June 29, 2004

SBC problems in Michigan

So this morning I was working away and suddenly my VPN went BYE BYE. After everything came back up I found that it was more than us. Some of our clients had this issue also. It looks to have affected everything above POTS service.

I have just gotten this information that was sent to a client of ours that is having a problem. This message is from AT&T, by the way, not SBC.

SBC had an OC3 failure in Pontiac today at about noon. This failure has caused many disruptions in service for over 1300 SBC customers in Michigan.
How this failure has been affecting us is that the failure is affecting SS7 (signalling service 7) issue with AT&T toll connect service to our area. The AT&T NOC and SBC Technicians are working to fix the problem.

Posted by locutus at 03:53 PM | Comments (0)

May 05, 2004

sasser and CSA

This is a notice from Cisco about how the Cisco Security Agent "Protects" against the sasser worm. That is for the people who have not patched their machines.

It has come to my attention that there is some confusion regarding what our CSA for Voice Applications protects against regarding the recent Sasser worm.

Here is what we know so far:

- our policies do prevent sasser from copying itself.
- our policies do prevent sasser from executing.
- our policies do not prevent sasser from crashing LSASS.EXE with a buffer overrun, therefore creating a denial of service attack risk since this crash causes the machine to reboot.

The CSA for Voice Applications policies do include the default buffer overrun rule from the CSA product, but apparently this was not effective in this case. We are still working with VsecBU on this and will keep you posted once we know more.

In the meantime, even though our customers that have CSA properly running on their voice application servers will not get infected with Sasser, they need to patch their systems to prevent them from rebooting once/if the worm makes it into the network those servers are directly connected to (firewalls are effective at stopping sasser). We don't know exactly at what rate they are bound to see the DOS attack occur, but we do know it can happen.

Included below you will find instructions on patching customers' servers as per the announcement posted on customer-ccm-announce@cisco.com on Monday titled:

"Fixes for Sasser Virus (active exploit of MS04-011) for Cisco CallManager and Unity":

CallManager, CER, PA, etc. (non-Unity):
MS04-011 is in 2000.2.5sr7 and sr8 or 2000.2.6 posted on Cisco.com:
http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des
For CallManager, please install the win-OS update and do not apply the patch from Microsoft.

Unity:
Since this is not a service pack, you can install the MS04-011 patch directly to a Unity server.
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Microsoft's Official Page:
http://www.microsoft.com/security/incident/sasser.asp
This page also includes a link to run a program to remove the virus AFTER the patch has been installed.


More information on the virus:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
There are at least 3 variants A, AB, and B.

Please let me know if you have further concerns regarding the effect of sasser on our voice application servers.

Posted by locutus at 07:23 PM | Comments (0)