Um, 'search around'? Patches are pretty easy to find, it's not like they
hide them. Plus, newer patches don't even need a reboot.
~Brad
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Webmaster Oilfield Directory
Sent: Friday, July 20, 2001 7:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [imail] If you are running IIS read this.
Well excuseeeeeeeeeeee me! Some of us have a life, and some of us are underpaid
and overworked IT guys and don't have the time to search around for other
"resources"!
webmaster
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mail
Sent: Friday, July 20, 2001 7:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [imail] If you are running IIS read this.
If IIS had been patched as per Microsoft's Security bulletin (June
18th 2001), then you would not have been affected.
Maybe this incident will teach the IT admins a lesson: take security
seriously and patch servers as soon as vulnerabilities are found. If admins
had patched servers when the advisory was released, this would have
been a non-issue.
Subscribe to Microsoft's security bulletin at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
and patch servers when vulnerabilities are found. You
may also want to subscribe to CERT's list for advisories at
http://www.cert.org/contact_cert/certmaillist.html.
Just my 2c
Peter Verzoni
----- Original Message -----
From: "Curtis Faulkner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 20, 2001 9:56 AM
Subject: Re: [imail] If you are running IIS read this.
> If anyone believes this is off topic for an IMail list, I apologize. I
> happen to believe it is very much on topic considering the number of us
> who run IMail on servers that also run IIS. Ron, you can correct me and
> summarily punish me if I am incorrect.
>
> I noticed my systems monitor server showed my IIS web services as
> unavailable at 9:00 am yesterday but the IMail web services on that
> machine were still available. I went to the server and ran my IIS
> Management Console, only to see that all my web sites had Stopped. I
> started the services again and went back to a meeting. A while later, I
> got a page saying the web site was again unavailable. Again, the same
> symptoms persisted. I rebooted and the machine stayed clean for a
> little while, then did it again. At this point (given that IMail's web
> service never stopped) I was sure it had to be an IIS attack of some sort.
>
> I worked with my server until the end of my shift and beyond. Just
> being the only pair of (weary) eyes, I was unable to find the strange
> network traffic connecting to the server. I went home after shutting
> down the IIS services.
>
> This morning, the first alert I saw in my e-mail had been sent to me
> last night by a colleague at another school system who (along with his
> team) had found the problem and patch. A while after that e-mail, the
> various security organizations had e-mailed the same info.
>
> After patching up, I went to incidents.org and saw eEye's analysis of
> the worm. The full analysis is available at
> http://www.eeye.com/html/Research/Advisories/AL20010717.html
> and was done by Ryan Permeh and Marc Maiffret of eEye Digital Security.
> What follows is an excerpt from incidents.org's version of the analysis:
>
> 1. Set up initial worm environment on infected system.
>
> 2. Check: Is the number of threads = 100?
> If yes: go to step 7.
>
> 3. Create a new thread. Give the thread an identical
> copy of the worm code (each thread will run
> through this identical sequence of events starting
> at step 2).
>
> 4. Check: Does C:\notworm exist?
> If yes: go dormant.
>
> 5. Check: Is the day of the month between 20 and 27 UTC, or later?
> If between: go to step 11.
> If later: sleep.
>
> 6. Scan random IPs on port 80/tcp and attempt to infect others.
> If a data send completes successfully, go to step 4.
>
> 7. Check: Is local system default language = English (US)?
> If no: go to step 4.
>
> 8. Sleep for 2 hours.
>
> 9. Attempt to modify infected system web pages in memory
> using "hooking" technique. Display "Hacked by Chinese"
> webpage for 10 hours.
>
> 10. Return system to original state. Go to step 4.
>
> 11. Connect to www.whitehouse.gov on port 80.
> Perform 98304 (=0x18000) 1-byte sends to www.whitehouse.gov.
>
> 12. Sleep for 4.5 hours. Upon waking, go to step 11.
>
> Hope this helps,
> Curtis
>
>
> Michael Abbott wrote:
>
> > What problems did your system show? I have been experiencing problems
> > with IIS. Web and FTP stopping for no reason.
> >
> > Michael
> >
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
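The step list quoted above, read from the defender's side, as an added example that is not part of the original thread or of the eEye/incidents.org analysis: it flags hosts in summarised flow records that show the step 6 scan (many distinct destinations on 80/tcp) or the step 11 flood (a very large number of 1-byte sends to one destination), and reports which of the two a given UTC date would produce. The record layout, the thresholds and the inclusive reading of "between 20 and 27" are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

FLOOD_SENDS = 0x18000  # 98304 one-byte sends per round (step 11 of the quoted list)

def expected_phase(when):
    """Behaviour an infected host would show on this date (step 5).
    Assumption: days 20 and 27 are both inside the flood window."""
    day = when.astimezone(timezone.utc).day
    if day < 20:
        return "scan"    # step 6: random IPs on 80/tcp
    if day <= 27:
        return "flood"   # steps 11-12
    return "sleep"

def classify(flows, scan_min=50, flood_min=FLOOD_SENDS // 2):
    """flows: iterable of (src, dst, dport, payload_len, count) summaries.
    This record layout and both thresholds are hypothetical; tune to your sensor."""
    dests = defaultdict(set)   # src -> distinct destinations contacted on port 80
    tiny = defaultdict(int)    # (src, dst) -> number of 1-byte sends on port 80
    for src, dst, dport, plen, count in flows:
        if dport != 80:
            continue
        dests[src].add(dst)
        if plen == 1:
            tiny[(src, dst)] += count
    findings = defaultdict(set)
    for src, seen in dests.items():
        if len(seen) >= scan_min:
            findings[src].add("scan")
    for (src, _dst), n in tiny.items():
        if n >= flood_min:
            findings[src].add("flood")
    return dict(findings)

def sample_flows():
    # Constructed records using documentation address ranges only.
    flows = [("192.0.2.10", f"198.51.100.{i}", 80, 0, 1) for i in range(1, 101)]
    flows.append(("192.0.2.20", "203.0.113.5", 80, 1, FLOOD_SENDS))
    flows.append(("192.0.2.30", "203.0.113.5", 80, 512, 40))     # ordinary browsing
    flows.append(("192.0.2.30", "203.0.113.9", 25, 1, 200000))   # not port 80
    return flows

if __name__ == "__main__":
    print(classify(sample_flows()))
    print(expected_phase(datetime(2001, 7, 20, tzinfo=timezone.utc)))
```

A host flagged here still needs the patch applied before its IIS services are brought back up; a reboot alone matches the "stayed clean for a little while, then did it again" symptom in the message above.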