2 2003-08-27T06:37:30Z https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057276#M6340 Hi!<BR /><BR />Thank you for all your responses! It's good but will it really drop or ignore all msblast packets? I'm just making it sure it will work.<BR /><BR />To give you the background of my problem, our system are infected by msblast (which the stations are being cured)and the virus keeps on bombarding the line going to our default route which is our Firewall/Proxy server. The problem is, it's not with the Linux machine but with the 3com 4400 switch where the fw/proxy is connected. It cannot take huge packets (produce by msblast) that causes it to hang. I already made a rule in iptable wherein it will drop port 135,139,445 request and, still no positive result. I have not yet included port 4444.<BR /><BR />Is iptables the solution? Or will I do a work-around in our network system.<BR /><BR />Again, thank you.<BR /><BR />Regards,<BR /><BR /><BR />LAT Wed, 27 Aug 2003 21:31:55 GMT https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057276#M6340 Leovino A. Trinidad, Jr 2003-08-27T21:31:55Z https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057277#M6341 What the iptables rule will do is stops the corresponding packets, unabling them to enter the linux box and so to be propagated to the other NIC and subnet...<BR />But it won't remove the virus... If you have infected systems, you should decontaminate them, then use your linux box as door keeper to the internet gate...<BR /><BR />J Thu, 28 Aug 2003 12:17:02 GMT https://community.hpe.com/t5/operating-system-linux/mblast/m-p/3057277#M6341 Jerome Henry 2003-08-28T12:17:02Z