Nothing has gone to hell at all.
Everything is under control.

Times are Bulgarian (local).
7:30 start of the attack, most likely by sending the worm to some ten
thousand pre-checked MSSQL servers.
7:31 the storm is in full force; you cannot imagine how little time it
took to spread. Some people who have packet dumps from that time say it
took less than 30 seconds for their backbone links to fill up.
9:30 In LirexNet and BAN it is quiet: filters are in place on the Internet
links, and traffic arriving over the peering links to UDP destination port
1434 is being logged without being dropped.
14:00 in Bulgaria it is already relatively quiet; the machines that were
on fast links and infected are either disconnected from the network or
filtered.

How to fix the problem most easily.
1. Put a filter for UDP destination port 1434 on in and on out
Cisco IOS (the list still has to be applied to the Internet-facing
interface with "ip access-group mssql in" and "ip access-group mssql out";
no interface name is given here):
  ip access-list ext mssql
    ! drop UDP from any source port above 1023 to destination port 1434
    ! (as written, worm packets with a source port of 1023 or below pass)
    deny udp any gt 1023 any eq 1434
    ! everything else passes
    permit ip any any
iptables router:
  # drop forwarded UDP from source ports 1023-65535 to destination port 1434
  iptables -I FORWARD -p udp --sport 1023:65535 --dport 1434 -j DROP

2. Restart the infected computer (restarting the service might also work,
but it is not certain you would succeed).
3. Reinstall the machine the MSSQL was on, because the bug the worm uses
has been known since June 2002, which means that for more than 6 months
you could have been hacked with a public exploit. AND LEARN TO PATCH ON
TIME. (Should I use the occasion to say that you would do better to use
some decent free database like postgresql or mysql, even on an OS like
windows?)

In addition I am adding a list of machines from which I have received at
least 4 packets resembling the worm (i.e. with length 404 bytes (IP 20 +
UDP 8 + payload 376), protocol UDP, destination port 1434, source port
anything other than 53 (DNS) and 161 (SNMP)).

dump    Sat Jan 25 12:23:20 2003  - Sat Jan 25 18:22:34 2003
193.109.55.8 67
193.110.217.150 10
193.193.163.6 10
194.141.69.142 5
194.141.70.70 4
195.34.103.39 14
195.34.113.122 10
195.34.96.26 20
195.34.96.35 363
195.34.96.8 85
212.116.128.148 4
212.116.151.239 60
212.124.71.104 9
212.36.10.136 4
212.36.27.122 14
212.36.3.129 23
212.36.3.20 11
212.36.3.26 7
212.50.10.166 6
212.72.214.59 8
213.169.56.55 9
213.169.62.41 11
213.226.4.234 13
217.145.160.129 7
217.197.134.122 94
217.75.128.36 4
217.79.34.120 7
217.9.226.114 12
217.9.226.174 5
62.176.115.53 4
62.213.161.130 17
80.72.65.101 39
The number in the second column is the packet count.

If anyone recognises their own address, fix it quickly (if you haven't
already). If anyone is interested in seeing packet dumps of the worm, mail me.

BR,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
Just another techie speaking for himself


> -----Original Message-----
> From: Anton Tinchev [mailto:[EMAIL PROTECTED]] 
> Sent: Saturday, January 25, 2003 6:57 PM
> To: [EMAIL PROTECTED]
> Subject: lug-bg: now it's gone to hell
> 
> 
> http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109
> 
> ============================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
> http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
> To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
> ============================================================================
> 
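The signature the post uses to build its list (UDP, destination port 1434, IP total length 404 = 20 IP + 8 UDP + 376 payload, source port anything except 53 and 161, at least 4 such packets per source) can be checked mechanically against a packet dump. The following is an added example, not code from the original post or from its author: a dependency-free pcap reader that applies that signature and reports sources over the threshold. The sample traffic is constructed inline with RFC 5737 test addresses (192.0.2.0/24, 198.51.100.0/24), the helper names are the example's own, and the 376-byte payload is filler, since the post's rule only looks at the length.

```python
# Added example (not from the original post): count, per source IP, the packets
# in a pcap that match the worm signature described in the post (UDP, destination
# port 1434, IP total length 404 = 20 IP + 8 UDP + 376 payload, source port
# anything except 53 and 161), and list sources with at least 4 hits.
# The sample traffic below is constructed inline with RFC 5737 test addresses.
import struct
from collections import Counter

SIG_DST_PORT = 1434
SIG_IP_TOTAL_LEN = 404            # 20 IP + 8 UDP + 376 payload
SIG_EXCLUDED_SPORTS = {53, 161}   # DNS and SNMP replies are not the worm
MIN_HITS = 4


def matches_signature(frame):
    """Return the source IP if an Ethernet frame matches the signature, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                     # too short or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17 or ihl != 20 or total_len != SIG_IP_TOTAL_LEN:
        return None                     # not UDP, has IP options, or wrong length
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if dport != SIG_DST_PORT or sport in SIG_EXCLUDED_SPORTS:
        return None
    return ".".join(str(b) for b in ip[12:16])


def iter_pcap_frames(data):
    """Yield captured frames from a classic (non-pcapng) pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                            # skip the global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def suspect_sources(pcap_bytes, min_hits=MIN_HITS):
    """Map source IP -> matching packet count, keeping sources at or above min_hits."""
    counts = Counter()
    for frame in iter_pcap_frames(pcap_bytes):
        src = matches_signature(frame)
        if src is not None:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_hits}


# --- constructed sample traffic (built here for the example, not capture data) ---
def build_udp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame; checksums are left zero, which the parser ignores."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + udp_hdr + payload


def build_pcap(frames, linktype=1):
    """Classic little-endian pcap holding the given frames (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1043497400 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


WORM_SIZED = b"\x04" + b"\x01" * 375     # 376 bytes of filler; only the length is checked
SAMPLE_FRAMES = (
    # 5 worm-sized packets from one source: over the threshold
    [build_udp_frame("192.0.2.10", "198.51.100.%d" % i, 1025 + i, 1434, WORM_SIZED)
     for i in range(5)]
    # 3 from another source: under the threshold
    + [build_udp_frame("192.0.2.20", "198.51.100.9", 4000, 1434, WORM_SIZED)
       for _ in range(3)]
    # worm-sized but from source port 53: excluded as a DNS reply
    + [build_udp_frame("192.0.2.30", "198.51.100.9", 53, 1434, WORM_SIZED)
       for _ in range(6)]
    # a normal 1-byte SQL Server Resolution query: wrong length
    + [build_udp_frame("192.0.2.40", "198.51.100.9", 3000, 1434, b"\x02")
       for _ in range(6)]
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for src, n in sorted(suspect_sources(SAMPLE_PCAP).items()):
        print(src, n)
```

To run it over a real capture, replace SAMPLE_PCAP with the bytes of a tcpdump/pcap file captured on an Ethernet interface; the reader handles both byte orders of the classic format but not pcapng, and IPv4 packets with options are deliberately rejected because the post's 404-byte figure assumes a 20-byte IP header.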
