The UK Home Automation Archive


RE: IIS Worm


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: IIS Worm
  • From: "Mark Hetherington \(egroups\)" <mark.egroups@xxxxxxx>
  • Date: Wed, 19 Sep 2001 00:41:42 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

Hard to say really given the lack of information on it... first thing I
suggest is close the IIS down if you have not already since you will
currently be unwittingly attacking neighbouring IP ranges. (You will make at
least 16 attacks)

The next stage will be for the moment the hard one. Finding out what was
done to your system. If it follows Code Red as closely as current
suggestions are then you will find multiple versions of index.htm(l) and
default.htm(l) in all web directories and some system directories. These
files will contain any new "content" and as such should be immediately
destroyed.

Assuming you have logging turned on for W3SRV then this might not be too
difficult to track. The log will tell you everything that was done through
IIS. It will also show you the successful loophole in your system that
allowed it to happen. (see later)

A simple and effective although possibly time consuming exercise is to use
the simple Find Files mechanism of Windows on your entire drive. You should
be able to get a potential time from the W3SRV log files or at least between
when you knew you were OK and when you discovered the breach. Any files in
this timeframe should be examined for potential corruption.

If you find cmd.exe or similar in the IISSCRIPTS directory (usually after a
Code Red type attack, but check the whole InetPub tree), delete this file.

Use Find files again to search for *.eml. This is what your web server has
been instructed to download and parse in order to install the worm. If the
file isn't known to be yours, delete it without opening it or at worst
archive to floppy and check on another machine not running IIS4/5.

Do a find *in* files looking for "readme.eml". This is the rogue file your
server will attempt to distribute. Remove or fix any files containing a
reference to it.

Before resuming IIS service in any way, you need to ensure that you are
secure.

Disable script access to all directories across the board except where
specifically needed and ensure that the scripts can only access known
resources as INETUSER. One attempt, although largely unsuccessful, to access
an IIS machine is using the scripts supplied in the default installation.

Use Windows Update or your preferred mechanism to install all known updates,
particularly service packs and security updates.

Look at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp

and similar articles.

If you need external access for configuration use IP based access to protect
against password cracking attempts. If you do not, disable the remote
administration interface for IIS if it is enabled and remove the default
installation of files in the INETPUB directory or set IIS to use a
non-standard root which will do effectively the same thing but preserves the
original files for your reference if you want them.

Ensure authoring permissions etc are set to maximum security and anything
that seems slightly suspicious is set to use challenge response
authentication only.

The following are known attacks of this virus. After you have installed the
malformed URL fix, you will be immune to all, however, these items in your
logs will indicate files you need to search for and where appropriate
destroy:

get_mem_bin
vti_bin owssvr.dll
Root.exe
CMD.EXE
.../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/ cltreq.asp


Also look out for readme.exe and admin.dll (56K) with an 'audio xwave' mime
type which were the original propagation.

HTH.

Mark.
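
One way to do the log triage described in the message above, as an added example in Python rather than anything from the original post: W3SVC (W3C extended) log lines are decoded and checked for the listed indicators, and each hit is paired with the follow-up the post gives. The log lines are constructed, the 192.0.2.x addresses are documentation-range placeholders, and 'mem_bin' is an assumed reading of the post's 'get_mem_bin'.

```python
"""Scan IIS W3SVC (W3C extended) log lines for the request indicators the post
lists.  Added example, not the post's own; SAMPLE_LOG lines are constructed."""
import re
from urllib.parse import unquote

# Indicator substring (matched case-insensitively after %-decoding) -> follow-up
# from the post.  'mem_bin' is assumed to be what the post's 'get_mem_bin' means.
INDICATORS = {
    "mem_bin": "probe of the /_mem_bin directory",
    "vti_bin": "probe of the /_vti_bin (FrontPage) directory",
    "owssvr.dll": "request for owssvr.dll",
    "root.exe": "root.exe is a renamed cmd.exe in a scripts directory: delete it",
    "cmd.exe": "cmd.exe reachable under InetPub: remove the copy",
    "getadmin.dll": "request for Getadmin.dll",
    "default.ida": "Code Red style .IDA request: confirm the malformed-URL fix",
    "cltreq.asp": "request for /Msoffice/cltreq.asp",
    "readme.eml": "payload fetched: search the whole drive for *.eml",
    "readme.exe": "readme.exe, the original propagation vector",
    "admin.dll": "admin.dll, the original propagation vector",
}
TRAVERSAL = re.compile(r"\.\.[\\/]")  # '..' followed by a path separator

def scan_log(lines):
    """Return (timestamp, client_ip, reasons, raw_uri) per suspicious request.
    Column positions come from the '#Fields:' header, as in real W3SVC logs."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        # Undo up to two layers of %-encoding so '..%255c' / '..%c1%1c' style
        # stems (the post's ".../ (Unicode)") expose the '..' they carry.
        decoded = unquote(unquote(uri)).lower()
        reasons = [why for key, why in INDICATORS.items() if key in decoded]
        if TRAVERSAL.search(decoded.split(" ")[0]):
            reasons.append("encoded '..' traversal in the URL stem")
        if reasons:
            hits.append((f"{rec.get('date', '?')} {rec.get('time', '?')}",
                         rec.get("c-ip", "?"), "; ".join(reasons), uri.strip()))
    return hits

SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 20:31:05 192.0.2.10 GET /index.htm - 200
2001-09-18 20:31:07 192.0.2.44 GET /scripts/root.exe /c+dir 404
2001-09-18 20:31:08 192.0.2.44 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 20:31:09 192.0.2.44 GET /_vti_bin/owssvr.dll - 404
2001-09-18 20:31:11 192.0.2.10 GET /readme.eml - 200""".splitlines()
```

Feed it the lines of a real ex011209.log-style file instead of SAMPLE_LOG; the timestamps of the hits give the window to use for the "Find Files by date" step.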


> -----Original Message-----
> From: Graham Howe [mailto:graham@xxxxxxx]
> Sent: 18 September 2001 21:31
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] IIS Worm
>
>
> My server has been hit, any ideas what to do about it?
>
> Graham
>
> > -----Original Message-----
> > From: Mark Hetherington (egroups)
> > [mailto:mark.egroups@xxxxxxx]
> > Sent: 18 September 2001 21:02
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] IIS Worm
> >
> >
> > A seemingly very prolific one it seems given the huge number of http
> > requests my PC is getting. (There is a web server there but not published
> > and nothing on it) Getting 4+ attempts per incoming IP so seems likely to be
> > the worm. I have been getting them for a while now but tonight has been
> > almost constant since logon.
> >
> > My Norton Internet Security installation has never been so busy :)
> >
> > Mark.
> >
> > > -----Original Message-----
> > > From: Broadfoot, Kieran J [mailto:Kieran.Broadfoot@xxxxxxx]
> > > Sent: 18 September 2001 17:40
> > > To: 'ukha_d@xxxxxxx'
> > > Subject: [ukha_d] IIS Worm
> > >
> > >
> > >
> > > Those of you who need to concern yourselves with these kinds of things
> > > probably know but for those who don't you might want to shut down your IIS
> > > servers if you are directly connected to the web right now (w32.nimda.amm)
> > >
> > > There is a rather nasty new worm out and about on a pipe near you.
> > >
> > > http://slashdot.org/articles/01/09/18/151203.shtml
> > >
> > > Thanks
> > > 	kieran
> > >
> > > For more information: http://www.automatedhome.co.uk
> > > Post message: ukha_d@xxxxxxx
> > > Subscribe:  ukha_d-subscribe@xxxxxxx
> > > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > > List owner:  ukha_d-owner@xxxxxxx
> > >
> > > Your use of Yahoo! Groups is subject to
> > http://docs.yahoo.com/info/terms/


