Message Board -  Archive

[ Login ] [ Create Account ]
[ Board List ] [ View Board ] [ Post Reply ]
  Author  Subject: Re: Lion worm
Archive  

Posted on 04-19-2001 01:57 a.m. ET  reply

Original Poster: Mark Krentel

> The Lion worm is similar to the Ramen worm. However, this worm is
> significantly more dangerous and should be taken very seriously. It
> infects Linux machines running the BIND DNS server.

Before anyone panics too much, let me point out that this attacks the
DNS SERVER, not the client, and thus the vast majority of Linux users
are not affected. Most home users have no need to run the server
(named) and should not be running it. The SyrLUG web server doesn't
even run named.

So, rather than running the lionfind script, you're better off just
checking that you're not accidentally running named. The server is
called "named" (pronounced "name-dee", d for daemon), and you can see
if it's running with "ps auxww", or "ps auxww | grep name". You can
change which servers are started at boot time with "ntsysv".

For RPM-based systems, try "rpm -qa" to see a list of all installed
packages. The server package is usually called "bind" (Berkeley
Internet Name Daemon). The "bind-utils" package contains clients
(nslookup, dig) and should be ok.

--Mark

< Previous 1 Next >

Site Contents