The UK Home Automation Archive


RE: Re: IIS Worm


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Re: IIS Worm
  • From: "Mark Hetherington \(egroups\)" <mark.egroups@xxxxxxx>
  • Date: Thu, 20 Sep 2001 23:43:59 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

Graham,

Glad to hear that things seem to be finally looking up.

The IIS LockDown tool I mentioned in last night's email is very efficient
at securing the system. A system secured with it would not have been
vulnerable to Code Red/Blue or Nimda or similar attacks even without the
appropriate patches and service packs, so if you did not get a chance to
install it yet, that should be your first step towards security and is
something you can do while you are waiting on tech support. Since it is
quite a small download, even with the dodgy link it should not be too
tedious to upload. Although since your FTP is working, I guess uploading
is much less of a pain now.

Once everything is back up I am quite happy to, and I am sure others will
be as well, give tips on securing the system. It is easier once it has net
access since you will be able to install direct from the web some useful
utilities and we can check the system's integrity using various online
tools. We can also verify the settings for the remaining shares at that
time.

WRT AV software, you are correct in that it would not have been much
protection against this attack, but then AV software generally protects
against known and projected threats, so this applies to any system anyway.
It would have enabled you to fix the virus much more quickly though, since
the updates for the main packages were available within hours of the virus
first hitting servers, so it is a worthwhile system to have for that reason
if no other. Also if any of your customers have access to their hosting on
your server, you do not really want them "accidentally" uploading virii.
An AV solution is an integral part of any security solution so I strongly
recommend that you install something.

WRT L****x, it is not usually very well protected by a default install so
it would not be a plug and play security solution anyway. Securing L***x is
an art, as is securing Windows and IIS. Newer distributions do attempt to
offer auto security configurations, but even they are often seriously
flawed.

Shout up when the server is fully back online and let's give the L***x
peeps a run for their money :)

Mark.
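As an added example (not from Mark's post or from the list), here is a check for the two things Graham says he searched for in the quoted message below: dropped readme.eml files and the script snippet the worm appended to web pages. The snippet pattern is the widely documented Nimda one and is assumed to be "the signature" he means; the sample web root is constructed in a temporary directory so the check runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Widely documented marker Nimda appended to .htm/.html/.asp pages it
# touched (assumed here to be "the signature" Graham searched for). Matched
# loosely so whitespace or quote differences in a variant still trip it.
INJECTED_SCRIPT = re.compile(
    rb'window\.open\(\s*["\']readme\.eml["\']', re.IGNORECASE)
DROPPED_NAMES = {"readme.eml"}
WEB_EXTENSIONS = {".htm", ".html", ".asp"}


def scan_webroot(root):
    """Walk a web root and return (dropped_files, modified_pages).

    dropped_files: paths whose filename matches a worm-dropped file.
    modified_pages: web pages containing the injected readme.eml script.
    """
    dropped, modified = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in DROPPED_NAMES:
                dropped.append(str(path))
                continue
            if path.suffix.lower() in WEB_EXTENSIONS:
                # Read bytes: the page encoding is unknown and irrelevant.
                if INJECTED_SCRIPT.search(path.read_bytes()):
                    modified.append(str(path))
    return sorted(dropped), sorted(modified)


def build_sample_webroot():
    """Constructed sample tree (not real data): one clean page, one page
    with the appended script, and one dropped readme.eml in a subfolder."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.html").write_text("<html><body>Hello</body></html>")
    (root / "about.htm").write_text(
        '<html><body>About</body></html>\n<html><script language="JavaScript">'
        'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
        "</script></html>")
    (root / "images").mkdir()
    (root / "images" / "readme.eml").write_text("constructed placeholder")
    return root


if __name__ == "__main__":
    dropped, modified = scan_webroot(build_sample_webroot())
    print("dropped files:", dropped)
    print("pages with injected script:", modified)
```

Run it against a copy of a real web root rather than the live one; a hit in either list means the cleanup is not finished.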

> -----Original Message-----
> From: Graham Howe [mailto:graham@xxxxxxx]
> Sent: 20 September 2001 23:09
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: IIS Worm
>
>
> Believe it or not I have just got off the phone to them and after
> explaining all the symptoms (especially the fact the ftp in both
> directions is working) they also think that some sort of firewall or
> other security measure may have been invoked on their end. The co-located
> server team get in at 8am tomorrow so with any luck I may get this sorted
> then.
>
> The shares also appear to be OK as when viewing the server through
> network neighbourhood they don't appear. I guess they must be just admin
> shares after all.
>
> All in all this has been a thoroughly unpleasant experience and I really
> don't want it to happen again. But I must say I'm not sure what to do to
> protect myself (Linux boys, don't even think about suggesting it OK ;-)).
> I had applied the Code Red patches as soon as I came across them, but I
> had missed an earlier patch; from now on I will keep even more up to
> date. However, who is to say that the next worm/virus will exploit a hole
> that is already known/patched, and how would a virus checker have helped
> in this type of attack where the point of entry was through the web
> server (in other words a point that is supposed to be accessed by unknown
> visitors) and the virus was not known? Is there anything more I should be
> doing to protect myself, and do I have to become a network security
> expert just so I can develop and host web sites?
>
> Ironically I have just been appointed to do a web site for another
> client and returned this evening from a meeting with them where I
> discussed the design of the web site I'm doing for them. It was a great
> meeting and I'm sure that they are going to be pleased with the site when
> I finish it, yet right now I am wondering if I can cope with the stress
> of having to worry about their site stability on top of the others.
>
> Oh well, enough moaning; my problems are nothing compared with some poor
> souls this month. I'll shut up now.
>
> Graham
>
> > -----Original Message-----
> > From: Keith Doxey [mailto:ukha@xxxxxxx]
> > Sent: 20 September 2001 22:14
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] Re: IIS Worm
> >
> >
> > Have you contacted the hosting ISP to see if they have put any blocking
> > in place.
> >
> > One of the measures we took to stop the spread was to block port 80
> > which disabled all HTTP, thereby halting one means of spreading the
> > worm. Servers can still be pinged and FTP'd.
> >
> > Maybe your ISP realised it was infected and shut it off from the net to
> > try to prevent other infections.
> >
> > Just my 0.02
> >
> > I really don't want to see another worm or virus like this bugger :-(
> >
> > Keith
> >
> >
> > -----Original Message-----
> > From: Graham Howe [mailto:graham@xxxxxxx]
> > Sent: 20 September 2001 22:00
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] Re: IIS Worm
> >
> >
> > I actually managed to download all the patches at home and then
> > transfer them to the server. I also uninstalled IIS completely and
> > removed all my web sites for off-server 'cleaning'. I then copied a
> > fresh version of the IIS install files and reinstalled IIS. I also
> > reinstalled SP6 and all the patches. I have run find again for all
> > files associated with the worm, including searching in all files for
> > readme.eml and the signature. I can find nothing wrong. However the
> > shares are still there (which is not really concerning me too much) and
> > web browsing is not working to or from the server. This is extremely
> > serious as this is my web server. As always, any suggestions would be
> > most welcome. Pinging by name and by IP address works fine both to and
> > from the server and I can browse the server from itself by both name
> > and IP address.
> >
> > Regards
> >
> > Graham
> >
> >
> > For more information: http://www.automatedhome.co.uk
> > Post message: ukha_d@xxxxxxx
> > Subscribe:  ukha_d-subscribe@xxxxxxx
> > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > List owner:  ukha_d-owner@xxxxxxx
> >
> > Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/

