Ben,
We had exactly the same thing happen. Yesterday around 2:00, I got a call
that one of our web servers developed this particular problem. He said "do
you have any idea why the web and ftp services won't run for more than 5
minutes? I've rebooted several times and it doesn't help." My mind was
thinking that something got changed or corrupt and was causing the INET
service to hang...we've had that happen before on another box that had added
components. I sent him through a handful of diagnostic things that turned
up nothing. Around 3:30, I got that mail from EEYE and sent that off to him
saying "just for kicks...try this...". He called me back around 4:30 and
said he patched it and it seems to be running fine. 8:15 the next morning
and it's still up.
I told him to apply that patch as sort of a last resort to get the machine
back up. I now wish I had taken a few minutes to see what was happening now
that I know more about that worm. According to eeye, it creates 100
threads, 99 of which search for other IIS boxes, the last one infects your
own web pages. There are a few cases that they cannot narrow down where the
worm continues to create threads indefinitely. I'm guessing this happened
to us and it killed the inet service after a few minutes of creating
threads. Just a guess, though.
The weird thing is that I *thought* I patched all our boxes last month when
this thing came out. Maybe we just missed one.
--Todd.
----- Original Message -----
From: "IMail Admin at BC Web" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 8:54 PM
Subject: Re: [IMail Forum] IIS 5 - Chinese Worm
> We were apparently hit by this, but it didn't work exactly as described.
> I'm not sure if we got hit by something else at the same time (coincidence)
> or if the worm was unable to fully infect us, so it just got part way.
>
> In our case, the worm causes all our web services to stop. That is, the
> www, ftp, smtp, and similar services were stopped. If we restarted them,
> they would be stopped again within a few seconds. We applied the
> recommended MS patch (01-033), and that seems to have stopped the attack.
>
> Did anyone else see symptoms like ours? Also, the patches block the attack,
> but I'm wondering how to actually remove any infecting files from our
> systems.
>
> Ben Bednarz
> BC Web
>
> ----- Original Message -----
> From: "David Setzer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 19, 2001 2:56 PM
> Subject: [IMail Forum] IIS 5 - Chinese Worm
>
>
> > Slightly off topic but I know a lot of us are running IIS 5. This hit 5 of
> > our servers this am. Uses the same seed to generate random IPs for
> > additional targets so early infected machines get hit with each new
> > infectee. Patch seems to have worked. M$ support lines busy, hard to get
> > through.
> >
> > http://www.eeye.com/html/Research/Advisories/AL20010717.html
> >
> > http://support.microsoft.com/support/kb/articles/q300/9/72.asp?id=300972&SD=MSKB
> >
> > David
> >
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
> > An Archive of this list is available at:
> > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >