[CLUE-Tech] [Fwd: FW: [lug] new Linux worm]

Kevin Cullis kevincu at orci.com
Fri Mar 23 13:36:43 MST 2001


Grant Johnson wrote:
> 
> At 07:01 PM 03/23/2001 +0000, you wrote:
> >Whoa. Lion is a nasty one (just finished reading the SANS advisory).
> >
> >This would only affect Linux boxes running as DNS servers, yes?  Hopefully
> >the BIND daemon (if it is a daemon - more man page reading to do) is also
> >not running by default on RH systems.
> >
> >-Jim
> It is running by default on most distributions, BUT, the advisory about BIND
> came out some time ago, and all of the major distros have released
> patches.  If you are up to date on your security patches, you are OK.  If
> you have gone through and shut off daemons you are not using, you are
> OK.  Most people are vulnerable.  Especially the desktop users, who do not
> take system administration seriously.

Grant,

I take it seriously, but I don't know which daemons to kill that affect
me. What should I look for in my log files?  What are some simple grep
commands that can reduce what I look at?

I got "scanned" by someone and this is from /var/log/messages:

Mar 22 18:07:05 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 211.219.153.124/211.219.153.124 to TCP port: 53
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: External command run for host: 211.219.153.124 using command: "/some/path/here/script 211.219.153.124 53"
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via wrappers with string: "ALL: 211.219.153.124"
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via dropped route using command: "/sbin/route add -host 211.219.153.124 reject"

So, can anyone provide some newbie info?

Kevin
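One way to answer the "what do I grep for" question above, as an added example that is not part of the original thread: a small POSIX sh script that pulls the portsentry "attackalert ... scan from host" lines out of a syslog-style file, counts probing hosts and probed ports, and then intersects the probed ports with the ports this box actually listens on, since a SYN to port 53 only matters if named is really running. The sample log is constructed for the example (the first line is the one from the post, the 192.0.2.x addresses are documentation addresses); it assumes portsentry's message format as shown in the post and netstat/ss for the listening-port list.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise portsentry scan alerts
# from a syslog file on stdin and compare probed ports with listening ones.

# Constructed sample (first line copied from the post, rest invented).
# Real use: pipe /var/log/messages into the functions instead.
SAMPLE_LOG=$(cat <<'EOF'
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 211.219.153.124/211.219.153.124 to TCP port: 53
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via wrappers with string: "ALL: 211.219.153.124"
Mar 22 19:15:42 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Mar 22 19:15:43 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 53
Mar 22 20:01:00 cullis sshd[811]: Accepted password for kevin from 192.0.2.55 port 1022 ssh2
EOF
)

# Print "<source-ip> <port>" for every scan alert on stdin.
# portsentry logs the source as "hostname/ip"; we keep the ip part.
scan_events() {
    grep 'portsentry\[[0-9]*\]: attackalert: .*scan from host:' |
    sed -n 's|.*scan from host: [^/ ]*/\([0-9.]*\) to [A-Z]* port: \([0-9]*\).*|\1 \2|p'
}

# Probes per source host, most active first: "<count> <ip>".
scanners_by_host() {
    scan_events | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Probes per target port, most hit first: "<count> <port>".
ports_probed() {
    scan_events | awk '{print $2}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# TCP ports this host is listening on, one per line (netstat, else ss).
listening_tcp_ports() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -lnt 2>/dev/null | awk '$1 ~ /^tcp/ {sub(/.*:/, "", $4); print $4}'
    else
        ss -lnt 2>/dev/null | awk '$1 == "LISTEN" {sub(/.*:/, "", $4); print $4}'
    fi | sort -un
}

# Probed ports (log on stdin) that are also in the listening list given
# as $1 (whitespace separated). These are the alerts worth acting on.
probed_and_listening() {
    scan_events | awk -v listening="$1" '
        BEGIN { n = split(listening, a, " "); for (i = 1; i <= n; i++) open[a[i]] = 1 }
        ($2 in open) && !seen[$2]++ { print $2 }' | sort -n
}

# Demo on the constructed sample; swap in "< /var/log/messages" for real use.
echo "== probes per host =="
printf '%s\n' "$SAMPLE_LOG" | scanners_by_host
echo "== probes per port =="
printf '%s\n' "$SAMPLE_LOG" | ports_probed
echo "== probed ports this box actually serves (assumes 22 and 53 listening) =="
printf '%s\n' "$SAMPLE_LOG" | probed_and_listening "22 53"
```

On a live box the last step is `probed_and_listening "$(listening_tcp_ports | tr '\n' ' ')" < /var/log/messages`; anything it prints is a service that is both exposed and being probed, which is the list to patch or shut off first. The portsentry lines themselves only tell you someone knocked; `netstat -lnt` (or `ss -lnt`) tells you which doors were open.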
