[CLUE-Tech] [Fwd: FW: [lug] new Linux worm]

Cyberclops Cyberclops at hawaii.rr.com
Fri Mar 23 17:37:33 MST 2001


This is what I got at 211.219.153.124

"""""Test Page
This page is used to test the proper operation of the Apache Web server after
it has been installed.  If you can read this page, it means that the Apache
Web server installed at this site is working properly.

If you are the administrator of this website:
You may now add content to this directory, and replace this page.  Note that
until you do so, people visiting your website will see this page, and not your
content.

If you are a member of the general public:
The fact that you are seeing this page indicates that the website you just
visited is either experiencing problems, or is undergoing routine maintenance.

If you would like to let the administrator of this website know that you've
seen this page instead of the page you expected, you should send them e-mail.
In general, mail sent to the name "webmaster" and directed to the website's
domain should reach the appropriate person.

For example, if you experienced problems while visiting www.gnomovision.com,
you should send e-mail to "webmaster at gnomovision.com".

The Apache documentation has been included with this distribution.
For documentation and information on Red Hat Linux, please visit the Red
Hat, Inc. website. The manual for Red Hat Linux is available here.

You are free to use the image below on an Apache-powered Web
server.  Thanks for using Apache!

You are free to use the image below on a Red Hat Linux-powered Web
server. Thanks for using Red Hat Linux!"""""






Kevin Cullis wrote:
> 
> Grant Johnson wrote:
> >
> > At 07:01 PM 03/23/2001 +0000, you wrote:
> > >Whoa. Lion is a nasty one (just finished reading the SANS advisory).
> > >
> > >This would only affect Linux boxes running as DNS servers, Yes?  Hopefully
> > >the BIND daemon (if it is a daemon - more man pages reading to do) is also
> > >not default running on RH systems.
> > >
> > >-Jim
> > It is running by default on most distributions, BUT, the advisory about BIND
> > came out some time ago, and all of the major distros have released
> > patches.  If you are up to date on your security patches, you are OK.  If
> > you have gone through and shut off daemons you are not using, you are
> > OK.  Most people are vulnerable.  Especially the desktop users, who do not
> > take system administration seriously.
> 
> Grant,
> 
> I take it seriously, but I don't know which daemons to kill which affect
> me. What should I look for in my log files?  What are some simple grep
> stuff which can reduce what I look at?
> 
> I got "scanned" by someone and this is the /var/log/messages:
> 
> Mar 22 18:07:05 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 211.219.153.124/211.219.153.124 to TCP port: 53
> Mar 22 18:07:05 cullis portsentry[2603]: attackalert: External command run for host: 211.219.153.124 using command: "/some/path/here/script 211.219.153.124 53"
> Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via wrappers with string: "ALL: 211.219.153.124"
> Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via dropped route using command: "/sbin/route add -host 211.219.153.124 reject"
> 
> So, can anyone provide some newbie info?
> 
> Kevin
> 
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
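
For the question quoted above about cutting /var/log/messages down to what matters, here is an added example (not part of the original thread) that summarises portsentry "attackalert" entries by probed port and lists scanning hosts that were never blocked. The function names and the sample log are constructed for illustration, and it assumes each log entry sits on one line.

```shell
#!/bin/sh
# Added example: triage portsentry "attackalert" entries in a syslog file.
# Assumes one entry per line (mail clients may wrap them for display).
# Constructed sample: format and first host follow the quoted log; the other hosts are documentation addresses.
write_sample() {
cat > "$1" <<'EOF'
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 211.219.153.124/211.219.153.124 to TCP port: 53
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via wrappers with string: "ALL: 211.219.153.124"
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via dropped route using command: "/sbin/route add -host 211.219.153.124 reject"
Mar 22 19:40:11 cullis kernel: eth0: link up
Mar 23 02:14:40 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 53
Mar 23 02:14:40 cullis portsentry[2603]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Mar 23 09:31:02 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 111
EOF
}

# "<distinct hosts> <PROTO>/<port>" per probed port, busiest port first.
probed_ports() {
    awk '/portsentry.*attackalert: .* scan from host: / {
             for (i = 1; i < NF; i++) if ($i == "host:") {
                 n = split($(i + 1), h, "/")        # field is "name/ip"
                 print $(i + 3) "/" $(i + 5), h[n]  # e.g. "TCP/53 192.0.2.10"
             }
         }' "$1" |
    sort -u | awk '{ print $1 }' | sort | uniq -c |
    awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Scanning hosts that have no "has been blocked via" entry, one per line.
unblocked_scanners() {
    awk '/portsentry.*attackalert: .* scan from host: / {
             for (i = 1; i < NF; i++) if ($i == "host:") {
                 n = split($(i + 1), h, "/"); seen[h[n]] = 1
             }
         }
         /portsentry.*attackalert: Host .* has been blocked via / {
             for (i = 1; i < NF; i++) if ($i == "Host") blocked[$(i + 1)] = 1
         }
         END { for (ip in seen) if (!(ip in blocked)) print ip }' "$1" | sort
}

# Demo on the constructed sample; pass /var/log/messages instead on a real host.
log=$(mktemp) && write_sample "$log"
probed_ports "$log"
unblocked_scanners "$log"
rm -f "$log"
```

Several distinct hosts probing the same port, such as TCP 53 here, is the pattern to look at first; a host listed by `unblocked_scanners` means portsentry logged the scan but no block entry followed.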


