[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]
Re: [LIG] [nylug-talk] ALERT - A DANGEROUS NEW WORM IS SPREADING ON THEINTERNET (fwd)
Don't know about a HOWTO, but here're some basic steps you could take
to prevent/detect the worm:
1. If you don't need to, DO NOT run a nameserver. If you absolutely
have to, do the following:
- Change the version response. In the options section of
version "None of your business" ;
- Only allow queries from your local IP's. In the options
allow-query 127.0.0.1 ;
allow-query 192.168.0.0/24 ;
[Or whatever your local IP addresses are]
2. Upgrade to the latest (9.x) BIND immediately. I cannot
overemphasise the importance of this step.
3. Make your important programs immutable. You will have to reverse
this before upgrading any packages, but it'll help in the short term:
chattr -R -V +i /bin /sbin /usr/bin /usr/sbin
4. Check if /etc/hosts.deny still exists. If it doesn't, you may
5. Check the dates of all the binaries which the worm can affect:
[I don't have mjy and topg, so I don't know which directories they
6. Use your package manager to verify checksums of all binaries.
This will take some time, but it's worth it. With RPM, you can:
rpm -Va > /tmp/RPM-Va-OUT
Pay special attention to files in executable directories which have
the ``5'' (MD5 checksum failed) flag on: if you don't recollect having
changed these files, someone else has!
7. Check for unknown connections:
It's a pain searching netstat output, but do give it a quick glance to
see if anything's amiss.
8. Check running processes. Odd process names which look like
system/kernel daemons but don't exist in /usr/src/linux or /sbin or
/usr/sbin are candidates for suspicion.
9. Store a tarball of /var/log/ on some safe system if you've been
infected. Post-mortem analysis is as important as prevention.
This is not a comprehensive list, but on Sunday morning it's the best
I can do at short notice -- I've only had 2 cups of tea so far and I
don't really start thinking till about the 5th :) I'm sure Suresh
would be coming up with a HOWTO on stopping mail going to China.com.
>>>>> "Tarique" == tarique@sanisoft com <tarique@xxxxxxxxxxxx> writes:
Tarique> On Sat, 24 Mar 2001, Atul Chitnis wrote:
>> Close your DNS ports, and deny relaying of mail to china.com.
Tarique> How about a short HOWTO for induhviduals
Raju Mathur raju@xxxxxxxxxxxxx http://kandalaya.org/