Patches are easy to find if you have determined what specifically the
problem is. Without prior knowledge of the 'Code Red' worm, it's not easy to
pinpoint it initially. Your first real indication of the problem is the
'Hacked by Chinese' message which comes over 2 hours after initial infection
and replication. And there are so many potential security holes that are yet
unknown that it takes some time to determine #1 what the problem is, what caused
it and how to resolve it.
And btw, if you got hit with the Code Red and you didn't reboot after the
patch then you've fixed nothing since it resides in memory. Read the fine
print, you MUST reboot after applying the patch.
I'd like to applaud those who did enlighten others about this problem,
obviously it slipped past many including myself.
-Chh2
----- Original Message -----
From: "T. Bradley Dean" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 20, 2001 9:32 PM
Subject: RE: [imail] If you are running IIS read this.
> Um, 'search around'? Patches are pretty easy to find, it's not like they
> hide them. Plus, newer patches don't even need a reboot.
>
> ~Brad
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Webmaster Oilfield Directory
> Sent: Friday, July 20, 2001 7:14 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] If you are running IIS read this.
>
>
> Well excuseeeeeeeeeeee me! Some of us have a life, and some of us are
> underpaid and overworked IT guys and don't have the time to search around
> for other "resources"!
>
> webmaster
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Mail
> Sent: Friday, July 20, 2001 7:12 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [imail] If you are running IIS read this.
>
>
> If IIS would have been patched as per Microsoft's Security bulletin (June
> 18th 2001) then you would have not been affected.
>
> Maybe this incident will teach the IT admins a lesson, take security
> seriously and patch servers as soon as vulnerabilities are found. If
> admins would have patched servers when the advisory was released this
> would have been a non-issue.
>
> Subscribe to Microsoft's security bulletin at
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
> and patch servers when vulnerabilities are found. You
> may also want to subscribe to Cert's list for advisories at
> http://www.cert.org/contact_cert/certmaillist.html.
>
> Just my 2c
>
> Peter Verzoni
>
>
> ----- Original Message -----
> From: "Curtis Faulkner" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 20, 2001 9:56 AM
> Subject: Re: [imail] If you are running IIS read this.
>
>
> > If anyone believes this is off topic for an IMail list, I apologize. I
> > happen to believe it is very much on topic considering the number of us
> > who run IMail on servers that also run IIS. Ron, you can correct me and
> > summarily punish me if I am incorrect.
> >
> > I noticed my systems monitor server showed my IIS web services as
> > unavailable at 9:00 am yesterday but the IMail web services on that
> > machine were still available. I went to the server and ran my IIS
> > Management Console, only to see that all my web sites had Stopped. I
> > started the services again and went back to a meeting. A while later, I
> > got a page saying the web site was again unavailable. Again, the same
> > symptoms persisted. I rebooted and the machine stayed clean for a
> > little while, then did it again. At this point (given that IMail's web
> > service never stopped) I was sure it had to be an IIS attack of some
> > sort.
> >
> > I worked with my server until the end of my shift and beyond. Just
> > being the only pair of (weary) eyes, I was unable to find the strange
> > network traffic connecting to the server. I went home after shutting
> > down the IIS services.
> >
> > This morning, the first alert I saw in my e-mail had been sent to me
> > last night by a colleague at another school system who (along with his
> > team) had found the problem and patch. A while after that e-mail, the
> > various security organizations had e-mailed the same info.
> >
> > After patching up, I went to incidents.org and saw eEye's analysis of
> > the worm. The full analysis is available at
> > http://www.eeye.com/html/Research/Advisories/AL20010717.html
> > and was done by Ryan Permeh and Marc Maiffret of eEye Digital Security.
> > What follows is an excerpt from incidents.org's version of the
> > analysis:
> >
> > 1. Set up initial worm environment on infected system.
> >
> > 2. Check: Is the number of threads = 100?
> > If yes: go to step 7.
> >
> > 3. Create a new thread. Give the thread an identical
> > copy of the worm code (each thread will run
> > through this identical sequence of events starting
> > at step 2).
> >
> > 4. Check: Does C:\notworm exist?
> > If yes: go dormant.
> >
> > 5. Check: Is the day of the month between 20 and 27 UTC, or later?
> > If between: go to step 11.
> > If later: sleep.
> >
> > 6. Scan random IPs on port 80/tcp and attempt to infect others.
> > If a data send completes successfully, go to step 4.
> >
> > 7. Check: Is local system default language = English (US)?
> > If no: go to step 4.
> >
> > 8. Sleep for 2 hours.
> >
> > 9. Attempt to modify infected system web pages in memory
> > using "hooking" technique. Display "Hacked by Chinese"
> > webpage for 10 hours.
> >
> > 10. Return system to original state. Go to step 4.
> >
> > 11. Connect to www.whitehouse.gov on port 80.
> > Perform 98304 (=0x18000) 1-byte sends to www.whitehouse.gov.
> >
> > 12. Sleep for 4.5 hours. Upon waking, go to step 11.
> >
> > Hope this helps,
> > Curtis
> >
> >
> > Michael Abbott wrote:
> >
> > > What problems did your system show? I have been experiencing problems
> > > with IIS. Web and FTP stopping for no reason.
> > >
> > > Michael
> > >
> >
> >
> >
> >
> > ______________________________________________________________________
> > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > To Manage your Subscription......... http://humankindsystems.com/lists
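The propagation and flood phases in the eEye excerpt above (steps 6 and 11) as they would look from the network side, as an added detection example that is not part of this thread or of eEye's analysis; the log format, addresses and thresholds are constructed assumptions, not anything the posters described.

```python
"""Flag hosts whose outbound TCP/80 traffic looks like the worm's step 6
(connections to many random hosts) or step 11 (sustained traffic to one host).

Added example for this thread, not code from any poster or from eEye. The log
format, addresses and thresholds below are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SCAN_DISTINCT_DSTS = 8   # assumed: distinct port-80 targets within the window
FLOOD_HITS_ONE_DST = 30  # assumed: connection records to one target in window
WINDOW = timedelta(minutes=5)

def parse_line(line):
    """'<ISO time> <src> -> <dst>:<port>/<proto>' -> (time, src, dst, port, proto)."""
    ts, src, _arrow, target = line.split()
    dst, tail = target.rsplit(":", 1)
    port, proto = tail.split("/")
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def classify_sources(lines):
    """Return {src: 'scanning' | 'flood'} for sources exceeding a threshold."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port, proto = parse_line(line)
        if port == 80 and proto == "tcp":  # the worm only talks to port 80/tcp
            by_src[src].append((ts, dst))
    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        start = events[0][0]
        hits = Counter(dst for ts, dst in events if ts - start <= WINDOW)
        if len(hits) >= SCAN_DISTINCT_DSTS:          # many distinct targets
            verdicts[src] = "scanning"
        elif hits and max(hits.values()) >= FLOOD_HITS_ONE_DST:  # one target, hammered
            verdicts[src] = "flood"
    return verdicts

def build_sample_log():
    """Constructed traffic: a normal host, a scanner and a single-target flooder."""
    t0 = datetime(2001, 7, 19, 9, 0, 0)
    def row(sec, src, dst, port=80, proto="tcp"):
        return f"{(t0 + timedelta(seconds=sec)).isoformat()} {src} -> {dst}:{port}/{proto}"
    log = [row(i, "10.0.0.2", "198.51.100.10") for i in range(3)]          # normal browsing
    log += [row(i, "10.0.0.7", f"203.0.113.{i}") for i in range(1, 13)]    # step 6 pattern
    log += [row(i, "10.0.0.9", "192.0.2.1") for i in range(40)]            # step 11 pattern
    log += [row(i, "10.0.0.9", "192.0.2.1", 25) for i in range(5)]         # port 25, ignored
    return log

if __name__ == "__main__":
    print(classify_sources(build_sample_log()))  # {'10.0.0.7': 'scanning', '10.0.0.9': 'flood'}
```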