
filter opa worm

Status
Not open for further replies.

sladd

IS-IT--Management
Mar 7, 2001
44
US
I have a frame-relay network routed with Cisco 1700s and 2600s. We have been compromised by the OPA worm. According to the McAfee write-up, this worm attempts to contact a website and download new versions of itself. I am working on eradication, but in the meantime this thing is flooding my frame-relay, resulting in unbelievable latency. Below is further information, including an IP capture of the traffic leaving my web server. Is there any way I can configure my routers to deny these requests while still allowing legitimate traffic? It appears the target port is 137; however, I'm not familiar with IP and don't know if this is a commonly used port.

This is a Windows-based network. WINS is used for host resolution. IP schema is 192.168.*.* class. Internet is accessed via proxy with NO DNS running on the internal network.
Currently no access lists configured on routers.

AgentName, Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
ridgway, 3 FEB 2003 08:46:30, 217.41.x.x, 17, 137, W32.Opaserv Worm?, 3611, 1
kenh, 3 FEB 2003 06:01:56, 68.144.x.x, 17, 137, W32.Opaserv Worm?, 3563, 1
Redbird, 3 FEB 2003 14:58:28, 24.88.x.x, 17, 137, W32.Opaserv Worm?, 3563, 1
StockPro, 3 FEB 2003 08:59:24, 68.145.x.x, 17, 137, W32.Opaserv Worm?, 3563, 1
Kostamogen, 3 FEB 2003 08:48:22, 68.145.x.x, 17, 137, W32.Opaserv Worm?, 3563, 1
TheBrit, 3 FEB 2003 06:55:19, 63.201.x.x, 17, 137, W32.Opaserv Worm?, 2972, 1
diehardnascar, 3 FEB 2003 00:04:39, 66.156.x.x, 6, 137, W32.Opaserv Worm?, 3502, 1
diehardnascar, 3 FEB 2003 00:04:39, 66.156.x.x, 6, 137, W32.Opaserv Worm?, 3502, 1
diehardnascar, 3 FEB 2003 00:04:39, 66.156.x.x, 6, 137, W32.Opaserv Worm?, 3502, 1
P.K.Y.Assoc., 3 FEB 2003 19:23:42, 64.65.x.x, 17, 137, W32.Opaserv Worm?, 4273, 1


 
Port 137 is typically used for NetBIOS traffic, which shouldn't be leaving your network anyhow. It's never a good idea to run without a firewall, or an access list at the least.

Right now, block port 137 like so:
access-list 101 deny tcp any any eq 137 log
! netbios-ns is the IOS keyword for UDP 137; the capture shows protocol 17 (UDP) as well as 6 (TCP)
access-list 101 deny udp any any eq netbios-ns log
access-list 101 permit ip any any

Apply the access list outbound on the serial interface (in interface configuration mode):
ip access-group 101 out

Work on what ports you need and make a permanent list like:
! IOS keywords: www = TCP 80, domain = TCP 53; 443 has no keyword on older IOS, so use the number
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq 443

port reference

Also see the NSA (yes, that NSA) router security guide at:

-Jeff

----------------------------------------
Wasabi Pop Tarts! Write Kellogs today!
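As an added example (not code from the thread), a small Python script that parses the capture format posted in the question, totals the port-137 events per IP protocol and per reporting host, and prints extended-ACL deny lines in the style of the reply above for every protocol actually observed, so a TCP-only rule is not written when the capture shows UDP (protocol 17). The sample rows are constructed in the same layout as the original, and the protocol-number-to-keyword mapping and ACL number 101 are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample in the same column layout as the capture posted above
# (destination addresses partially masked, as in the original).
SAMPLE_CAPTURE = """\
AgentName, Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
ridgway, 3 FEB 2003 08:46:30, 217.41.x.x, 17, 137, W32.Opaserv Worm?, 3611, 1
kenh, 3 FEB 2003 06:01:56, 68.144.x.x, 17, 137, W32.Opaserv Worm?, 3563, 1
diehardnascar, 3 FEB 2003 00:04:39, 66.156.x.x, 6, 137, W32.Opaserv Worm?, 3502, 1
diehardnascar, 3 FEB 2003 00:04:39, 66.156.x.x, 6, 137, W32.Opaserv Worm?, 3502, 1
P.K.Y.Assoc., 3 FEB 2003 19:23:42, 64.65.x.x, 17, 137, W32.Opaserv Worm?, 4273, 1
"""

# IP protocol numbers as they appear in the capture, mapped to IOS ACL keywords (assumed mapping).
PROTO_NAMES = {6: "tcp", 17: "udp"}

def parse_capture(text):
    """Read the comma-separated capture into dicts with typed protocol/port/count fields."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [{"agent": row["AgentName"],
             "dst": row["Destination IP"],
             "proto": int(row["IP Protocol"]),
             "port": int(row["Target Port"]),
             "count": int(row["Event Count"])} for row in reader]

def summarize(rows, port=137):
    """Total events to the worm port per (protocol keyword, port) and per reporting host."""
    by_proto, by_agent = Counter(), Counter()
    for r in rows:
        if r["port"] != port:
            continue
        by_proto[(PROTO_NAMES.get(r["proto"], str(r["proto"])), r["port"])] += r["count"]
        by_agent[r["agent"]] += r["count"]
    return by_proto, by_agent

def acl_lines(by_proto, acl=101):
    """Deny every protocol/port pair actually observed, then permit everything else."""
    lines = [f"access-list {acl} deny {proto} any any eq {port} log"
             for proto, port in sorted(by_proto)]
    lines.append(f"access-list {acl} permit ip any any")
    return lines

if __name__ == "__main__":
    by_proto, by_agent = summarize(parse_capture(SAMPLE_CAPTURE))
    print("hosts still emitting port-137 traffic:", dict(by_agent))
    print("\n".join(acl_lines(by_proto)))
```

The per-host counter doubles as a cleanup checklist: any agent that keeps appearing after the ACL is in place has not been disinfected yet.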
 
Is it confirmed that this worm is directed to tcp port 137?

Has anyone already sniffed these packets?


cheers,
 