If IIS had been patched as per Microsoft's security bulletin (June
18th, 2001), you would not have been affected.
Maybe this incident will teach the IT admins a lesson: take security
seriously and patch servers as soon as vulnerabilities are found. If admins
had patched servers when the advisory was released, this would have
been a non-issue.
Subscribe to Microsoft's security bulletin at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
and patch servers when vulnerabilities are found. You may also want to
subscribe to CERT's list for advisories at
http://www.cert.org/contact_cert/certmaillist.html.
Just my 2c
Peter Verzoni
----- Original Message -----
From: "Curtis Faulkner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 20, 2001 9:56 AM
Subject: Re: [imail] If you are running IIS read this.
> If anyone believes this is off topic for an IMail list, I apologize. I
> happen to believe it is very much on topic considering the number of us
> who run IMail on servers that also run IIS. Ron, you can correct me and
> summarily punish me if I am incorrect.
>
> I noticed my systems monitor server showed my IIS web services as
> unavailable at 9:00 am yesterday but the IMail web services on that
> machine were still available. I went to the server and ran my IIS
> Management Console, only to see that all my web sites had Stopped. I
> started the services again and went back to a meeting. A while later, I
> got a page saying the web site was again unavailable. Again, the same
> symptoms persisted. I rebooted and the machine stayed clean for a
> little while, then did it again. At this point (given that IMail's web
> service never stopped) I was sure it had to be an IIS attack of some sort.
>
> I worked with my server until the end of my shift and beyond. Just
> being the only pair of (weary) eyes, I was unable to find the strange
> network traffic connecting to the server. I went home after shutting
> down the IIS services.
>
> This morning, the first alert I saw in my e-mail had been sent to me
> last night by a colleague at another school system who (along with his
> team) had found the problem and patch. A while after that e-mail, the
> various security organizations had e-mailed the same info.
>
> After patching up, I went to incidents.org and saw eEye's analysis of
> the worm. The full analysis is available at
> http://www.eeye.com/html/Research/Advisories/AL20010717.html
> and was done by Ryan Permeh and Marc Maiffret of eEye Digital Security.
> What follows is an excerpt from incidents.org's version of the analysis:
>
> 1. Set up initial worm environment on infected system.
>
> 2. Check: Is the number of threads = 100?
> If yes: go to step 7.
>
> 3. Create a new thread. Give the thread an identical
> copy of the worm code (each thread will run
> through this identical sequence of events starting
> at step 2).
>
> 4. Check: Does C:\notworm exist?
> If yes: go dormant.
>
> 5. Check: Is the day of the month between 20 and 27 UTC, or later?
> If between: go to step 11.
> If later: sleep.
>
> 6. Scan random IPs on port 80/tcp and attempt to infect others.
> If a data send completes successfully, go to step 4.
>
> 7. Check: Is local system default language = English (US)?
> If no: go to step 4.
>
> 8. Sleep for 2 hours.
>
> 9. Attempt to modify infected system web pages in memory
> using "hooking" technique. Display "Hacked by Chinese"
> webpage for 10 hours.
>
> 10. Return system to original state. Go to step 4.
>
> 11. Connect to www.whitehouse.gov on port 80.
> Perform 98304 (=0x18000) 1-byte sends to www.whitehouse.gov.
>
> 12. Sleep for 4.5 hours. Upon waking, go to step 11.
>
> Hope this helps,
> Curtis
>
>
> Michael Abbott wrote:
>
> > What problems did your system show? I have been experiencing problems
> > with IIS. Web and FTP stopping for no reason.
> >
> > Michael
> >
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>