If anyone believes this is off topic for an IMail list, I apologize. I
happen to believe it is very much on topic considering the number of us
who run IMail on servers that also run IIS. Ron, you can correct me and
summarily punish me if I am incorrect.
I noticed my systems monitor server showed my IIS web services as
unavailable at 9:00 am yesterday but the IMail web services on that
machine were still available. I went to the server and ran my IIS
Management Console, only to see that all my web sites had Stopped. I
started the services again and went back to a meeting. A while later, I
got a page saying the web site was again unavailable. Again, the same
symptoms persisted. I rebooted and the machine stayed clean for a
little while, then did it again. At this point (given that IMail's web
service never stopped) I was sure it had to be an IIS attack of some sort.
I worked with my server until the end of my shift and beyond. Just
being the only pair of (weary) eyes, I was unable to find the strange
network traffic connecting to the server. I went home after shutting
down the IIS services.
This morning, the first alert I saw in my e-mail had been sent to me
last night by a colleague at another school system who (along with his
team) had found the problem and patch. A while after that e-mail, the
various security organizations had e-mailed the same info.
After patching up, I went to incidents.org and saw eEye's analysis of
the worm. The full analysis is available at
http://www.eeye.com/html/Research/Advisories/AL20010717.html
and was done by Ryan Permeh and Marc Maiffret of eEye Digital Security.
What follows is an excerpt from incidents.org's version of the analysis:
 1. Set up initial worm environment on infected system.
 2. Check: Is the number of threads = 100?
    If yes: go to step 7.
 3. Create a new thread. Give the thread an identical copy of the worm
    code (each thread will run through this identical sequence of events
    starting at step 2).
 4. Check: Does C:\notworm exist?
    If yes: go dormant.
 5. Check: Is the day of the month between 20 and 27 UTC, or later?
    If between: go to step 11.
    If later: sleep.
 6. Scan random IPs on port 80/tcp and attempt to infect others.
    If a data send completes successfully, go to step 4.
 7. Check: Is local system default language = English (US)?
    If no: go to step 4.
 8. Sleep for 2 hours.
 9. Attempt to modify infected system web pages in memory using
    "hooking" technique. Display "Hacked by Chinese" webpage for
    10 hours.
10. Return system to original state. Go to step 4.
11. Connect to www.whitehouse.gov on port 80.
    Perform 98304 (=0x18000) 1-byte sends to www.whitehouse.gov.
12. Sleep for 4.5 hours. Upon waking, go to step 11.
Hope this helps,
Curtis
Michael Abbott wrote:
> What problems did your system show? I have been experiencing problems with IIS.
> Web and FTP stopping for no reason.
>
> Michael
>
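As an added example (not code from this post, from eEye, or from the worm itself), the Python model below encodes the decision order of the quoted steps so a responder can tell which phase an infected IIS host would be in on a given UTC day. It performs no network activity; the host parameters are constructed inputs.

```python
"""Model of the Code Red control flow as summarised in the eEye steps.
Added example for incident-response timeline reasoning; performs no I/O."""

from dataclasses import dataclass

MAX_THREADS = 100                          # step 2: spawn until 100 threads
DDOS_FIRST_DAY, DDOS_LAST_DAY = 20, 27     # step 5: UTC day-of-month window
DDOS_TARGET = ("www.whitehouse.gov", 80)   # step 11
DDOS_SENDS = 0x18000                       # step 11: 98304 one-byte sends


@dataclass
class HostState:
    day_of_month: int      # UTC day on the infected host
    threads: int           # worm threads currently running
    notworm_exists: bool   # step 4: C:\notworm is the only host-side kill switch
    us_english: bool       # step 7: default system language is English (US)


def step4_onwards(s: HostState) -> str:
    """Steps 4-6: the common tail every thread returns to."""
    if s.notworm_exists:
        return "dormant"                                  # step 4
    if DDOS_FIRST_DAY <= s.day_of_month <= DDOS_LAST_DAY:
        return "ddos"                                     # step 5 -> 11/12 loop
    if s.day_of_month > DDOS_LAST_DAY:
        return "sleep"                                    # step 5: "later"
    return "scan"                                         # step 6: propagate


def thread_action(s: HostState) -> tuple[bool, str]:
    """(spawns_new_thread, next_action) for one worm thread, steps 2-11."""
    if s.threads >= MAX_THREADS:                          # step 2: yes -> step 7
        if s.us_english:
            return (False, "deface")                      # steps 8-10, then step 4
        return (False, step4_onwards(s))                  # step 7: no -> step 4
    return (True, step4_onwards(s))                       # step 3, then step 4


if __name__ == "__main__":
    # Constructed walk through the month for a US-English host at full thread count
    for day in range(17, 30):
        print(day, thread_action(HostState(day, MAX_THREADS, False, True)))
```

On 17 July (the day described above) every host is still in the scanning phase, which is why the symptom was stopped web sites rather than outbound traffic to the target.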
______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists