The UK Home Automation Archive





RE: Re: IIS Worm


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Re: IIS Worm
  • From: "Graham Howe" <graham@xxxxxxx>
  • Date: Wed, 19 Sep 2001 19:21:15 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

I have already confirmed all of the steps you mention but still have shares
re-appearing after every re-boot and cannot browse from the server. I have
re-applied SP6 and all patches to no avail. I am starting to think that the
only way to sort this is to format the system drive and reinstall, which is
going to put my server out of action for a long time. My clients have
already been without their web sites for 24 hours now. This really is a
major setback for me. If anyone has any more ideas about how to get this
working again please let me know. Thanks for all the assistance so far.

Graham

> -----Original Message-----
> From: galeforce9@xxxxxxx [mailto:galeforce9@xxxxxxx]
> Sent: 19 September 2001 17:56
> To: ukha_d@xxxxxxx
> Subject: [ukha_d] Re: IIS Worm
>
>
> Hi All
> If the shares keep coming back the virus is still active !
>
> I got hit by it today on an ME machine with IE5.5 but no service
> pack. Anyone reading this using IE5.5 and no service pack I STRONGLY
> recommend putting service pack 2 on ASAP.
>
> I had the same thing, here is what I did and it seems to have gone
> for good now !
>
> edit the shell line in system.ini to read just
> shell=explorer.exe
>
> delete the contents of
> wininit.ini
>
> delete all .eml files
> (I do not use them if you do then act accordingly)
>
> open a DOS shell and go to c:\windows\system
> delete riched20.dll
> this is a hidden system file
> also delete load.exe
> also a hidden system file
>
> search for any more occurrences of either riched20.dll and load.exe and
> delete if found.
>
> remove shares
>
> recheck system.ini and wininit.ini for re-infection whilst you have
> been working.
>
> re-boot.
>
> your machine should now be clear.
>
> I hope this helps, it has cleared my machine but be advised delete
> files at your own risk!
>
> Ian
>
>
>
>
> --- In ukha_d@y..., "Graham Howe" <graham@s...> wrote:
> > >
> > > Look in Tools -> Internet Options -> Connection. Make sure that IE is
> > > not trying to use some mythical DUN to connect.
> > >
> > No DUN settings at all (never have been as the server never had a modem on
> > it)
> >
> > > In the same place, check any proxy settings are valid. Try turning
> > > the proxy off completely in case it just happens to be temporarily
> > > unavailable.
> > >
> > No proxy settings either
> >
> > > If Connection Wizard is missing files, it seems that the IE 5.5
> > > installation may be compromised. I suggest going back to IE 6 since
> > > it should install appropriate files for the IE 6 connection wizard
> > > assuming you downloaded the appropriate files for it. For a LAN
> > > connection it is as you say pretty pointless anyway other than it
> > > selecting LAN as the routing mechanism which can be achieved through
> > > options.
> > >
> > Can't go back to 6, it updated online and files were not downloaded. I am
> > now trying to copy across a complete set of windows update files to
> > reinstall IE5. Problem is this is a lot of data and going via a slow
> > pcAnywhere link!
> >
> > > Is IE reporting any error messages?
> > >
> > No, other than it eventually fails to find the page.
> >
> > > Try browsing to the local machine. You should be able to browse to:
> > > http://machinename/dirfromwwwroot/file.htm(l)
> > > http://localhost/dirfromwwwroot/file.htm(l)
> > > http://127.0.0.1/dirfromwwwroot/file.htm(l)
> > > http://yourstaticip/dirfromwwwroot/file.htm(l)
> > >
> >
> > It says page cannot be displayed, which is as expected as web server is
> > disabled until I am sure everything is secure! However it did go straight to
> > the page, so problem seems to be around the routing rather than IE.
> >
> > > The path and filename are optional but you will likely get
> > > an "unauthorised" response if there is nothing appropriate in the
> > > root of wwwroot for the local host to display.
> > >
> > > This will help decide whether it is merely routing of some form or a
> > > problem with the IE installation.
> > >
> > > BTW on a security note while you are checking this, if the above
> > > reports a directory list when using no path or filename, you will
> > > need to disable directory browsing from the IIS Management Console on
> > > the wwwroot tree.
> > >
> > > HTH.
> > >
> > > Mark.
> > >
> > BTW for problem 1 I had turned off all shares manually but they keep coming
> > back every time I reboot.
> >
> > Graham
>
>
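A defender-side checker for the symptoms this thread describes: the altered system.ini shell line, a non-empty wininit.ini, stray .eml files, the two hidden system files, and shares that reappear after a reboot. This is an added example, not code from any poster; the paths, attribute sets and share names are constructed sample data, and since riched20.dll is also a normal Windows file it is only flagged when it carries the hidden+system attributes Ian describes.

```python
"""Checks for the indicators the thread describes: an altered system.ini shell
line, a non-empty wininit.ini, stray .eml files, hidden+system riched20.dll /
load.exe, and shares that come back. Added example; all inputs are constructed."""
from pathlib import PureWindowsPath

DROPPED_NAMES = {"riched20.dll", "load.exe"}  # the two file names from the thread

def check_shell_line(system_ini):
    """Report a [boot] shell= line that is anything but a bare explorer.exe."""
    findings, section = [], None
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell"):
            if line.partition("=")[2].strip().lower() != "explorer.exe":
                findings.append("system.ini shell altered: %r" % line)
    return findings

def check_wininit(wininit_ini):
    """wininit.ini is empty on a clean machine; any pending entry is reported."""
    pending = [l for l in wininit_ini.splitlines() if l.strip()]
    return ["wininit.ini not empty: %r" % pending[0]] if pending else []

def check_files(entries):
    """entries: (path, attribute set). The dropped names are flagged only when
    hidden+system, as the thread describes; every .eml file is flagged."""
    findings = []
    for path, attrs in entries:
        name = PureWindowsPath(path).name.lower()
        if name in DROPPED_NAMES and {"hidden", "system"} <= set(attrs):
            findings.append("hidden system file: " + path)
        elif name.endswith(".eml"):
            findings.append("stray .eml file: " + path)
    return findings

def check_shares(shares, allowed=()):
    """Shares outside the allowlist (the ones that keep coming back) are reported."""
    return ["unexpected share: " + s for s in shares if s not in set(allowed)]

# Constructed sample standing in for a machine that was just rebooted.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe\n[386Enh]\n"
SAMPLE_WININIT_INI = "[rename]\nNUL=C:\\WINDOWS\\SYSTEM\\LOAD.EXE\n"
SAMPLE_ENTRIES = [(r"C:\WINDOWS\SYSTEM\riched20.dll", {"hidden", "system"}),
                  (r"C:\WINDOWS\SYSTEM\load.exe", {"hidden", "system"}),
                  (r"C:\Inetpub\wwwroot\readme.eml", set()),
                  (r"C:\WINDOWS\notepad.exe", set())]
SAMPLE_SHARES, ALLOWED_SHARES = ["C$", "D$", "www"], ["www"]
```

Each check returns a list of findings, so an empty list from all four after a reboot is the "machine should now be clear" state Ian describes.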


