RE: WARNING: Hacker Alert

Randal, Phil Tue, 18 Sep 2001 08:43:48 -0700
>From NTBugTraq:

There have been numerous reports of IIS attacks being generated by
machines over a broad range of IP addresses. These "infected"
machines are using a wide variety of attacks which attempt to exploit
already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the
network.

A new worm, being called w32.nimda.amm, is being sent around. The
attachment is called README.EXE and comes as a MIME-type of
"audio/x-wav" together with some html parts. There appears to be no
text in this message when it is displayed by Outlook when in
Auto-Preview mode (always a good indication there's something not
quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks.
Amongst them appear to be several attacks that assume the machine is
compromised by Code Red II (looking for ROOT.EXE in the /scripts and
/msadc directory, as well as an attempt to use the /c and /d virtual
roots to get to CMD.EXE). Further, it attempts to exploit numerous
other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a
file called ADMIN.DLL from (presumably) some previously compromised
box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL
in the /scripts directory), please forward me a copy of that .dll
ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
the following;

edit %systemroot/system32/drivers/etc/services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by
Windows File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -----Original Message-----
> From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
> Sent: 18 September 2001 16:28
> To: NT System Admin Issues
> Subject: RE: WARNING: Hacker Alert
> 
> 
> http://www.nipc.gov/warnings/advisories/2001/01-021.htm
> 
> 
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
RE: WARNING: Hacker Alert

Reply via email to
