05-21-2004 08:39 PM - edited 03-02-2019 03:52 PM
I was working on a client's network today. It's a college campus with a 4507 at the core and multiple buildings with about a dozen VLANs. Some of the student labs got hit with the Sasser worm. Microsoft uses TCP port 445, so we can't deny 445/TCP in the ACL for the VLAN interfaces. I did deny 5554/TCP and 9996/TCP in and out on all VLAN ACLs to prevent the spread of the worm. Does anyone know if these ports are also used by Microsoft?
05-21-2004 11:36 PM
Hello,
according to IANA, these ports are:
sgi-esphttp 5554/tcp SGI ESP HTTP
palace-5 9996/tcp Palace-5
Not sure what they are, but it does not sound like Microsoft...
Regards,
Georg
05-22-2004 10:07 AM
Thanks Georg, we are getting some matches on these ports but I will assume it won't interfere with the Microsoft network until we hear different. I did some more searching and came up with:
"SGI says in their Security Advisory 20040501-01-I
It has been reported thru various channel that the Sasser Worm uses the
same port 5554/tcp as SGI Embedded Support Partner (ESP) web server, which is enabled by default on current SGI IRIX and SGI Altix systems"
ftp://patches.sgi.com/support/free/security/advisories/20040501-01-I.asc
"9996 is IANA-registered for the Palace chat environment application "
So denying 5554 and 9996 should be a safe way to isolate Sasser from spreading from VLAN to VLAN.
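Added example, not part of the original thread: a small triage script that turns the ACL "matches" mentioned above into a list of lab hosts to inspect, by counting denied TCP hits on 5554 and 9996 per source address. It assumes the deny entries carry the `log` keyword so IOS emits %SEC-6-IPACCESSLOGP messages; the ACL names, addresses and log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Ports the thread blocks between VLANs to contain Sasser.
SASSER_PORTS = {5554, 9996}

# Cisco IOS ACL log message for TCP hits (%SEC-6-IPACCESSLOGP), denied only.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

# Constructed sample syslog lines; ACL names and addresses are made up.
SAMPLE_LOG = """\
May 22 10:01:12: %SEC-6-IPACCESSLOGP: list VLAN20-IN denied tcp 10.20.0.31(1044) -> 10.30.0.7(5554), 1 packet
May 22 10:01:15: %SEC-6-IPACCESSLOGP: list VLAN20-IN denied tcp 10.20.0.31(1051) -> 10.30.0.9(9996), 3 packets
May 22 10:02:40: %SEC-6-IPACCESSLOGP: list VLAN20-IN denied tcp 10.20.0.44(1102) -> 10.40.0.2(5554), 2 packets
May 22 10:03:02: %SEC-6-IPACCESSLOGP: list VLAN20-IN denied tcp 10.20.0.50(3321) -> 10.30.0.7(23), 1 packet
May 22 10:03:09: %SEC-6-IPACCESSLOGP: list VLAN20-IN denied udp 10.20.0.44(137) -> 10.30.0.7(5554), 1 packet
May 22 10:03:30: %SEC-6-IPACCESSLOGP: list VLAN30-IN permitted tcp 10.30.0.7(2200) -> 10.20.0.31(445), 1 packet
"""


def suspect_hosts(log_text, ports=SASSER_PORTS):
    """Return {source_ip: {dest_port: packets}} for denied TCP hits on `ports`."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m["dport"]) in ports:
            hits[m["src"]][int(m["dport"])] += int(m["count"])
    return {src: dict(by_port) for src, by_port in hits.items()}


def report(log_text):
    """Return (source_ip, total_packets, ports_hit) tuples, busiest source first."""
    rows = sorted(suspect_hosts(log_text).items(),
                  key=lambda kv: -sum(kv[1].values()))
    return [(src, sum(p.values()), sorted(p)) for src, p in rows]


if __name__ == "__main__":
    # A source on 5554 alone may be a client of an SGI ESP web server
    # (see the SGI advisory quoted above), so treat hits as leads to verify.
    for src, total, ports in report(SAMPLE_LOG):
        print(f"{src}: {total} denied packets to ports {ports}")
```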
05-26-2004 07:32 AM