The UK Home Automation Archive


The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024



RE: Re: IIS Worm


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Re: IIS Worm
  • From: "Graham Howe" <graham@xxxxxxx>
  • Date: Thu, 20 Sep 2001 23:08:34 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

Believe it or not I have just got off the phone to them and after explaining
all the symptoms (especially the fact the ftp in both directions is working)
they also think that some sort of firewall or other security measure may
have been invoked on their end. The co-located server team get in at 8am
tomorrow so with any luck I may get this sorted then.

The shares also appear to be OK as when viewing the server through network
neighbourhood they don't appear. I guess they must be just admin shares
after all.

All in all this has been a thoroughly unpleasant experience and I really
don't want it to happen again. But I must say I'm not sure what to do to
protect myself (Linux boys, don't even think about suggesting it OK ;-)). I
had applied the Code Red patches as soon as I came across them, but I had
missed an earlier patch; from now on I will keep even more up to date.
However, who is to say that the next worm/virus will exploit a hole that is
already known/patched? How would a virus checker have helped in this type of
attack where the point of entry was through the web server (in other words a
point that is supposed to be accessed by unknown visitors) and the virus was
not known? Is there anything more I should be doing to protect myself, and do
I have to become a network security expert just so I can develop and host
web sites?

Ironically I have just been appointed to do a web site for another client
and returned this evening from a meeting with them where I discussed the
design of the web site I'm doing for them. It was a great meeting and I'm
sure that they are going to be pleased with the site when I finish it, yet
right now I am wondering if I can cope with the stress of having to worry
about their site stability on top of the others.

Oh well enough moaning, my problems are nothing compared with some poor
souls this month, I'll shut up now.

Graham

> -----Original Message-----
> From: Keith Doxey [mailto:ukha@xxxxxxx]
> Sent: 20 September 2001 22:14
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: IIS Worm
>
>
> Have you contacted the hosting ISP to see if they have put any blocking in
> place.
>
> One of the measures we took to stop the spread was to block port 80 which
> disabled all HTTP thereby halting one means of spreading the worm. Servers
> can still be pinged and FTP'd.
>
> Maybe your ISP realised it was infected and shut it off from the net to try
> to prevent other infections.
>
> Just my 0.02
>
> I really don't want to see another worm or virus like this bugger :-(
>
> Keith
>
>
> -----Original Message-----
> From: Graham Howe [mailto:graham@xxxxxxx]
> Sent: 20 September 2001 22:00
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: IIS Worm
>
>
> I actually managed to download all the patches at home and then transfer
> them to the server. I also uninstalled IIS completely and removed all my web
> sites for off server 'cleaning'. I then copied a fresh version of the IIS
> install files and reinstalled IIS. I also reinstalled SP6 and all the
> patches. I have run find again for all files associated with the worm,
> including searching in all files for readme.eml and the signature. I can
> find nothing wrong. However the shares are still there (which is not really
> concerning me too much) and web browsing is not working to or from the
> server. This is extremely serious as this is my web server. As always, any
> suggestions would be most welcome. Pinging by name and by IP address works
> fine both to and from the server and I can browse the server from itself by
> both name and IP address.
>
> Regards
>
> Graham
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe:  ukha_d-subscribe@xxxxxxx
> Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> List owner:  ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/






