Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET

Craig White craigwhite@azapple.com
Fri, 23 Mar 2001 20:42:09 -0700


> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Rick
> Rosinski
> Sent: Friday, March 23, 2001 12:15 PM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE
> INTERNET
>
>
> Would this affect a Slackware 7.x system?  I noticed that I don't
> have any "bind" in my paths.
>
---
Try typing (as root) "ps aux|less" and scroll up and down to see if "named"
is running. This will tell for sure.

I can't imagine any reason for named/bind to be installed on any workstation
configuration, as it is strictly a network server daemon. If you are running
Linux as a masquerade/firewall/router box, you may have installed bind -
if you did, you surely should know whether it is installed or not.

Only 2 scenarios here. 1 is that you plan to provide domain name services to
the public internet, in which case you had better get up to speed on bind, get up to
date, and spend a lot of time learning how to chroot, because it is probably
more a question of when it gets hacked than if it gets hacked.

Scenario 2 is that you are providing DNS services to a local LAN, in which
case you MUST block the DNS packets from coming through your firewall...

on the 2.2-xxx kernel

/sbin/ipchains -A input -i (public ethernet interface) -p tcp -s 0.0.0.0/0 -d (public ipaddress) domain -j REJECT   (or -j DENY)

and also

/sbin/ipchains -A input -i (public ethernet interface) -p udp -s 0.0.0.0/0 -d (public ipaddress) domain -j REJECT   (or -j DENY)

Replace (public ethernet interface) with eth0, eth1, whichever is appropriate.
Replace (public ipaddress) with your public/internet IP address.
You need to block both TCP & UDP because DNS packets can be either.

As one who has experienced bind exploits, I speak from experience.

Craig
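An added example, not part of Craig's mail: a small POSIX shell script that answers the two practical questions in the thread, whether a DNS (port 53) listener is present on the box, parsed here from constructed `netstat -lnp` style lines, and what the two ipchains rules (TCP and UDP) look like for a given public interface and address. The interface name eth0 and the address 203.0.113.5 are placeholders.

```shell
#!/bin/sh
# Constructed sample of "netstat -lnp" output (not captured from a real host):
# two named listeners on port 53 and an unrelated sshd listener.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      412/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           412/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      300/sshd'

# Print "proto address" for every socket bound to port 53 (the local
# address is field 4 of netstat's output). A 0.0.0.0 bind means named is
# reachable on every interface, including the public one.
dns_listeners() {
    printf '%s\n' "$1" | awk '$4 ~ /:53$/ { sub(/:53$/, "", $4); print $1, $4 }'
}

# Emit the two ipchains rules from the mail, one for tcp and one for udp,
# for public interface $1 and public address $2. The address gets a rough
# dotted-quad sanity check so a typo does not produce a rule matching nothing.
ipchains_dns_block_rules() {
    iface=$1
    addr=$2
    case $addr in
        *[!0-9.]*|.*|*.|*..*)
            echo "bad address: $addr" >&2
            return 1 ;;
    esac
    for proto in tcp udp; do
        echo "/sbin/ipchains -A input -i $iface -p $proto -s 0.0.0.0/0 -d $addr domain -j REJECT"
    done
}

dns_listeners "$SAMPLE_NETSTAT"
ipchains_dns_block_rules eth0 203.0.113.5
```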