Sorry if I offended anyone, it definitely wasn't my intention. The point I
was trying to make was that prevention is always better than cure.

The code red worm only defaced pages and brought down machines until
patched - who knows, the next one may be more serious requiring OS
re-install...

PV






----- Original Message -----
From: "Webmaster Oilfield Directory" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 20, 2001 10:14 PM
Subject: RE: [imail] If you are running IIS read this.


> Well excuseeeeeeeeeeee me! Some of us have a life, and some of us underpaid
> and overworked IT guys and don't have the time to search around for other
> "resources"!
>
> webmaster
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Mail
> Sent: Friday, July 20, 2001 7:12 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [imail] If you are running IIS read this.
>
>
> If IIS would have been patched as per Microsoft's Security bulletin (June
> 18th 2001) then you would have not been affected.
>
> Maybe this incident will teach the IT admins a lesson, take security
> seriously and patch servers as soon as vulnerabilities are found. If admins
> would have patched servers when the advisory was released this would have
> been a non-issue.
>
> Subscribe to Microsoft's security bulletin at
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
> and patch servers when vulnerabilities are found. You
> may also want to subscribe to Cert's list for advisories at
> http://www.cert.org/contact_cert/certmaillist.html.
>
> Just my 2c
>
> Peter Verzoni
>
>
> ----- Original Message -----
> From: "Curtis Faulkner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 20, 2001 9:56 AM
> Subject: Re: [imail] If you are running IIS read this.
>
>
> > If anyone believes this is off topic for an IMail list, I apologize.  I
> > happen to believe it is very much on topic considering the number of us
> > who run IMail on servers that also run IIS.  Ron, you can correct me and
> > summarily punish me if I am incorrect.
> >
> > I noticed my systems monitor server showed my IIS web services as
> > unavailable at 9:00 am yesterday but the IMail web services on that
> > machine were still available.  I went to the server and ran my IIS
> > Management Console, only to see that all my web sites had Stopped.  I
> > started the services again and went back to a meeting.  A while later, I
> > got a page saying the web site was again unavailable.  Again, the same
> > symptoms persisted.  I rebooted and the machine stayed clean for a
> > little while, then did it again.  At this point (given that IMail's web
> > service never stopped) I was sure it had to be an IIS attack of some sort.
> >
> > I worked with my server until the end of my shift and beyond.  Just
> > being the only pair of (weary) eyes, I was unable to find the strange
> > network traffic connecting to the server.  I went home after shutting
> > down the IIS services.
> >
> > This morning, the first alert I saw in my e-mail had been sent to me
> > last night by a colleague at another school system who (along with his
> > team) had found the problem and patch.  A while after that e-mail, the
> > various security organizations had e-mailed the same info.
> >
> > After patching up, I went to incidents.org and saw eEye's analysis of
> > the worm.  The full analysis is available at
> > http://www.eeye.com/html/Research/Advisories/AL20010717.html
> > and was done by Ryan Permeh and Marc Maiffret of eEye Digital Security.
> >   What follows is an excerpt from incidents.org's version of the analysis:
> >
> > 1. Set up initial worm environment on infected system.
> >
> > 2. Check: Is the number of threads = 100?
> >                 If yes: go to step 7.
> >
> > 3. Create a new thread. Give the thread an identical
> >        copy of the worm code (each thread will run
> >        through this identical sequence of events starting
> >        at step 2).
> >
> > 4. Check: Does C:\notworm exist?
> >                 If yes: go dormant.
> >
> > 5. Check: Is the day of the month between 20 and 27 UTC, or later?
> >                 If between: go to step 11.
> >                 If later: sleep.
> >
> > 6. Scan random IPs on port 80/tcp and attempt to infect others.
> >         If a data send completes successfully, go to step 4.
> >
> > 7. Check: Is local system default language = English (US)?
> >                 If no: go to step 4.
> >
> > 8. Sleep for 2 hours.
> >
> > 9. Attempt to modify infected system web pages in memory
> >        using "hooking" technique. Display "Hacked by Chinese"
> >        webpage for 10 hours.
> >
> > 10. Return system to original state. Go to step 4.
> >
> > 11. Connect to www.whitehouse.gov on port 80.
> >        Perform 98304 (=0x18000) 1-byte sends to www.whitehouse.gov.
> >
> > 12. Sleep for 4.5 hours. Upon waking, go to step 11.
> >
> > Hope this helps,
> > Curtis
> >
> >
> > Michael Abbott wrote:
> >
> > > What problems did your system show?  I have been experiencing problems
> > > with IIS.  Web and FTP stopping for no reason.
> > >
> > > Michael
> > >
> >
> >
> >
> >
> > ______________________________________________________________________
> > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > To Manage your Subscription......... http://humankindsystems.com/lists
> >

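Steps 5, 6 and 11 of the quoted analysis give a defender two outbound patterns to look for on a web server: connections to many distinct hosts on 80/tcp (the scanning phase) and a long run of 1-byte sends to a single host (the flooding phase). The following is an added example, not part of the original thread or of eEye's analysis; the record format, thresholds and sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds for one observation window; tune to your own baseline.
SCAN_MIN_DESTS = 20      # distinct port-80 destinations from one source
FLOOD_MIN_SENDS = 1000   # 1-byte sends from one source to one destination

def expected_phase(day_utc):
    """Phase the analysis (step 5) predicts for a UTC day of the month."""
    if 20 <= day_utc <= 27:
        return "flood"   # step 11: repeated 1-byte sends to one host
    if day_utc > 27:
        return "sleep"
    return "scan"        # step 6: random IPs on 80/tcp

def classify_sources(records):
    """records: iterable of (src, dst, dst_port, bytes_in_send) tuples.
    Returns {src: "scan" | "flood"} for sources matching either pattern."""
    dests = defaultdict(set)
    tiny_sends = defaultdict(int)
    for src, dst, port, size in records:
        if port != 80:
            continue
        dests[src].add(dst)
        if size == 1:
            tiny_sends[(src, dst)] += 1
    findings = {}
    for src, seen in dests.items():
        if len(seen) >= SCAN_MIN_DESTS:
            findings[src] = "scan"
    for (src, _dst), count in tiny_sends.items():
        if count >= FLOOD_MIN_SENDS:
            findings[src] = "flood"   # flood pattern takes precedence
    return findings

# Constructed sample (documentation address ranges, not real traffic).
SAMPLE = (
    [("192.0.2.10", f"198.51.100.{i}", 80, 4000) for i in range(1, 31)]
    + [("192.0.2.11", "203.0.113.5", 80, 1)] * 1500
    + [("192.0.2.12", "203.0.113.9", 80, 512)] * 3
    + [("192.0.2.12", "203.0.113.9", 443, 1)] * 2000
)

if __name__ == "__main__":
    print(classify_sources(SAMPLE))
    for day in (19, 20, 27, 28):
        print(day, expected_phase(day))
```

A web server that normally makes few or no outbound port-80 connections makes both thresholds easy to set low; the third sample host shows that ordinary traffic and non-80 ports are not flagged.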