Tuesday, January 25, 2005

Sasser Strikes again!

So Sasser came out what? 1 year ago? 2 years ago? Well, I had a painful run in with it today, I thought I'd share my frustration in hopes that this blog post will save folks some time.

9:45am this morning most connectivity for one of the servers I manage just stopped. What they heck do I mean by most connectivity? Good question. Well, the internal clients couldn't ping the server, get mail, browse the web, nothing. The external clients could use RPC over HTTP and OWA, but for some reason, mail wasn't flowing into port 25 and the server was completely unmanagable on 3389.

I decided to check all the hardware first. This actually tossed me off track. A switch I was under the impression was used, was not lighting up at all. So after 2-3 hours trying to replace it, we determined it wasn't in use! I guess it does pay to know your topology.

Next we checked the ISA 2004 settings, everything looks perfectly setup. The long and the short of it, an excellent troubleshooter happened to notice that there was about 600 packets a second coming from one IP address on the client on port 445. Immediately he recognized it as the Sasser worm. I unplugged the client from the network, restarted the Firewall services and mail and connectivity was restored!

I couldn't believe it, nailed by Sassar again! What the heck was the machine doing on the network in the first place? Someone had installed Virtual Server and Windows XP Service Pack 1 bound to the actual network card!!! GRRRR! So because the image of the client wasn't patched, the server got nailed.

Just a little something to watch out for out in the wild. I'm sure it won't happen to you, because you're all running Windows XP Service Pack 2 on all your networks.

Which actually is a final note. The virus tried it's best to spread, but was stopped at it's knees. At least something worked today. :)