I saw that on a server that had the patch. I think another machine that was infected
was bombing the patched server (trying to infect it) and the patched server at that
point couldn't handle the traffic. I know I saw my firewall creep to a halt from
multiple servers trying to infect my web servers.
---------- Original Message ----------------------------------
From: "Domain Administrator" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 24 Jul 2001 08:01:15 -0700
>I saw exactly the same thing... on a box I would have bet money had the
>patch... but must not have...
>
>----- Original Message -----
>From: "Madscientist" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Monday, July 23, 2001 3:26 PM
>Subject: RE: [IMail Forum] IIS 5 - Chinese Worm
>
>
>> We saw that on the IIS4 box we have.
>>
>> | -----Original Message-----
>> | From: [EMAIL PROTECTED]
>> | [mailto:[EMAIL PROTECTED]]On Behalf Of IMail Admin at
>> | BC Web
>> | Sent: Thursday, July 19, 2001 8:55 PM
>> | To: [EMAIL PROTECTED]
>> | Subject: Re: [IMail Forum] IIS 5 - Chinese Worm
>> |
>> |
>> | We were apparently hit by this, but it didn't work exactly as described.
>> | I'm not sure if we got hit by something else at the same time (coincidence)
>> | or if the worm was unable to fully infect us, so it just got part way.
>> |
>> | In our case, the worm causes all our web services to stop. That is, the
>> | www, ftp, smtp, and similar services were stopped. If we restarted them,
>> | they would be stopped again within a few seconds. We applied the
>> | recommended MS patch (01-033), and that seems to have stopped the attack.
>> |
>> | Did anyone else see symptoms like ours? Also, the patches block the attack,
>> | but I'm wondering how to actually remove any infecting files from our
>> | systems.
>> |
>> | Ben Bednarz
>> | BC Web
>> |
>> | ----- Original Message -----
>> | From: "David Setzer" <[EMAIL PROTECTED]>
>> | To: <[EMAIL PROTECTED]>
>> | Sent: Thursday, July 19, 2001 2:56 PM
>> | Subject: [IMail Forum] IIS 5 - Chinese Worm
>> |
>> |
>> | > Slightly off topic but I know a lot of us are running IIS 5. This hit 5 of
>> | > our servers this am. Uses the same seed to generate random IPs for
>> | > additional targets so early infected machines get hit with each new
>> | > infectee. Patch seems to have worked. M$ support lines busy, hard to get
>> | > through.
>> | >
>> | > http://www.eeye.com/html/Research/Advisories/AL20010717.html
>> | >
>> | > http://support.microsoft.com/support/kb/articles/q300/9/72.asp?id=300972&SD=MSKB
>> | >
>> | > David
>> | >
>> | >
>> | > Please visit http://www.ipswitch.com/support/mailing-lists.html
>> | > to be removed from this list.
>> | >
>> | > An Archive of this list is available at:
>> | > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>> | >