Re: [LIG] [nylug-talk] ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET (fwd)
Hi Manish,
1. You'll have to put the version and allow-query directives in the
options section of your named.conf.
options {
    ...
    ...
    version "none of your business";
    // named.conf takes one allow-query statement per options block,
    // holding a braced address-match list; "none" at the end makes
    // the default-deny for everything else explicit.
    allow-query { 216.6.92.64/26; 12.10.198.160/28; none; };
    ...
};
2. You'll have to add an allow-query none ; at the END of the
allow-query directives as done above.
I haven't checked these out, but this should be close enough to the
actual configuration.
Regards,
-- Raju
>>>>> "Manish" == Manish Verma <manishverma@xxxxxxxxxxx> writes:
Manish> Hi, thanks for the valuable info.
Manish> I tried putting the
Manish> version "None of your business" ;
Manish> allow-query 216.6.92.64/26 ; allow-query 12.10.198.160/28 ;
Manish> but I am still able to do the nslookup from the machines
Manish> outside my network and in /var/log/messages I am getting
Manish> the following error, please suggest.
Manish> Mar 26 12:22:37 moon named[4171]: /etc/named.conf:5:
Manish> syntax error near 'version'
Manish> thanks
Manish> Manish
Manish> Raju Mathur wrote:
>> Hi Tarique,
>>
>> Don't know about a HOWTO, but here're some basic steps you
>> could take to prevent/detect the worm:
>>
>> 1. If you don't need to, DO NOT run a nameserver. If you
>> absolutely have to, do the following:
>>
>> - Change the version response. In the options section of
>> named.conf, put:
>>
>> version "None of your business" ;
>>
>> - Only allow queries from your local IP's. In the options
>> section, put:
>>
>> allow-query { 127.0.0.1; };
>>
>> OR
>>
>> allow-query { 192.168.0.0/24; };
>>
>> [Or whatever your local IP addresses are]
>>
>> 2. Upgrade to the latest (9.x) BIND immediately. I cannot
>> overemphasise the importance of this step.
>>
>> 3. Make your important programs immutable. You will have to
>> reverse this before upgrading any packages, but it'll help in
>> the short term:
>>
>> chattr -R -V +i /bin /sbin /usr/bin /usr/sbin
>>
>> 4. Check if /etc/hosts.deny still exists. If it doesn't, you
>> may be infected.
>>
>> 5. Check the dates of all the binaries which the worm can
>> affect:
>>
>> /usr/sbin/nscd /usr/bin/find /sbin/ifconfig
>> /usr/sbin/in.telnetd /usr/sbin/in.fingerd /bin/login /bin/ls
>> /bin/netstat /bin/ps /usr/bin/pstree
>>
>> [I don't have mjy and topg, so I don't know which directories
>> they reside in.]
>>
>> 6. Use your package manager to verify checksums of all
>> binaries. This will take some time, but it's worth it. With
>> RPM, you can:
>>
>> rpm -Va > /tmp/RPM-Va-OUT
>>
>> Pay special attention to files in executable directories which
>> have the ``5'' (MD5 checksum failed) flag on: if you don't
>> recollect having changed these files, someone else has!
>>
>> 7. Check for unknown connections:
>>
>> netstat -aep
>>
>> It's a pain searching netstat output, but do give it a quick
>> glance to see if anything's amiss.
>>
>> 8. Check running processes. Odd process names which look like
>> system/kernel daemons but don't exist in /usr/src/linux or
>> /sbin or /usr/sbin are candidates for suspicion.
>>
>> 9. Store a tarball of /var/log/ on some safe system if you've
>> been infected. Post-mortem analysis is as important as
>> prevention.
>>
>> This is not a comprehensive list, but on Sunday morning it's
>> the best I can do at short notice -- I've only had 2 cups of
>> tea so far and I don't really start thinking till about the 5th
>> :) I'm sure Suresh would be coming up with a HOWTO on stopping
>> mail going to China.com.
>>
>> HTH,
>>
>> -- Raju
>>
>> >>>>> "Tarique" == tarique@sanisoft com <tarique@xxxxxxxxxxxx>
>> writes:
>>
>> Tarique> On Sat, 24 Mar 2001, Atul Chitnis wrote:
>> Tarique> > Close your DNS ports, and deny relaying of mail to
>> Tarique> > china.com.
>> Tarique> How about a short HOWTO for induhviduals
>>
>> Tarique> Tarique
>> -- Raju Mathur raju@xxxxxxxxxxxxx http://kandalaya.org/
--
Raju Mathur raju@xxxxxxxxxxxxx http://kandalaya.org/
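The following script is an added example and is not part of this thread or of Raju's posts. It turns steps 1, 4, 5 and 6 of the checklist above into small shell functions that can be run against sample input: a check that named.conf hides the server version and restricts queries, a check that /etc/hosts.deny still exists, a listing of the modification times of the binaries the thread names, and a filter over `rpm -Va` output that keeps only files in executable directories whose MD5 flag ("5") is set. The named.conf fragments and the `rpm -Va` lines embedded in the script are constructed samples, not output from any real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Defender-side checks built from
# Raju's steps 1, 4, 5 and 6. Assumes BIND 8/9-style named.conf syntax and
# rpm -Va output with the attribute flags in the first column and the path
# in the last column.

# Step 1: returns 0 when the options block carries both a version string
# and a braced allow-query list, 1 otherwise.
named_conf_hardened() {
    awk '
        /^[[:space:]]*options[[:space:]]*\{/          { inopt = 1 }
        inopt && /^[[:space:]]*version[[:space:]]+"/   { v = 1 }
        inopt && /^[[:space:]]*allow-query[[:space:]]*\{/ { q = 1 }
        inopt && /^[[:space:]]*\}[[:space:]]*;/        { inopt = 0 }
        END { exit (v && q) ? 0 : 1 }
    ' "$1"
}

# Step 4: the thread reports that the worm removes /etc/hosts.deny.
# Takes an optional path so it can be exercised on a test file.
hosts_deny_present() {
    [ -e "${1:-/etc/hosts.deny}" ]
}

# Step 5: modification times of the binaries named in the thread, newest
# first, so a freshly replaced one stands out; missing ones are reported.
binary_mtimes() {
    set --
    for f in /usr/sbin/nscd /usr/bin/find /sbin/ifconfig /usr/sbin/in.telnetd \
             /usr/sbin/in.fingerd /bin/login /bin/ls /bin/netstat /bin/ps \
             /usr/bin/pstree; do
        if [ -e "$f" ]; then set -- "$@" "$f"; else echo "MISSING: $f"; fi
    done
    if [ $# -gt 0 ]; then ls -lt "$@"; fi
}

# Step 6: read rpm -Va output on stdin and print paths under /bin, /sbin,
# /usr/bin or /usr/sbin whose MD5 digest no longer matches the package.
rpm_md5_failures() {
    awk '$1 ~ /5/ && $NF ~ /^\/(bin|sbin|usr\/bin|usr\/sbin)\// { print $NF }'
}

# Constructed rpm -Va sample (not from a real system): two executables with
# a failed digest, a config file with a failed digest, a timestamp-only
# change, and a missing file.
sample_rpm_va() {
    cat <<'EOF'
S.5....T   /bin/ls
..5......  /bin/netstat
S.5....T c /etc/named.conf
.......T   /usr/bin/find
missing    /etc/hosts.deny
EOF
}

# Constructed named.conf fragments written into the given directory: the
# weak form beside the hardened one from the thread.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
options {
    directory "/var/named";
};
EOF
    cat > "$1/hardened.conf" <<'EOF'
options {
    directory "/var/named";
    version "none of your business";
    allow-query { 192.168.0.0/24; 127.0.0.1; none; };
};
EOF
}

# Run every check against the constructed samples and the local host.
demo() {
    tmp=$(mktemp -d)
    write_sample_confs "$tmp"
    for c in weak hardened; do
        if named_conf_hardened "$tmp/$c.conf"; then
            echo "$c.conf: version hidden and allow-query restricted"
        else
            echo "$c.conf: missing version and/or allow-query in options"
        fi
    done
    if hosts_deny_present; then echo "/etc/hosts.deny present"; else echo "/etc/hosts.deny MISSING"; fi
    echo "--- binary modification times ---"; binary_mtimes
    echo "--- executables with failed MD5 in sample rpm -Va output ---"
    sample_rpm_va | rpm_md5_failures
    rm -rf "$tmp"
}

demo
```

On a live host, replace `sample_rpm_va` with `rpm -Va` (or the saved `/tmp/RPM-Va-OUT` from step 6) and point `named_conf_hardened` at the real `/etc/named.conf`; the `none` element at the end of the allow-query list is what the thread's step 2 asks for, and BIND refuses anything the list does not match.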