
Re: [cobalt-users] Re: WORM PROPATATION at port 1433/1434



I installed the pkg file and tried to run it and got this error.

[root init.d]# ./ipchains start
./ipchains: /etc/init.d/functions: No such file or directory

Guess my question is two part:
I thought the PKG file actually created the needed directories and files.
Since the directories are not there, where are the files it loads as its
config file?

Second, how does one "uninstall" this pkg file?

----- Original Message ----- 
From: "Bruce Timberlake" <bruce@xxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, November 18, 2003 11:32 PM
Subject: [cobalt-users] Re: WORM PROPATATION at port 1433/1434


> >      Our server is cobalt raq4r. We have installed *snort* at the server.. But
> > today suddenly load started to increase and we found too many *httpd* processes
> > are running. Load went too high. Finally we were able to stop the httpd.
> > Then we stopped the *snort*.. Load came down and luckily we were able to save
> > the server from crashing...
> >
> >      We found in the *snort* log file the following messages.. It is an attempt
> > of /WORM PROPATATION/ . How could we save our server? We did not keep the
> > 1434/1433 ports open in our server. Basically we are not using these ports at
> > all..
> >
> >       Could anyone suggest how we could start snort so that the system does
> > not get affected due to load etc... But what we feel is that due to the too
> > much traffic the load went too high. Do you think the load went high because
> > snort was detecting the messages?
>
> I don't know if snort was the problem or not. I use ipchains on my RaQ
> 4r to block/log all 1433/1434 attempts even though they won't affect my
> server.  If you don't have ipchains installed, there's a PKG at
> http://www.cobaltfaqs.com/ in the "RaQ 3 and RaQ 4 downloads" section.
>
> My ipchains rules live in /etc/rc.d/init.d/firewall (remember to set the
> file executable with "chmod +x"), and is symlinked to
> /etc/rc.d/rc3.d/S01firewall to autostart the "firewall" with each server
> boot. By using S01firewall as the name, it's set to be first in the boot
> sequence to ensure packet blocking happens as soon as possible.
>
> The top of my ipchains file (with relevant rules for your issue) is:
>
> ### START OF FILE ###
>
> # IP Fragmentation Protection
> echo 1 > /proc/sys/net/ipv4/ip_always_defrag
>
> # IP Bogus Error Response Protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> # Set a variable for where this lives. Easier to change
> # in the future if needed...
> IPCHAINS=/sbin/ipchains
>
> # First we'll flush the chains
> $IPCHAINS -F input
>
> # Allow everything outbound. Some may disagree with this...
> $IPCHAINS -A output -i eth0 -s 0/0            -d 0/0    -j ACCEPT
>
> # Allow everything in and out on localhost
> $IPCHAINS -A input  -i lo   -s 0/0            -d 0/0    -j ACCEPT
> $IPCHAINS -A output -i lo   -s 0/0            -d 0/0    -j ACCEPT
>
> # Deny spoofed networks from the outside world
> $IPCHAINS -A input  -i eth0 -s 10.0.0.0/8     -d 0/0    -j DENY
> $IPCHAINS -A input  -i eth0 -s 127.0.0.0/8    -d 0/0    -j DENY
> $IPCHAINS -A input  -i eth0 -s 172.16.0.0/12  -d 0/0    -j DENY
> $IPCHAINS -A input  -i eth0 -s 192.168.0.0/16 -d 0/0    -j DENY
>
> # Allow the server's own IP addresses
> # List each IP assigned to the RaQ, one per line, here
> $IPCHAINS -A input  -i eth0 -s xxx.xxx.xxx.xxx -j ACCEPT
> $IPCHAINS -A input  -i eth0 -s xxx.xxx.xxx.xxx -j ACCEPT
>
> # Then start adding the IPs and ports to block
> # -A <chain>            add this rule to chain <chain>
> # -i <ethx>             enforce rule on interface <ethx>
> # -s ip.ad.re.ss        source IP address
> # -p [tcp|udp]          type of packets
> #
> # ! x                   anything but port x
> # x:y                   from port x to port Y
> #
> # -l                    log any action
> # -j <action>           jump to action
>
> # TFTP
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 69        -p tcp  -l -j DENY
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 69        -p udp  -l -j DENY
>
> # MSSQL worm
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 1433:1434 -p udp  -l -j DENY
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 1433:1434 -p tcp  -l -j DENY
>
> # NetBIOS
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 137:139   -p tcp  -j DENY
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 137:139   -p udp  -j DENY
>
> # RPC "worm" (CERT 2003-19)
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 135       -p tcp  -j DENY
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 135       -p udp  -j DENY
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 445       -p tcp  -j DENY
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 445       -p udp  -j DENY
> $IPCHAINS -A input -i eth0 -s 0/0 -d 0/0 4444      -p tcp  -l -j DENY
>
>
> ipchains output (anything with a "-l" switch creates a log entry) is in
> /var/log/kernel.
>
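As an added example (not code from Bruce's post or from the cobaltfaqs PKG), here is a small sh script that reads the kernel log entries the "-l" rules above produce and summarises 1433/1434 attempts per source IP, so you can see who is hammering the worm ports without scrolling /var/log/kernel by hand. The "Packet log:" line layout is assumed from ipchains' logging format, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not code from the list post): summarise ipchains DENY entries
# for the MSSQL worm ports 1433/1434 out of a kernel log such as /var/log/kernel.
# Assumed line layout (ipchains "Packet log:" format):
#   ... Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...

# Constructed sample lines standing in for /var/log/kernel.
sample_log() {
    cat <<'EOF'
Nov 19 03:12:01 raq kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:1039 203.0.113.5:1434 L=404 S=0x00 I=12345 F=0x0000 T=110 (#14)
Nov 19 03:12:02 raq kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3107 203.0.113.5:1433 L=48 S=0x00 I=12346 F=0x4000 T=110 (#15)
Nov 19 03:12:05 raq kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.44:1180 203.0.113.5:1434 L=404 S=0x00 I=777 F=0x0000 T=98 (#14)
Nov 19 03:12:09 raq kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:4321 203.0.113.5:4444 L=48 S=0x00 I=778 F=0x4000 T=98 (#21)
Nov 19 03:12:11 raq kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:1040 203.0.113.5:1434 L=404 S=0x00 I=12350 F=0x0000 T=110 (#14)
EOF
}

# worm_hits_by_source: read log text on stdin and print "<count> <source-ip>"
# for every source denied on destination port 1433 or 1434, busiest first.
# Other denied ports (e.g. the 4444 rule) are deliberately not counted.
worm_hits_by_source() {
    awk '
        /Packet log: .* DENY / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) {
                    split($(i + 1), src, ":")   # source ip:port
                    split($(i + 2), dst, ":")   # destination ip:port
                    if (dst[2] == "1433" || dst[2] == "1434")
                        hits[src[1]]++
                    break
                }
            }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# noisy_sources MIN: source IPs with at least MIN worm-port hits, one per line,
# handy for a daily report of which networks keep scanning.
noisy_sources() {
    worm_hits_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run over the constructed sample; on a live RaQ use
# worm_hits_by_source < /var/log/kernel instead.
sample_log | worm_hits_by_source
```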