The UK Home Automation Archive

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024



RE: Re: IIS Worm


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Re: IIS Worm
  • From: "Phil Harris" <phillip.harris1@xxxxxxx>
  • Date: Thu, 20 Sep 2001 23:12:08 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx


Glad you look to have it sorted though Graham...

Phil

> -----Original Message-----
> From: Graham Howe [mailto:graham@xxxxxxx]
> Sent: 20 September 2001 23:09
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: IIS Worm
>
>
> Believe it or not I have just got off the phone to them and after
> explaining all the symptoms (especially the fact the ftp in both
> directions is working) they also think that some sort of firewall or
> other security measure may have been invoked on their end. The
> co-located server team get in at 8am tomorrow so with any luck I may
> get this sorted then.
>
> The shares also appear to be OK as when viewing the server through
> network neighbourhood they don't appear. I guess they must be just
> admin shares after all.
>
> All in all this has been a thoroughly unpleasant experience and I
> really don't want it to happen again. But I must say I'm not sure what
> to do to protect myself (Linux boys, don't even think about suggesting
> it OK ;-)). I had applied the Code Red patches as soon as I came across
> them, but I had missed an earlier patch, from now on I will keep even
> more up to date. However who is to say that the next worm/virus will
> exploit a hole that is already known/patched, how would a virus checker
> have helped in this type of attack where the point of entry was through
> the web server (in other words a point that is supposed to be accessed
> by unknown visitors) and the virus was not known. Is there anything
> more I should be doing to protect myself and do I have to become a
> network security expert just so I can develop and host web sites.
>
> Ironically I have just been appointed to do a web site for another
> client and returned this evening from a meeting with them where I
> discussed the design of the web site I'm doing for them. It was a great
> meeting and I'm sure that they are going to be pleased with the site
> when I finish it, yet right now I am wondering if I can cope with the
> stress of having to worry about their site stability on top of the
> others.
>
> Oh well enough moaning, my problems are nothing compared with some
> poor souls this month, I'll shut up now.
>
> Graham
>
> > -----Original Message-----
> > From: Keith Doxey [mailto:ukha@xxxxxxx]
> > Sent: 20 September 2001 22:14
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] Re: IIS Worm
> >
> >
> > Have you contacted the hosting ISP to see if they have put any
> > blocking in place.
> >
> > One of the measures we took to stop the spread was to block port 80
> > which disabled all HTTP thereby halting one means of spreading the
> > worm. Servers can still be pinged and FTP'd.
> >
> > Maybe your ISP realised it was infected and shut it off from the net
> > to try to prevent other infections.
> >
> > Just my 0.02
> >
> > I really don't want to see another worm or virus like this bugger :-(
> >
> > Keith
> >
> >
> > -----Original Message-----
> > From: Graham Howe [mailto:graham@xxxxxxx]
> > Sent: 20 September 2001 22:00
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] Re: IIS Worm
> >
> >
> > I actually managed to download all the patches at home and then
> > transfer them to the server. I also uninstalled IIS completely and
> > removed all my web sites for off server 'cleaning'. I then copied a
> > fresh version of the IIS install files and reinstalled IIS. I also
> > reinstalled SP6 and all the patches. I have run find again for all
> > files associated with the worm, including searching in all files for
> > readme.eml and the signature. I can find nothing wrong. However the
> > shares are still there (which is not really concerning me too much)
> > and web browsing is not working to or from the server. This is
> > extremely serious as this is my web server. As always, any
> > suggestions would be most welcome. Pinging by name and by IP address
> > works fine both to and from the server and I can browse the server
> > from itself by both name and IP address.
> >
> > Regards
> >
> > Graham
> >
> >
> > For more information: http://www.automatedhome.co.uk
> > Post message: ukha_d@xxxxxxx
> > Subscribe:  ukha_d-subscribe@xxxxxxx
> > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > List owner:  ukha_d-owner@xxxxxxx
> >
> > Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/


