[43415] in Hotline Meeting


another named attack

daemon@ATHENA.MIT.EDU (Jonathon Weiss)
Sun May 17 12:04:39 1998

From: Jonathon Weiss <jweiss@MIT.EDU>
To: cfyi@MIT.EDU, dcns-cluster@MIT.EDU, hotline@MIT.EDU, helpstaff@MIT.EDU
Cc: ops@MIT.EDU, network@MIT.EDU
Date: Sun, 17 May 1998 12:04:34 EDT


It would appear that there was another attack on named this AM.
Here's the message I sent out last time, in case anyone needs a
reminder on how to fix machines.

	Jonathon




[9133] daemon@ATHENA.MIT.EDU (Jonathon Weiss)  Consulting_FYI  04/28/98 08:31 (51 lines)
Subject: attack on named breaking cluster machines
From: Jonathon Weiss <jweiss@MIT.EDU>
To: cfyi@MIT.EDU, dcns-cluster@MIT.EDU, hotline@MIT.EDU, helpstaff@MIT.EDU
Cc: ops@MIT.EDU, network@MIT.EDU
Date: Tue, 28 Apr 1998 08:31:55 EDT


Helpdesk folks: see note about non-Athena machines at the bottom.

Apparently, there was a fairly widescale attack on MITnet last night.
The attack caused the named program on many cluster workstations to
die.  Workstations depend on their named for several things, including
name service and hesiod.  In turn the workstations depend on hesiod
to figure out which system packs to attach.  As a result, you may see
some complaints about users being unable to log into Athena
workstations, probably with an error that says something about a
network failure.

There are a couple of ways to correct the problem:

The easiest solution is to simply reboot the machine.

However, there may be some reason not to reboot a given machine, in
which case you should hit control-P at the xlogin window to get a
console login prompt and log in as root (the machine may appear to
hang for a minute as it times out on a nameservice query).  Once you
get logged in, you should restart named using the appropriate command
for the OS of the particular machine you're dealing with.

Solaris:	/usr/sbin/in.named
IRIX:		/usr/sbin/named
NetBSD:		/usr/sbin/named
Linux:		/usr/sbin/named
Ultrix:		/etc/named

and then reactivate the machine by running:

/etc/athena/reactivate

(If there are people logged into the machine remotely, you want to
skip this step, because it may log them out, and the system packs are
probably still attached anyway.)

Helpdesk: You're likely to get questions from owners of non-Athena
machines that were attacked.  For those machines, it is probably
sufficient to log in as root and restart named.

Note that none of this will prevent a similar attack from occurring
again.

	Jonathon

--[9133]--
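The recovery steps in the quoted message (pick the right named binary for the OS, restart it only if it is dead, run /etc/athena/reactivate unless remote users are logged in) written up as a script. This is an added example, not a script from the original messages or from Athena; it assumes `uname -s` reports SunOS for Solaris, IRIX or IRIX64, NetBSD, Linux, or ULTRIX, and that remote logins show the originating host in parentheses in `who` output.

```shell
#!/bin/sh
# Added example: restart a dead named and reactivate, following the note.
# Assumed uname -s values (not stated in the note): SunOS, IRIX/IRIX64,
# NetBSD, Linux, ULTRIX.

# Map the kernel name to the named binary listed in the note's table.
named_path_for() {
    case "$1" in
        SunOS)       echo /usr/sbin/in.named ;;   # Solaris
        IRIX|IRIX64) echo /usr/sbin/named ;;
        NetBSD)      echo /usr/sbin/named ;;
        Linux)       echo /usr/sbin/named ;;
        ULTRIX)      echo /etc/named ;;
        *)           return 1 ;;                  # unknown OS: do nothing
    esac
}

# Count logins from another host, reading `who` output on stdin.
# Assumed format: remote sessions carry "(hostname)" at the end of the line.
count_remote_logins() {
    grep -c '(' || true
}

# Is a named process alive? Try SysV-style ps first, then BSD-style.
named_running() {
    { ps -e 2>/dev/null || ps ax 2>/dev/null; } | grep -q '[n]amed'
}

recover_named() {
    os=$(uname -s)
    bin=$(named_path_for "$os") || { echo "unknown OS: $os" >&2; return 2; }
    if named_running; then
        echo "named already running; nothing to do"
        return 0
    fi
    echo "restarting $bin"
    "$bin" || return 1
    sleep 2                      # let the daemon settle, then confirm it stayed up
    named_running || { echo "named did not stay up" >&2; return 1; }
    # The note says reactivate may log out remote users, so skip it if any exist.
    if [ "$(who | count_remote_logins)" -gt 0 ]; then
        echo "remote users logged in; skipping /etc/athena/reactivate"
    else
        /etc/athena/reactivate
    fi
}

# Only act when invoked as: sh recover_named.sh --run (needs root).
if [ "${1:-}" = --run ]; then recover_named; fi
```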
