RE: Re: IIS Worm
- To: <ukha_d@xxxxxxx>
- Subject: RE: Re: IIS Worm
- From: "Graham Howe" <graham@xxxxxxx>
- Date: Thu, 20 Sep 2001 21:59:34 +0100
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
I actually managed to download all the patches at home and then transfer
them to the server. I also uninstalled IIS completely and removed all my web
sites for off-server 'cleaning'. I then copied a fresh version of the IIS
install files and reinstalled IIS. I also reinstalled SP6 and all the
patches. I have run find again for all files associated with the worm,
including searching in all files for readme.eml and the signature. I can
find nothing wrong. However, the shares are still there (which is not really
concerning me too much) and web browsing is not working to or from the
server. This is extremely serious as this is my web server. As always, any
suggestions would be most welcome. Pinging by name and by IP address works
fine both to and from the server, and I can browse the server from itself by
both name and IP address.
Regards
Graham
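The two checks Graham describes doing by hand (searching the server for the worm's readme.eml droppings and its signature string, and reviewing which shares give Everyone more than Read) as an added example script; this is not code from Graham's or Mark's messages. It assumes a current Windows host with the SmbShare module, and $Signature is a placeholder the administrator sets to the string published by their AV vendor.

```powershell
# Added example, not from the thread: post-cleanup check for Nimda residue
# and for over-permissive shares. $Signature is a placeholder (assumption);
# set it to the signature string your AV vendor publishes for the worm.
param(
    [string[]]$Roots = @('C:\'),
    [string]$Signature = 'PLACEHOLDER-SIGNATURE-STRING'
)

# 1. Files the worm leaves behind, per the thread: readme.eml, plus any
#    .eml/.nws copies dropped alongside web content.
$suspect = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'readme.eml' -or $_.Extension -in '.eml', '.nws' }
}
Write-Host "Suspect files: $(@($suspect).Count)"
$suspect | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 2. Web content and script files containing the signature string; the
#    file types are limited to keep the scan bounded and the match is literal.
$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Include *.htm, *.html, *.asp, *.eml `
        -ErrorAction SilentlyContinue |
        Select-String -Pattern ([regex]::Escape($Signature)) -List
}
Write-Host "Signature hits: $(@($hits).Count)"
$hits | Select-Object Path, LineNumber | Format-Table -AutoSize

# 3. Non-administrative shares where Everyone holds Change or Full. Mark
#    judges Change "not too huge a risk", but Nimda spread over writable
#    shares, so each of these should be reviewed and tightened.
$open = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -ieq 'Everyone' -and $_.AccessRight -in 'Change', 'Full' }
}
Write-Host "Shares writable by Everyone: $(@($open).Count)"
$open | Select-Object Name, AccountName, AccessRight | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; anything listed under steps 1 or 2 means the cleanup is incomplete, and step 3 lists the shares to restrict before bringing W3SVC back online.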
> -----Original Message-----
> From: Mark Hetherington (egroups)
> [mailto:mark.egroups@xxxxxxx]
> Sent: 19 September 2001 22:39
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: IIS Worm
>
>
> That doesn't sound too bad. I would be wary of everybody having Change, but
> it really depends on what exactly the shares are. Admin shares do not
> usually let you view the properties for them since they are irrelevant, so if
> you can change the permissions, they are probably not admin shares. Since
> Change is not Full access, it is not too huge a security risk at this point.
>
> However, for now I suggest ignoring the shares and trying to secure the
> system. I noticed one of the AV companies is releasing a stand-alone tool to
> combat this virus, so we may as well install a few other things and restart
> the WWW service to see what happens.
>
> Go to
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
>
> From here follow the links to the lockdown tool, download and install it.
> Also grab the URLScan tool, but it is a more advanced tool so is an optional
> thing to install, so don't worry about it immediately.
>
> The lockdown tool is sufficient to prevent a Code Red/Blue/Nimda attack
> event without patches, so while we test the security of the system, it will
> prevent any other attacks causing problems and will also be much easier to
> secure everything than my original plan to give you an overview. I will
> still do the overview sometime once you are up and running again if you wish,
> but lockdown will be the quickest and easiest way for now.
>
> It is probably worth just running the express settings to begin with if you
> want to test everything ASAP. The proper configuration should not take too
> long to work through, but could be done either immediately or after we are
> sure everything is OK, depending on your urgency to restore service.
>
> One of the reasons we are bringing W3SVC back online is to check it actually
> works and all the fixes we have applied over the last 24 hours have not
> damaged the IIS installation. This will also discover if the outbound IE
> routing problem is limited to IE and does not affect incoming connections.
>
> The other reason we are doing this is to see if we got the virus, since
> without AV software and without WWW routing we cannot verify this 100%. If
> we didn't get it, expect to be reinfected quite quickly, so be ready to take
> the system back offline if anything untoward occurs.
>
> So to summarise, after installing and running lockdown, cross your fingers
> and restart W3SVC. Let me know how you get on.
>
> Mark.
>
>
> > -----Original Message-----
> > From: Graham Howe [mailto:graham@xxxxxxx]
> > Sent: 19 September 2001 22:20
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] Re: IIS Worm
> >
> >
> > I knew this was the case for Win2K, but is it also the case for NT
> > (remember it is an NT4 server)? Also, if these are just the admin shares,
> > then what should the directory permissions be? (Mine are showing
> > Administrators, SYSTEM and CREATOR OWNER as having Full Control, and Server
> > Operators and Everyone having Change.)
> >
> > Graham
> >
> > > -----Original Message-----
> > > From: Mark Hetherington (egroups)
> > > [mailto:mark.egroups@xxxxxxx]
> > > Sent: 19 September 2001 22:12
> > > To: ukha_d@xxxxxxx
> > > Subject: RE: [ukha_d] Re: IIS Worm
> > >
> > >
> > > > Graham, I was under the impression that under Win2K "ALL" local hard
> > > > drives were shared by default. Instead of deleting these shares, just
> > > > disable them and see if that works. I haven't used the server before,
> > > > so no actual experience.
> > >
> > > Win2K can do some auto sharing of drives for administration purposes
> > > only. In this case it is not possible to turn sharing off, since it is
> > > prohibited by the OS to try, so I assumed that it was not shares such as
> > > these that Graham was concerned with.
> > >
> > > Mark.
> > >
> > >
> > > For more information: http://www.automatedhome.co.uk
> > > Post message: ukha_d@xxxxxxx
> > > Subscribe: ukha_d-subscribe@xxxxxxx
> > > Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> > > List owner: ukha_d-owner@xxxxxxx
> > >
> > > Your use of Yahoo! Groups is subject to
> > http://docs.yahoo.com/info/terms/
>
>