Blocking W32.Sasser.B.Worm runs ports

etrops
Level 1

Hello, as you may or may not know, the latest virus running around is causing troubles. Symantec advised to block TCP ports 5554, 9996 & 445. Can somebody let me know how I could do this? Incoming access should be blocked, but how can I stop outgoing access?

Thank you in advance

John Palmason

7 Replies

Amin-Al
Level 1

Best practices:

Create an ACL and apply it on your firewall’s inside interface. Here is a sample of how to do this specifically for the SASSER worm:

access-list inside deny tcp any any eq 445

access-list inside deny tcp any any eq 5554

access-list inside deny tcp any any eq 9996

access-list inside permit ip any any (of course this would depend on your company’s security policy in terms of what’s allowed and not)

access-group inside in interface inside (or the name of your inside interface)

Now it’s also good practice (for Windows networks) to block the following:

- access-list inside deny tcp any any eq 135

- access-list inside deny tcp any any eq 137

- access-list inside deny udp any any eq 137

- access-list inside deny tcp any any eq 139

- access-list inside deny udp any any eq 139

- access-list inside deny udp any any eq 161 (if running snmp;-)

- there are other services you could block, search for them and it depends again on your security policy

Hope this helps.

Amin

Amin,

Could you give a brief description of what those other ports are for windows networks, and what the potential risk is?

Thank you. Would it make sense to place an ACL outgoing, blocking these ports from leaving the network? I know that I don't have any incoming ACL that will allow for this, but I am concerned about VPN users at home maybe introducing this to our network, and I would hate to let this virus out of our network (if we got infected).

John P

Not applicable

Hi Amin,

Is it possible to apply access-lists onto Catalyst switches? I believe this would limit the virus spread throughout the network even if an infected machine was able to connect.

I believe that the 12.1 enhanced image code for Cat 2950 switches can let you do IP access-lists.

I think that the newer code that runs on cat 4000 series switches will also do the same. I know for certain that the cat 6000/6500 series can let you do vlan acls (vacls).

For the 2900/3500xl models, you cannot do any type of acls yet with any code.

With all of the models I listed above you can set up VLAN private edge ports - this is done via the protected port feature and works even if the ports are on the same VLAN. Look into the Cat docs for more details. The only drawback with that with regards to 2900/3500XLs is that it won't work across trunk ports - that is, you cannot have a port on one 3500XL prevented from communicating with a port on another 3500XL via a trunk link.

A good idea is to add port 9995, because it is used by new variants of Sasser.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125012

access-list inside deny tcp any any eq 9995

maxo

W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm, as per Symantec. It uses TCP ports 1022 and 1023.

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.e.worm.html
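Pulling the ports from the replies above into one Cisco IOS extended ACL, as an added example that is not from any of the posters (the first reply uses PIX syntax; the ACL name and the interface name here are assumptions). Applied in both directions on the LAN-facing interface it covers the original outbound question, and the log keyword gives a detection signal for hosts that are probing these ports.

```cisco
! Constructed example: Sasser ports taken from this thread, IOS named ACL.
! Port 445 is where the worm exploits LSASS over SMB; 5554 is the FTP server
! an infected host runs to hand out the worm; 9996 is its remote shell.
ip access-list extended BLOCK-SASSER
 remark W32.Sasser.B: LSASS exploit, worm FTP server, remote shell
 deny   tcp any any eq 445 log
 deny   tcp any any eq 5554 log
 deny   tcp any any eq 9996 log
 remark later variants, per the replies (port 9995; Sasser.E 1022 and 1023)
 deny   tcp any any eq 9995 log
 deny   tcp any any eq 1022 log
 deny   tcp any any eq 1023 log
 permit ip any any
!
! Interface name is an assumption; use the LAN-side interface of your router.
interface FastEthernet0/0
 description inside LAN
 ip access-group BLOCK-SASSER in
 ip access-group BLOCK-SASSER out
!
! Checks: hit counters rising on the deny lines, and the logged denies,
! point to the internal hosts that are scanning for port 445.
! show access-lists BLOCK-SASSER
! show logging | include BLOCK-SASSER
```

Denying TCP 445 on an interface that carries legitimate file sharing or domain traffic will break it, so scope those deny lines to the affected subnets rather than any/any where that applies.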