Re: lug-bg: well, now it's properly fucked
- Subject: Re: lug-bg: well, now it's properly fucked
- From: atl@xxxxxxxxxxx (Anton Tinchev)
- Date: Sun, 26 Jan 2003 09:39:05 +0100
You're pretty quick.
More than half of the other big ISPs were spewing until the afternoon.
One is still going.
Parliament and Virtualen sviat put on the biggest show.
Parliament in particular had at least 3-4 machines, and once it pegged
at 40+MB it blasted away right up to the afternoon :).
Boyan Krosnov wrote:
> It's not fucked at all.
> Everything is under control.
>
> Times are Bulgarian (local).
> 7:30 start of the attack, most likely by sending the worm to some ten
> thousand pre-checked mssql servers
> 7:31 the storm is at full strength; you can't imagine how little time
> it took to spread. Some people who have packet dumps from that time say
> it took less than 30 seconds for their backbone links to fill up.
> 9:30 LirexNet and BAN are quiet; filters have been put on the internet
> links, and traffic arriving over the peering links to udp destination
> port 1434 is being logged without being dropped.
> 14:00 Bulgaria is relatively quiet by now; the machines that were on
> fast links and infected have either been disconnected from the network
> or filtered.
>
> How to fix the problem most easily.
> 1. put a filter for udp destination port 1434 on in and on out
> Cisco IOS:
> ip access-list extended mssql
>  deny udp any gt 1023 any eq 1434
>  permit ip any any
> iptables router:
> # source range 1024:65535 is the same match as the ACL's "gt 1023"
> iptables -I FORWARD -p udp --sport 1024:65535 --dport 1434 -j DROP
>
> 2. restart the infected computer (restarting the service might also
> do, but it's not certain you'll manage)
> 3. reinstall the machine mssql was on, because the bug the worm uses
> has been known since June 2002, which means that for more than 6 months
> you could have been hacked with a public exploit. AND LEARN TO PATCH ON
> TIME. (shall I use the occasion to say that you'd better use some decent
> free database like postgresql or mysql, even on an OS like windows)
>
> In addition I'll add a list of machines from which I received at least 4
> packets resembling the worm (i.e. with length 404 bytes (ip 20 + udp 8 +
> payload 376), protocol udp, destination port 1434, source port anything
> other than 53 (dns) and 161 (snmp)).
>
> dump Sat Jan 25 12:23:20 2003 - Sat Jan 25 18:22:34 2003
> 193.109.55.8 67
> 193.110.217.150 10
> 193.193.163.6 10
> 194.141.69.142 5
> 194.141.70.70 4
> 195.34.103.39 14
> 195.34.113.122 10
> 195.34.96.26 20
> 195.34.96.35 363
> 195.34.96.8 85
> 212.116.128.148 4
> 212.116.151.239 60
> 212.124.71.104 9
> 212.36.10.136 4
> 212.36.27.122 14
> 212.36.3.129 23
> 212.36.3.20 11
> 212.36.3.26 7
> 212.50.10.166 6
> 212.72.214.59 8
> 213.169.56.55 9
> 213.169.62.41 11
> 213.226.4.234 13
> 217.145.160.129 7
> 217.197.134.122 94
> 217.75.128.36 4
> 217.79.34.120 7
> 217.9.226.114 12
> 217.9.226.174 5
> 62.176.115.53 4
> 62.213.161.130 17
> 80.72.65.101 39
> The number in the second column is the packet count.
>
> If anyone recognises an address of theirs, fix it quickly (if not done
> already). If anyone wants to see packet dumps of the worm, mail me.
>
> BR,
> Boyan Krosnov, CCIE#8701
> http://boyan.ludost.net/
> Just another techie speaking for himself
>
>
>
>>-----Original Message-----
>>From: Anton Tinchev [mailto:atl@xxxxxxxxxxx]
>>Sent: Saturday, January 25, 2003 6:57 PM
>>To: lug-bg@xxxxxxxxxxxxxxxxxx
>>Subject: lug-bg: well, now it's properly fucked
>>
>>
>>http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109
>>
>
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
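The two checks Boyan's reply describes, his access-list/iptables filter (UDP, source port above 1023, destination port 1434) and the fingerprint he used to build the per-source list (404-byte UDP datagram, 20 IP + 8 UDP + 376 payload, destination port 1434, source port neither 53 nor 161, at least 4 packets per source), as an added Python example that is not part of the original thread and not Boyan's code. The packets it runs on are constructed inline with RFC 5737 documentation addresses and filler payload bytes; the real worm payload is not reproduced, and the function names are the example's own.

```python
import socket
import struct
from collections import Counter

# Constants from the post: the worm packet is 20 IP + 8 UDP + 376 payload
# = 404 bytes, UDP, destination port 1434.
IPPROTO_UDP = 17
MSSQL_MONITOR_PORT = 1434
WORM_TOTAL_LEN = 404
WORM_PAYLOAD_LEN = 376
EXCLUDED_SPORTS = (53, 161)  # dns and snmp source ports are not counted as worm traffic


def parse_ipv4_udp(pkt):
    """Decode the IPv4 and UDP headers of a raw datagram.

    Returns a dict with src_ip, sport, dport, total_len (from the IP header)
    and payload_len (from the UDP length field), or None if the bytes are
    not a complete IPv4/UDP datagram.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IPPROTO_UDP or len(pkt) < ihl + 8:
        return None
    sport, dport, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return {
        "src_ip": socket.inet_ntoa(pkt[12:16]),
        "sport": sport,
        "dport": dport,
        "total_len": total_len,
        "payload_len": udp_len - 8,
    }


def acl_denies(pkt):
    """Same match as 'deny udp any gt 1023 any eq 1434' (and the iptables rule):
    any UDP with source port above 1023 to port 1434, regardless of length."""
    p = parse_ipv4_udp(pkt)
    return p is not None and p["sport"] > 1023 and p["dport"] == MSSQL_MONITOR_PORT


def looks_like_worm(pkt):
    """The fingerprint the post used to build its per-source list."""
    p = parse_ipv4_udp(pkt)
    return (
        p is not None
        and p["dport"] == MSSQL_MONITOR_PORT
        and p["sport"] not in EXCLUDED_SPORTS
        and p["total_len"] == WORM_TOTAL_LEN
        and p["payload_len"] == WORM_PAYLOAD_LEN
    )


def suspect_sources(pkts, min_packets=4):
    """Count worm-looking packets per source IP and keep the sources at or
    above the threshold (the post listed sources with at least 4 packets)."""
    counts = Counter(parse_ipv4_udp(p)["src_ip"] for p in pkts if looks_like_worm(p))
    return {ip: n for ip, n in sorted(counts.items()) if n >= min_packets}


def build_udp(src_ip, sport, dport, payload, dst_ip="192.0.2.1"):
    """Build a minimal IPv4/UDP datagram (checksums left zero, which is
    enough for parsing). Used only to construct sample input for this example."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    return ip + udp


# Constructed sample traffic: documentation addresses, filler payload bytes.
FILLER = b"\x01" * WORM_PAYLOAD_LEN
SAMPLE = (
    [build_udp("198.51.100.7", 4444 + i, 1434, FILLER) for i in range(4)]  # 4 worm-sized
    + [build_udp("198.51.100.9", 2222, 1434, FILLER) for _ in range(2)]    # 2, below threshold
    + [build_udp("192.0.2.10", 3000, 1434, b"\x02")]                      # short client query
    + [build_udp("192.0.2.53", 53, 1434, FILLER)]                         # sport 53: skipped by both
)

if __name__ == "__main__":
    for pkt in SAMPLE:
        p = parse_ipv4_udp(pkt)
        print(p["src_ip"], p["sport"], "acl_deny=%s worm=%s" % (acl_denies(pkt), looks_like_worm(pkt)))
    print("suspects:", suspect_sources(SAMPLE))
```

Running it shows the trade-off of the blanket port filter: the ACL match also drops the short, ordinary client query to 1434 from 192.0.2.10, while the length-based fingerprint keeps the per-source list to worm-sized packets only, and the source-port-53 packet is left alone by both, exactly as the post's rules are written.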