Re: [LIG] [nylug-talk] ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET (fwd)
Thanks for the valuable info.
I tried putting the
version "None of your business" ;
allow-query 184.108.40.206/26 ;
allow-qery 220.127.116.11/28 ;
but I am still able to do the nslookup from the machines outside my
network, and in /var/log/messages I am getting the following error pl
Mar 26 12:22:37 moon named: /etc/named.conf:5: syntax error near
Raju Mathur wrote:
> Hi Tarique,
> Don't know about a HOWTO, but here're some basic steps you could take
> to prevent/detect the worm:
> 1. If you don't need to, DO NOT run a nameserver. If you absolutely
> have to, do the following:
> - Change the version response. In the options section of
> named.conf, put:
> version "None of your business" ;
> - Only allow queries from your local IPs. In the options
> section, put:
> allow-query 127.0.0.1 ;
> allow-query 192.168.0.0/24 ;
> [Or whatever your local IP addresses are]
> 2. Upgrade to the latest (9.x) BIND immediately. I cannot
> overemphasise the importance of this step.
> 3. Make your important programs immutable. You will have to reverse
> this before upgrading any packages, but it'll help in the short term:
> chattr -R -V +i /bin /sbin /usr/bin /usr/sbin
> 4. Check if /etc/hosts.deny still exists. If it doesn't, you may
> be infected.
> 5. Check the dates of all the binaries which the worm can affect:
> [I don't have mjy and topg, so I don't know which directories they
> reside in.]
> 6. Use your package manager to verify checksums of all binaries.
> This will take some time, but it's worth it. With RPM, you can:
> rpm -Va > /tmp/RPM-Va-OUT
> Pay special attention to files in executable directories which have
> the "5" (MD5 checksum failed) flag on: if you don't recollect having
> changed these files, someone else has!
> 7. Check for unknown connections:
> netstat -aep
> It's a pain searching netstat output, but do give it a quick glance to
> see if anything's amiss.
> 8. Check running processes. Odd process names which look like
> system/kernel daemons but don't exist in /usr/src/linux or /sbin or
> /usr/sbin are candidates for suspicion.
> 9. Store a tarball of /var/log/ on some safe system if you've been
> infected. Post-mortem analysis is as important as prevention.
> This is not a comprehensive list, but on Sunday morning it's the best
> I can do at short notice -- I've only had 2 cups of tea so far and I
> don't really start thinking till about the 5th :) I'm sure Suresh
> would be coming up with a HOWTO on stopping mail going to China.com.
> -- Raju
> >>>>> "Tarique" == tarique@sanisoft com <tarique@xxxxxxxxxxxx> writes:
> Tarique> On Sat, 24 Mar 2001, Atul Chitnis wrote:
> >> Close your DNS ports, and deny relaying of mail to china.com.
> Tarique> How about a short HOWTO for induhviduals
> Tarique> Tarique
> Raju Mathur raju@xxxxxxxxxxxxx http://kandalaya.org/
> The mailing list archives are available at
Manish Verma E-Mail: mverma@xxxxxxxxxxx
Surevin Internet Services
...the friendly ISP
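Editor's note on the syntax error reported above: in named.conf, `allow-query` takes a brace-delimited address list, each element terminated by `;`, and the statement itself ends with `};`. A bare `allow-query 127.0.0.1 ;` is not valid and is what `named` rejects with `syntax error`. The script below is an added example written for this archive page, not code from either poster: the first function prints a correctly formed `options` block for the networks given on the command line, the second is a crude checker for that statement form, and the third triages `rpm -Va` output as suggested in step 6, keeping only files under /bin, /sbin, /usr/bin and /usr/sbin whose MD5 flag (`5`) is set. The `rpm -Va` lines at the bottom are constructed sample data, not output from any real host.

```shell
#!/bin/sh
# Added example for the BIND hardening steps quoted in this thread.
# Not from the original posters; the sample rpm -Va lines are constructed.

# Print an options block that hides the version string and restricts
# queries to the given networks.
# Usage: bind_options_block NET [NET...]   e.g. 127.0.0.1 192.168.0.0/24
bind_options_block() {
    printf 'options {\n'
    printf '    version "None of your business";\n'
    printf '    allow-query {'
    for net in "$@"; do
        printf ' %s;' "$net"
    done
    printf ' };\n'
    printf '};\n'
}

# Read named.conf text on stdin; exit 0 if every allow-query statement
# has the form "allow-query { addr; addr; };", exit 1 otherwise.
# Braces are written as [{] and [}] so the regex is portable across awks.
check_allow_query_syntax() {
    awk '
        /allow-query/ && $0 !~ /allow-query[[:space:]]*[{]([[:space:]]*[^;{}]+;)+[[:space:]]*[}][[:space:]]*;/ { bad++ }
        END { exit (bad > 0) }'
}

# Read rpm -Va output on stdin; print the path of every file that lives
# in an executable directory and whose third flag column is "5"
# (MD5 digest differs from the package database).
rpm_flagged_binaries() {
    awk 'substr($1, 3, 1) == "5" && $NF ~ /^\/(usr\/)?s?bin\// { print $NF }'
}

# Constructed sample of rpm -Va output (not from a real system).
SAMPLE_RPM_VA='..5....T   /usr/bin/ps
S.5....T c /etc/named.conf
.......T   /sbin/ifconfig
..5....T   /bin/netstat'

# Demonstration when run directly.
echo "# options block for a loopback-only plus one LAN:"
bind_options_block 127.0.0.1 192.168.0.0/24
echo "# binaries whose checksum no longer matches the package:"
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_flagged_binaries
```

Paste the generated block into /etc/named.conf in place of the bare `allow-query` lines, reload `named`, and confirm that a query from outside the listed networks is now refused. Any path printed by `rpm_flagged_binaries` that you did not change yourself deserves the same suspicion the quoted step 6 describes.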