Firewall and new sasser worm

Michael Hipp
Mon May 17 12:01:56 PDT 2004


Joel Hammer wrote:

> 1. Why would anybody allow port 445 to be exposed on
> the internet?

Because MS stupidly enables the "File and Print Sharing" and "Microsoft 
Network Client" services even on something identified as an external 
Internet connection and doesn't enable any kind of port 
blocking/firewalling. This is their "ease of use" and "feature bloat" 
above-all-else idea of software design.

(But as proof that even a self-righteous monopoly can be taught 
something, the latest SP of XP supposedly turns the firewall on by 
default now. But that's no help for millions of 95/98/ME/NT4/W2k/XP 
boxes that won't get such a pack.)

> 2. What does the Sasser worm look like in a firewall
> log? I can't find any hits in my log on ports 445 since
> April 26th. In fact, I have recorded no tcp hits in the
> 1:1023 range on my firewall in the last twelve hours.
> 
>      Could Comcast be filtering these things out? Seems
>      doubtful, since I got a notice from Comcast telling
>      its MS users to get the newest patch from MS
>      yesterday. The Comcast advisory stated that Macs
>      weren't affected. It didn't mention Linux, and I
>      didn't reply to them that Linux is OK because I don't
>      want them to notice me. Comcast doesn't support Linux.

I would hope port 445, above all others, might be something a 
responsible ISP would block. If you have a dial-up account with another 
ISP, you could nmap your box to see if the request makes it to your 
interface.

Michael
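
The log check discussed in this thread (hits on port 445 and in the 1:1023 range), as an added example that is not part of the original message. It assumes the firewall log uses the iptables LOG target format, which the thread does not state; the log lines are constructed, the addresses come from documentation ranges, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample lines in the iptables LOG-target format (an assumption:
# the thread does not say which firewall wrote the log). Addresses are taken
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 17 11:41:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TTL=112 PROTO=TCP SPT=3321 DPT=445 WINDOW=16384 SYN URGP=0
May 17 11:41:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TTL=112 PROTO=TCP SPT=3321 DPT=445 WINDOW=16384 SYN URGP=0
May 17 11:43:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.20 LEN=48 TTL=109 PROTO=TCP SPT=1877 DPT=445 WINDOW=64240 SYN URGP=0
May 17 11:44:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.91 DST=198.51.100.20 LEN=48 TTL=115 PROTO=TCP SPT=4410 DPT=135 WINDOW=8760 SYN URGP=0
May 17 11:45:17 gw kernel: IN=eth0 OUT= SRC=192.0.2.91 DST=198.51.100.20 LEN=78 TTL=115 PROTO=UDP SPT=1027 DPT=137
May 17 11:46:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.80 DST=198.51.100.20 LEN=60 TTL=52 PROTO=TCP SPT=51512 DPT=6881 WINDOW=5840 SYN URGP=0
May 17 11:47:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 TTL=112 PROTO=TCP SPT=3321 DPT=445 WINDOW=0 RST URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse(line):
    """Split one log line into KEY=value fields and bare TCP flag words."""
    fields, flags = {}, set()
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def inbound_syn_summary(log_text, lo=1, hi=1023):
    """Count new TCP connection attempts (SYN without ACK) per destination
    port in lo..hi, and per source address for port 445."""
    by_port, port445_sources = Counter(), Counter()
    for line in log_text.splitlines():
        f, flags = parse(line)
        if f.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
            continue  # skip UDP, resets and replies
        if not f.get("DPT", "").isdigit():
            continue  # truncated or malformed line
        dpt = int(f["DPT"])
        if lo <= dpt <= hi:
            by_port[dpt] += 1
            if dpt == 445:
                port445_sources[f.get("SRC", "?")] += 1
    return by_port, port445_sources

if __name__ == "__main__":
    by_port, sources = inbound_syn_summary(SAMPLE_LOG)
    print("SYNs per low port:", dict(by_port))
    print("port 445 sources:", dict(sources))
```

An empty count for port 445 only shows that nothing reached the logging rule; the probe from an outside account suggested above is what tells upstream filtering apart from an absence of traffic.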


