You were pretty quick. More than half of the other big ISPs were spewing until the afternoon. One is still going. Parliament and Virtualen sviat put on the biggest show. Parliament in particular had at least 3-4 machines, and once it pinned at 40+ MB, it kept blasting until the afternoon :).

Boyan Krosnov wrote:
> It was no disaster at all.
> Everything is under control.
>
> Times are Bulgarian (local time).
> 7:30 start of the attack, most likely by sending the worm to some ten thousand pre-checked MSSQL servers
> 7:31 the storm is at full strength; you cannot imagine how little time it took to spread. Some people who have packet dumps from that time say it took less than 30 seconds for their uplinks to saturate.
> 9:30 At LirexNet and BAN it is quiet, filters are in place on the internet links, and the traffic arriving over the peering links toward udp destination port 1434 is being logged without being dropped.
> 14:00 in Bulgaria it is already relatively quiet; the machines that were on fast links and infected are either disconnected from the network or filtered.
>
> How to fix the problem most easily.
> 1. put a filter for udp destination port 1434 on in and on out
> Cisco IOS:
> ip access-list ext mssql
> deny udp any gt 1023 any eq 1434
> permit ip any any
> iptables router:
> iptables -I FORWARD -p udp --sport 1023:65535 --dport 1434 -j DROP
>
> 2. reboot the infected computer (a restart of just the service might also do, but it is not certain you will succeed)
> 3. reinstall the machine the mssql was on, because the bug the worm uses has been known since June 2002, which means that for more than 6 months you could have been hacked with a public exploit. AND LEARN TO PATCH ON TIME. (should I use the occasion to say that you would do better to use some decent free database like postgresql or mysql, even on an OS like windows)
>
> In addition I will add a list of machines from which I received at least 4 packets resembling the worm (i.e. with length 404 bytes (ip 20 + udp 8 + payload 376), protocol udp, destination port 1434, source port anything other than 53(dns) and 161(snmp)).
>
> dump Sat Jan 25 12:23:20 2003 - Sat Jan 25 18:22:34 2003
> 193.109.55.8 67
> 193.110.217.150 10
> 193.193.163.6 10
> 194.141.69.142 5
> 194.141.70.70 4
> 195.34.103.39 14
> 195.34.113.122 10
> 195.34.96.26 20
> 195.34.96.35 363
> 195.34.96.8 85
> 212.116.128.148 4
> 212.116.151.239 60
> 212.124.71.104 9
> 212.36.10.136 4
> 212.36.27.122 14
> 212.36.3.129 23
> 212.36.3.20 11
> 212.36.3.26 7
> 212.50.10.166 6
> 212.72.214.59 8
> 213.169.56.55 9
> 213.169.62.41 11
> 213.226.4.234 13
> 217.145.160.129 7
> 217.197.134.122 94
> 217.75.128.36 4
> 217.79.34.120 7
> 217.9.226.114 12
> 217.9.226.174 5
> 62.176.115.53 4
> 62.213.161.130 17
> 80.72.65.101 39
> the number in the second column is the packet count.
>
> If anyone recognizes their own address, fix it quickly (if not done already). If anyone is interested in seeing packet dumps of the worm - write me a mail.
>
> BR,
> Boyan Krosnov, CCIE#8701
> http://boyan.ludost.net/
> Just another techie speaking for himself
>
>>-----Original Message-----
>>From: Anton Tinchev [mailto:[EMAIL PROTECTED]]
>>Sent: Saturday, January 25, 2003 6:57 PM
>>To: [EMAIL PROTECTED]
>>Subject: lug-bg: well, now we're screwed
>>
>>http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109
>>
>>============================================================================
>>A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
>>http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
>>To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
>>============================================================================
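As an added example that is not part of the thread: the packet signature Boyan gives (404 bytes total = 20 IP + 8 UDP + 376 payload, UDP to destination port 1434, source port other than 53 or 161) turned into a small detector that parses raw IPv4/UDP packets and reports the source addresses with at least 4 matches, which is the shape of the per-source count list above. The sample traffic is constructed inline from RFC 5737 documentation addresses and a zero-filled 376-byte filler payload, not a real dump; `build_udp_packet`, `looks_like_slammer` and `suspect_sources` are names chosen here, not tools from the thread.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# Signature as described in the thread: 20 (IP) + 8 (UDP) + 376 (payload) bytes.
SLAMMER_TOTAL_LEN = 404
SLAMMER_DPORT = 1434
EXCLUDED_SPORTS = {53, 161}   # DNS and SNMP replies toward port 1434 are legitimate noise
MIN_PACKETS = 4               # the thread lists sources with at least 4 matching packets


def build_udp_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP packet (constructed sample; checksums left at zero)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def looks_like_slammer(pkt):
    """Return the source IP as a string if the raw packet matches the signature, else None."""
    if len(pkt) < 28:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or ihl != 20:
        return None
    if total_len != SLAMMER_TOTAL_LEN or len(pkt) != SLAMMER_TOTAL_LEN:
        return None
    sport, dport, _, _ = struct.unpack("!HHHH", pkt[20:28])
    if dport != SLAMMER_DPORT or sport in EXCLUDED_SPORTS:
        return None
    return str(IPv4Address(src))


def suspect_sources(packets, min_packets=MIN_PACKETS):
    """Count matching packets per source and return sorted (ip, count) pairs at or above the threshold."""
    counts = Counter()
    for pkt in packets:
        src = looks_like_slammer(pkt)
        if src is not None:
            counts[src] += 1
    return sorted((ip, n) for ip, n in counts.items() if n >= min_packets)


# Constructed sample traffic (documentation addresses, filler payload, not a real dump).
_FILLER = bytes(376)
_DST = "198.51.100.1"
SAMPLE_PACKETS = (
    [build_udp_packet("192.0.2.10", _DST, 1200, 1434, _FILLER)] * 5     # matches, at threshold
    + [build_udp_packet("192.0.2.20", _DST, 1200, 1434, _FILLER)] * 2   # matches, below threshold
    + [build_udp_packet("192.0.2.30", _DST, 53, 1434, _FILLER)] * 6     # DNS source port, excluded
    + [build_udp_packet("192.0.2.40", _DST, 1200, 1434, bytes(100))] * 4  # wrong total length
    + [build_udp_packet("192.0.2.50", _DST, 1200, 1433, _FILLER)] * 4   # wrong destination port
)

if __name__ == "__main__":
    for ip, n in suspect_sources(SAMPLE_PACKETS):
        print(ip, n)
```

Only the 5-packet source survives the threshold; the DNS-sourced, short and wrong-port packets are dropped by the signature checks, and the 2-packet source by the count. Lowering `min_packets` to 1 surfaces the second source as well, which is the knob to turn when hunting for a freshly infected host that has only just started sending.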
