
MBLAST

 
Leovino A. Trinidad, Jr
Frequent Advisor

MBLAST

Hi!

Just want to know if iptables can block the exploit being done by MBLAST, and how can it be done?

Regards,

LAT

5 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: MBLAST

If you find out what port it's using, you can simply shut the port explicitly in iptables.

I'm uploading a sample iptables file that has lots of good examples.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jerome Henry
Honored Contributor

Re: MBLAST

And you know it uses ports 135, 139, 445 and 4444. Using Steven's example iptables file should let you know how to block these ports.

Beware that ports 135 and 139 are also used by Windows. Be careful about blocking if you use RRAS behind your firewall (which you shouldn't...)

J
You can lean only on what resists you...
U.SivaKumar_2
Honored Contributor

Re: MBLAST

Hi,

The MSBLAST worm uses the Windows RPC port, viz. TCP 135.

# iptables -I INPUT -i eth+ -p tcp --dport 135 -j DROP

regards,

U.SivaKumar

Innovations are made when conventions are broken
Leovino A. Trinidad, Jr
Frequent Advisor

Re: MBLAST

Hi!

Thank you for all your responses! It's good, but will it really drop or ignore all msblast packets? I'm just making sure it will work.

To give you the background of my problem, our systems are infected by msblast (the stations are being cured) and the virus keeps on bombarding the line going to our default route, which is our Firewall/Proxy server. The problem is not with the Linux machine but with the 3com 4400 switch where the fw/proxy is connected. It cannot take the huge packets (produced by msblast), which causes it to hang. I already made a rule in iptables wherein it will drop port 135, 139, 445 requests, and still no positive result. I have not yet included port 4444.

Is iptables the solution? Or will I do a workaround in our network system?

Again, thank you.

Regards,


LAT
Jerome Henry
Honored Contributor

Re: MBLAST

What the iptables rule will do is stop the corresponding packets, preventing them from entering the Linux box and so from being propagated to the other NIC and subnet...
But it won't remove the virus... If you have infected systems, you should decontaminate them, then use your Linux box as doorkeeper to the internet gate...

J
You can lean only on what resists you...
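
Added example, not part of the original thread or any poster's configuration: a small script that generates DROP rules for the four TCP ports named in the replies, on both the INPUT and FORWARD chains. It assumes the Linux box routes traffic between interfaces (INPUT only sees packets addressed to the firewall itself, while routed packets traverse FORWARD); the function names and the `print`/`apply`/`hits` arguments are hypothetical.

```shell
#!/bin/sh
# Added example: DROP rules for the ports listed in this thread.
# Assumption: the firewall forwards traffic, so FORWARD is filtered too.

PORTS="135 139 445 4444"   # TCP ports quoted in the replies above
CHAINS="INPUT FORWARD"     # local delivery and routed traffic
IFACE="eth+"               # same interface wildcard as the rule in the thread

# Print one iptables command per chain/port pair; changes nothing.
gen_rules() {
    for chain in $CHAINS; do
        for port in $PORTS; do
            echo "iptables -I $chain -i $IFACE -p tcp --dport $port -j DROP"
        done
    done
}

# Insert each rule unless an identical one already exists (needs root).
apply_rules() {
    gen_rules | while read -r cmd flag chain rest; do
        # -C checks for an existing matching rule; $rest is split on purpose
        iptables -C "$chain" $rest 2>/dev/null || iptables -I "$chain" $rest
    done
}

# Show packet/byte counters for the rules, to confirm they match traffic.
show_hits() {
    for chain in $CHAINS; do
        iptables -L "$chain" -v -n --line-numbers |
            grep -E 'dpt:(135|139|445|4444)'
    done
}

case "${1:-}" in
    print) gen_rules ;;
    apply) apply_rules ;;
    hits)  show_hits ;;
esac
```

Counters that stay at zero under `hits` while the flood continues mean the traffic is not traversing this box's filter chains at all, which is the case for packets that only cross the switch.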