
Research on Active Worm Prevention Techniques in Large-Scale Networks (《大规模网络中蠕虫主动防治技术研究》) -- Using the DNS Service to Suppress Worm Propagation


DESCRIPTION

Research on Active Worm Prevention Techniques in Large-Scale Networks (《大规模网络中蠕虫主动防治技术研究》) -- Using the DNS Service to Suppress Worm Propagation. Author: Zheng Hui (郑辉). Date: 2003.12.22. Zheng Hui, Education and Research Network Emergency Response Team (CCERT), [email protected]. Contents: why choose the DNS service; methods of using the DNS service; overall system framework design; system implementation based on configured views; system implementation based on port forwarding; performance analysis and deployment results. Why choose the DNS service: most Internet applications use DNS; it speeds up the response of infected users.

  • Research on Active Worm Prevention Techniques in Large-Scale Networks -- Using the DNS Service to Suppress Worm Propagation (2003.12.22)

  • Zheng Hui, Education and Research Network Emergency Response Team (CCERT), [email protected]

  • Contents: why choose the DNS service; methods of using the DNS service; overall system framework design; system implementation based on configured views; system implementation based on port forwarding; performance analysis and deployment results

  • Why choose the DNS service: most Internet applications use DNS; it speeds up the response of infected users

  • DNS

  • Methods of using the DNS service: with BIND 9 views, the DNS server can hand out different answers depending on the client IP that sent the query

  • DNSDNSDNS

    DNS

  • DNSDNSDNSIPDNSIPDNSDNSDNSDNSDNSDNS

  • DNSDNSDNSDNSDNS

    DNS

  • Overall framework: the IDS detects infected IPs and passes them to the DNS server; DNS queries from those IPs are answered with the address of the Warning Information Server (WIS)

  • Because every name an infected IP resolves then points to the WIS, its HTTP (Web), Telnet, SMTP and POP3 connections all arrive at the WIS, which answers each with a warning

  • IDS configuration: the switch mirrors traffic to the sensor port, and a Snort rule flags the Nachi ICMP echo probe; the alert's source address is the infected IP:

    monitor session 1 source 9/1 destination 9/3

    alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Nachi"; content:"|aaaaaa|"; dsize:64; itype:8; offset:1; depth:6; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)

  • BIND 9 (con.): the ACL file /var/named/ip lists the infected IPs, and the zone file /var/named/fake.cn answers every name with the WIS address:

    /var/named/ip

    acl "fakeresponse" {
        202.112.50.214;   # the ip of one infected machine.
    };

    /var/named/fake.cn

    $TTL 600
    @       IN  SOA  ccert.edu.cn. hostmaster.ccert.edu.cn. (
                         2002031801   ; serial
                         28800        ; refresh
                         1800         ; retry
                         604800       ; expire
                         86400 )      ; minimum
            IN  NS   127.0.0.1
    *       IN  A    202.112.57.9    ; the ip of WIS

  • BIND 9 (#): named.conf pulls in the ACL and defines a view that serves the fake root zone only to clients matching it:

    include "ip";

    view "internal" {
        match-clients { "fakeresponse"; };
        zone "." in {
            type master;
            file "fake.cn";
        };
    };

    Once any view is defined, BIND 9 requires every zone to sit inside a view, so the normal recursive configuration for all other clients goes into a second view after this one (views are matched in order). Adding or removing an infected IP means editing the ACL file and reloading named.

  • WIS: the Warning Information Server stands in for the Internet services the infected host tries to reach (HTTP, Telnet, SMTP, POP3)

  • Telnet (con.): the fake telnetd is a shell script, saved as /root/DNS/Port23.sh, that prints the warning to whoever connects:

    #!/bin/sh
    ########################################################
    # Fake Telnetd for warning infected machines!          #
    #                                                      #
    # By Hui ZHENG. 2003.11.27                             #
    ########################################################
    echo "May be your machine have been infected by Nachi worm!"
    echo "Please download patch software from this site!"
    echo "http://ccert.tsinghua.edu.cn"

  • Telnet (con.): replace the real telnetd in xinetd's telnet service entry with the script:

    [root@spark root]# cd /etc/xinetd.d
    [root@spark xinetd.d]# cp telnet telnet.bak
    [root@spark xinetd.d]# vim telnet

  • Telnet (#): restart xinetd for the change to take effect:

    /etc/init.d/xinetd restart

  • POP3 (con.): the fake POP3d is an expect script, saved as /root/DNS/Port110.sh, that speaks just enough of the protocol to deliver one warning message:

    #!/usr/bin/expect
    ########################################################
    # Fake POP3d for warning infected machines!            #
    #                                                      #
    # By Hui ZHENG. 2003.12.10                             #
    ########################################################
    # Run from xinetd there is no spawned process: send writes to the client, expect reads from it.
    send "+OK Qpopper (version 4.0.5) at ccert.edu.cn starting. \r\n"
    expect {
        "USER" { send "+OK Password required for zhenghui.\r\n"; exp_continue }
        "PASS" { send "+OK zhenghui has 1 visible message in 575 octets.\r\n"; exp_continue }
        "STAT" { send "+OK 1 575\r\n"; exp_continue }
        "UIDL" { send -- "-ERR \r\n"; exp_continue }
        "TOP"  { send -- "-ERR \r\n"; exp_continue }
        "LIST" { send "+OK 1 visible messages 575 octets\r\n"; send "1 372\r\n"; send ".\r\n"; exp_continue }
        "RETR" {
            send "+OK 575 octets\r\n"
            send "From: [email protected]\r\n"
            send "Subject: warning\r\n\r\n"
            send "May be your computer was infected by Nachi worm!\r\n"
            send "Please download patch software from:\r\n"
            send "http://www.ccert.edu.cn\r\n"
            send ".\r\n"
            exp_continue
        }
        "DELE" { send "+OK \r\n"; exp_continue }
        # exit ends the script; xinetd then closes the connection
        "QUIT" { send "+OK Pop server at ccert.edu.cn signing off.\r\n"; exit }
    }

  • POP3 (con.): replace the real POP3 daemon in xinetd's ipop3 service entry with the script:

    [root@spark root]# cd /etc/xinetd.d
    [root@spark xinetd.d]# cp ipop3 ipop3.bak
    [root@spark xinetd.d]# vim ipop3

  • POP3 (#): restart xinetd for the change to take effect:

    /etc/init.d/xinetd restart

  • IPIPIPDNSDNSDNSIPDNSDNSHTTPWebTelnetSMTPPOP3

  • (con.)DNSIPIPIPIPDNSDNS

  • Port forwarding (#): the proof-of-concept program is written in Perl (Trans.pl); its header describes what it does:

    #!/usr/bin/perl -w
    #############################################
    # DNS isolation concept samples.            #
    #                                           #
    # Program Name: Trans.pl                    #
    #                                           #
    # Function Description:                     #
    # Listening on a port(53), as a DNS server, #
    # response normal DNS query. If client in   #
    # black list, a fake response packet given. #
    #                                           #
    # By zhenghui_at_ccert.edu.cn. 2003.10.29   #
    #############################################
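The body of Trans.pl is not on the slides. As an added example (not the author's Perl, written in Python here), the sketch below implements the behaviour the header describes: queries from blacklisted clients get an A answer pointing at the WIS, all other queries are relayed unchanged to a normal resolver. The blacklist, WIS and upstream addresses are constructed placeholders.

```python
import socket
import struct

# Constructed values (not from the slides): infected IPs, the WIS they are steered to, a hypothetical resolver.
BLACKLIST = {"192.0.2.10", "192.0.2.11"}
WIS_IP = "192.0.2.1"
UPSTREAM = ("192.0.2.53", 53)

def parse_question(packet):
    """Return (qname, qtype, end_offset) of the first question in a raw DNS query."""
    labels, pos = [], 12                  # the 12-byte header precedes the question
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5

def build_fake_response(query, wis_ip, ttl=600):
    """Answer an A query with the WIS address: the same effect as the slides'
    '*. IN A <WIS>' wildcard zone, built by hand here so it runs without BIND."""
    _qname, qtype, qend = parse_question(query)
    if qtype != 1:                        # only A queries are redirected
        return None
    # same transaction ID; flags 0x8180 = response, RD+RA, NOERROR; 1 question, 1 answer
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    # answer: name pointer 0xC00C (offset 12), type A, class IN, TTL, RDLENGTH 4, IPv4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(wis_ip)
    return header + query[12:qend] + answer

def handle(query, client_ip, forward):
    """Blacklisted clients get the fake answer; everyone else is served normally."""
    if client_ip in BLACKLIST:
        fake = build_fake_response(query, WIS_IP)
        if fake is not None:
            return fake
    return forward(query)

def forward_upstream(query):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(3)
        up.sendto(query, UPSTREAM)
        return up.recv(4096)

def serve(bind=("0.0.0.0", 53)):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:                           # single-threaded UDP loop, like Trans.pl on port 53
        data, client = sock.recvfrom(4096)
        sock.sendto(handle(data, client[0], forward_upstream), client)
```

Call serve() to listen; binding port 53 needs root and the upstream address must be a real resolver.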

  • DNS

  • DNSDNS

  • 1. DNS: daily series (Chart 2; the x-axis is the spreadsheet date serial, a second series labelled 95_254 is all zeros):

    37895: 686   37896: 674   37897: 648   37898: 653   37899: 711   37900: 746
    37901: 887   37902: 764   37903: 706   37904: 998   37905: 934   37906: 886
    37907: 904   37908: 916   37909: 931   37910: 901   37911: 892   37912: 812
    37913: 859   37914: 899   37915: 833   37916: 741   37917: 743   37918: 723
    37919: 615   37920: 636   37921: 683   37922: 671   37923: 704   37924: 736
    37925: 623   37926: 622   37927: 627   37928: 691   37929: 649   37930: 688
    37931: 654   37932: 646   37933: 631   37934: 656   37935: 658   37936: 609
    37937: 521   37938: 529   37939: 566   37940: 471   37941: 521   37942: 588
    37943: 645   37944: 699   37945: 633   37946: 615   37947: 523   37948: 570
    37949: 693   37950: 732   37951: 725   37952: 706   37953: 577   37954: 500
    37955: 484   37956: 448   37957: 435   37958: 449   37959: 421   37960: 424
    37961: 330   37962: 321

  • 2. Let I(k) be the number of infected IPs and B(k) the number of those IPs that reach the Warning Information Server (WIS); the response ratio is S = B(k)/I(k). The infected IPs are the ones listed in the DNS ACL.

  • 3. DNS: daily response ratio S = B(k)/I(k) (Chart 2, series b_I; date as spreadsheet serial):

    date     B(k)   I(k)   B(k)/I(k)
    37952    172    705    0.2439716312
    37953    141    576    0.2447916667
    37954    113    499    0.2264529058
    37955    121    483    0.2505175983
    37956    115    447    0.2572706935
    37957    111    434    0.2557603687
    37958     63    448    0.140625
    37959     73    420    0.1738095238
    37960     77    423    0.1820330969
    37961     71    329    0.2158054711
    37962     64    320    0.2

  • 4DNSWISIPDNSWISDNS

  • 5. DNS: within 3~4 days, 80% (Chart 1; columns labelled 1127, 1128 and 1129, rows are successive days 0..7):

    day   1127           1128           1129
    0     0.5581395349   0.5957446809   0.5575221239
    1     0.4011627907   0.4113475177   0.3539823009
    2     0.3313953488   0.3262411348   0.2566371681
    3     0.2674418605   0.2765957447   0.185840708
    4     0.226744186    0.1914893617   0.1592920354
    5     0.1860465116   0.170212766    0.1327433628
    6     0.1511627907   0.1276595745   0.1327433628
    7     0.1220930233   0.0780141844   0.0530973451


  • Thanks !