The UK Home Automation Archive


Re: IIS Worm


  • To: ukha_d@xxxxxxx
  • Subject: Re: IIS Worm
  • From: "Mark Hetherington" <mark.egroups@xxxxxxx>
  • Date: Wed, 19 Sep 2001 10:18:15 -0000
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

--- In ukha_d@y..., "Graham Howe" <graham@s...> wrote:
> I have stopped all web sites on the server, do I need to disable the actual
> IIS service too? If so then where is the best place to do this (I am not an
> NT4 server expert).

Stopping all web services will suffice. All IIS service management is
done from the management console. This is also the place where most
security measures can be taken.

I do also suggest preventing the web server from accessing the
Internet at all until it is fixed so you do not infect any others
while you fix the server.

> It appears to be much worse than this, I have over 4500 files that have been
> altered today and they appear to include every page in every site on the
> server (even the example stuff included in the initial installation).
> Looking at the pages they all have the following added to the end of the
> page:
>
> <html><script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")</script></html>
>
> which obviously causes problems for those visiting my sites.

Yes, this is one of the payloads of the virus. It attempts to exploit
a security weakness in MIME types in some versions of IE. (IE patch
available at URL below)

Microsoft have just released information to fix the problems that the
worm causes together with a list of the necessary security updates
required to prevent reinfection:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp

I am not sure if there is something to fix all the html files that
have been altered or not. If not then the best bet is to download a
text editor which provides replace across files. Personally I use The
Semware Editor from www.semware.com (and have for years) which
provides this function but I am sure many programmer type editors
will have it as well. Then you merely have to open the files in the
editor and replace across all with nothing to remove the added data.
Semware do a 30 day trial which you could use for this task if you
cannot find another one to use.

> Please give idiot proof instructions on this, I am not sure of the best way
> of sorting out script access and resources.

The fixes at the URL above should disable most script accesses for
you so even better than idiot proof since it will be automatic :) I
will draft something later this evening when I have a bit more free
time which talks about it in more depth but the fixes on the above
page should be enough to get you running again and pretty secure.

> I thought I had! Code Red was done but not Code Blue, I am now using
> hfnetchk to see that all patches are there, is this best solution?

That should be fine. However, follow the advice on the page above
since the patch may not have propagated to all systems yet.

> I don't need remote admin, so should I simply stop the admin site within IIS?

Yes, if you don't need it, stopping it is the best way.

> > Ensure authoring permissions etc are set to maximum security and anything
> > that seems slightly suspicious is set to use challenge response
> > authentication only.
> >
> I tend to do everything through Frontpage publishing and SQL Server
> Enterprise Manager. Both require passwords for access, but I am not sure how
> secure they are. Again are there any idiot guides as to what I should set
> up?

In either the IIS management console or the FrontPage extensions
management console, there will be settings for authoring which will
have the option of basic or challenge response authentication. Basic
is simply a cleartext password and therefore very insecure. Challenge
response will require a user name and password on the machine itself
and is much more secure. You can also tie the authoring capabilities
to an IP address which I also recommend. I will cover this more in
depth in my post this evening.

> All these files are not present or else seem fine (old dates)

The dates will be the same as the original file. One of the things
Code Red and later variants did was to copy CMD.EXE as ROOT.EXE into
the IISScripts directory allowing a backdoor into the machine even if
the security patches were put in place after the attack. Basically if
there are any files in your INETPUB directory that you did not put
there and are not using yourself, remove them no matter the date. The
Code Red II tool from the MS page should go through and find all
these changes automatically.

> It has but more help would still be welcome.

Hopefully the link above will let you resecure the system and prevent
the local reinfection. To stop the problem with getting reinfected
after reboot, edit system.ini and find

Shell = explorer.exe load.exe -dontrunold

remove the 'load.exe -dontrunold' portion. This will prevent the worm
from loading at system startup.

The bigger problem is that the worm may have infected DLL and EXE
files, which means that running an application such as MS Word on the
server will reinfect you.

Norton at least now have a patch to update their AV software to
detect and repair damaged EXE and DLLs. If you use another AV
program, I suggest grabbing the NAV trial version so you can use
their patch immediately.

HTH.

Mark.

P.S. More IIS goodies tonight, but if anything particularly urgent
comes up, I will try to reply during the course of the day as time
allows.


