Re: [LIG] [nylug-talk] ALERT - A DANGEROUS NEW WORM IS SPREADING ON THEINTERNET (fwd)
Hi,
Thanks for the valuable info.
I tried putting the
version "None of your business" ;
allow-query 216.6.92.64/26 ;
allow-qery 12.10.198.160/28 ;
but I am still able to do the nslookup from the machines outside my
network, and in /var/log/messages I am getting the following error. Please
suggest.
Mar 26 12:22:37 moon named[4171]: /etc/named.conf:5: syntax error near
'version'
thanks
Manish
Raju Mathur wrote:
>
> Hi Tarique,
>
> Don't know about a HOWTO, but here're some basic steps you could take
> to prevent/detect the worm:
>
> 1. If you don't need to, DO NOT run a nameserver. If you absolutely
> have to, do the following:
>
> - Change the version response. In the options section of
> named.conf, put:
>
> version "None of your business" ;
>
> - Only allow queries from your local IP's. In the options
> section, put:
>
> allow-query 127.0.0.1 ;
>
> OR
>
> allow-query 192.168.0.0/24 ;
>
> [Or whatever your local IP addresses are]
>
> 2. Upgrade to the latest (9.x) BIND immediately. I cannot
> overemphasise the importance of this step.
>
> 3. Make your important programs immutable. You will have to reverse
> this before upgrading any packages, but it'll help in the short term:
>
> chattr -R -V +i /bin /sbin /usr/bin /usr/sbin
>
> 4. Check if /etc/hosts.deny still exists. If it doesn't, you may
> be infected.
>
> 5. Check the dates of all the binaries which the worm can affect:
>
> /usr/sbin/nscd
> /usr/bin/find
> /sbin/ifconfig
> /usr/sbin/in.telnetd
> /usr/sbin/in.fingerd
> /bin/login
> /bin/ls
> /bin/netstat
> /bin/ps
> /usr/bin/pstree
>
> [I don't have mjy and topg, so I don't know which directories they
> reside in.]
>
> 6. Use your package manager to verify checksums of all binaries.
> This will take some time, but it's worth it. With RPM, you can:
>
> rpm -Va > /tmp/RPM-Va-OUT
>
> Pay special attention to files in executable directories which have
> the "5" (MD5 checksum failed) flag on: if you don't recollect having
> changed these files, someone else has!
>
> 7. Check for unknown connections:
>
> netstat -aep
>
> It's a pain searching netstat output, but do give it a quick glance to
> see if anything's amiss.
>
> 8. Check running processes. Odd process names which look like
> system/kernel daemons but don't exist in /usr/src/linux or /sbin or
> /usr/sbin are candidates for suspicion.
>
> 9. Store a tarball of /var/log/ on some safe system if you've been
> infected. Post-mortem analysis is as important as prevention.
>
> This is not a comprehensive list, but on Sunday morning it's the best
> I can do at short notice -- I've only had 2 cups of tea so far and I
> don't really start thinking till about the 5th :) I'm sure Suresh
> would be coming up with a HOWTO on stopping mail going to China.com.
>
> HTH,
>
> -- Raju
>
> >>>>> "Tarique" == tarique@sanisoft com <tarique@xxxxxxxxxxxx> writes:
>
> Tarique> On Sat, 24 Mar 2001, Atul Chitnis wrote:
> >> Close your DNS ports, and deny relaying of mail to china.com.
> Tarique> How about a short HOWTO for induhviduals
>
> Tarique> Tarique
> --
> Raju Mathur raju@xxxxxxxxxxxxx http://kandalaya.org/
>
> ------------------------------------------------
> The mailing list archives are available at
> http://lists.linux-india.org/cgi-bin/wilma/linux-delhi
--
*************************************************************************
Manish Verma E-Mail:mverma@xxxxxxxxxxx
Surevin Internet Services
...the friendly ISP
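Step 6 of the quoted checklist saves `rpm -Va` output to a file and tells you to look for the "5" flag on files in executable directories. The following shell snippet is an added example, not code from either poster: it does that filtering over a constructed sample of `rpm -Va` output, keeping only entries under /bin, /sbin, /usr/bin and /usr/sbin (the directories made immutable in step 3) whose MD5 no longer matches the package, or which are missing altogether. It assumes the usual `rpm -Va` line layout (flag column, optional attribute letter, path; "missing" for deleted files).

```shell
#!/bin/sh
# Added example for the rpm -Va check in step 6 (not from the thread).
# Usage on a live system:  rpm -Va | flag_suspect_binaries

# Directories whose binaries the worm is said to replace (see steps 3 and 5).
EXEC_DIRS="/bin /sbin /usr/bin /usr/sbin"

# Read rpm -Va lines on stdin; print "<reason> <path>" for each suspicious entry.
flag_suspect_binaries() {
    while IFS= read -r line; do
        # Split the line: $1 is the flag column (e.g. "S.5....T" or "missing"),
        # the last field is the path; an attribute letter (c, d, ...) may sit between.
        set -- $line
        [ $# -ge 2 ] || continue
        flags=$1
        for path; do :; done          # POSIX idiom: $path ends up as the last field

        # Only files in executable directories matter here.
        in_exec=0
        for d in $EXEC_DIRS; do
            case $path in "$d"/*) in_exec=1 ;; esac
        done
        [ $in_exec -eq 1 ] || continue

        # Third character of the flag column is the MD5 verdict ("5" = mismatch).
        case $flags in
            missing) echo "missing $path" ;;
            ??5*)    echo "md5-mismatch $path" ;;
        esac
    done
}

# Constructed sample of rpm -Va output (not real output from any host).
SAMPLE='S.5....T   /bin/ls
.......T   /bin/ps
..5....T  c /etc/named.conf
missing    /usr/bin/find
S.5....T   /usr/lib/libfoo.so'

# Runs the filter over the sample; returns the flagged lines.
demo_sample() {
    printf '%s\n' "$SAMPLE" | flag_suspect_binaries
}

demo_sample
```

On the sample, only /bin/ls (checksum changed) and /usr/bin/find (missing) are reported; the changed config file and the library outside the executable directories are left for the rest of the `rpm -Va` review.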