[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

Re: [linux-delhi] [nylug-talk] ALERT - A DANGEROUS NEW WORM IS SPREADING ON THEINTERNET (fwd)



Hi Tarique,

Don't know about a HOWTO, but here're some basic steps you could take
to prevent/detect the worm:

1.  If you don't need to, DO NOT run a nameserver.  If you absolutely
have to, do the following:

     - Change the version response.  In the options section of
       named.conf, put:

       version "None of your business" ;

     - Only allow queries from your local IP's.  In the options
       section, put:

       allow-query 127.0.0.1 ;

       OR

       allow-query 192.168.0.0/24 ;

       [Or whatever your local IP addresses are]

2.  Upgrade to the latest (9.x) BIND immediately.  I cannot
overemphasise the importance of this step.

3.  Make your important programs immutable.  You will have to reverse
this before upgrading any packages, but it'll help in the short term:

     chattr -R -V +i /bin /sbin /usr/bin /usr/sbin

4.  Check if /etc/hosts.deny still exists.  If it doesn't, you may
be infected.

5.  Check the dates of all the binaries which the worm can affect:

    /usr/sbin/nscd
    /usr/bin/find
    /sbin/ifconfig
    /usr/sbin/in.telnetd
    /usr/sbin/in.fingerd
    /bin/login
    /bin/ls
    /bin/netstat
    /bin/ps
    /usr/bin/pstree

[I don't have mjy and topg, so I don't know which directories they
reside in.]

6.  Use your package manager to verify checksums of all binaries.
This will take some time, but it's worth it.  With RPM, you can:

     rpm -Va > /tmp/RPM-Va-OUT

Pay special attention to files in executable directories which have
the ``5'' (MD5 checksum failed) flag on: if you don't recollect having
changed these files, someone else has!

7.  Check for unknown connections:

    netstat -aep

It's a pain searching netstat output, but do give it a quick glance to
see if anything's amiss.

8.  Check running processes.  Odd process names which look like
system/kernel daemons but don't exist in /usr/src/linux or /sbin or
/usr/sbin are candidates for suspicion.

9.  Store a tarball of /var/log/ on some safe system if you've been
infected.  Post-mortem analysis is as important as prevention.

This is not a comprehensive list, but on Sunday morning it's the best
I can do at short notice -- I've only had 2 cups of tea so far and I
don't really start thinking till about the 5th :) I'm sure Suresh
would be coming up with a HOWTO on stopping mail going to China.com.

HTH,

-- Raju

>>>>> "Tarique" == tarique@sanisoft com <tarique@xxxxxxxxxxxx> writes:

    Tarique> On Sat, 24 Mar 2001, Atul Chitnis wrote:
    >> Close your DNS ports, and deny relaying of mail to china.com.
    Tarique> How about a short HOWTO for induhviduals

    Tarique> Tarique
-- 
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/