> "Code Red" exploits the IIS vulnerability referenced in
> http://www.eeye.com/html/Research/Advisories/AD20010618.html
> and CA-2001-13. OK. But how can one exactly determine, if a system has
> been compromised?

Examining threads executed in inetinfo.exe. Threads can be displayed with the tlist.exe tool (which is part of "Windows 2000 Support Tools" and can be found on the installation CD-ROM). Of course, sniffing HTTP connections initiated from the WWW server will reveal the worm too - if it's not "sleeping".

> In the full analysis (http://www.eeye.com/html/advisories/codered.zip)
> it is said that the worm sets up 100 threads. But in what context are
> they running? How, if at all, can they be seen in Task Manager or another
> tool? I would guess IIS.exe taking up more memory and processing power
> than normal may be an indication?

The IIS process is named "inetinfo.exe", not iis.exe. This process is executing the worm code. Sadly, it's running as the "LocalSystem" account, which is equivalent to local root on unices. That's why the security hole exploited by the worm is so dangerous. Fortunately Code Red is not hacking the local system (does not try to reconfigure it permanently, put backdoors etc.), but other worms do not need to be so "polite".

> So how to find dormant "code red" instances?

Once again: examine inetinfo.exe threads. I'm unable to say more at the moment, as I do not have the worm handy to examine what its working threads look like.

> If I'm not mistaken a reboot would clear "code red".

Yes, you are right.

> So should anybody reboot and patch? What would be the generic "safe"
> answer to customers?

A sample response would look like:

---
It's high time to install:

Windows 2000 Service Pack 2
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp

and hotfixes:

Q297860
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764
IIS 5.0 Security and Post-Windows NT 4.0 SP5 IIS 4.0 Patch Rollup

Q300972
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Unchecked Buffer in ISAPI Extension Can Cause Server Compromise

Remember to restart your server after installing the service pack and each hotfix!
---

The worm is using only the last exploit (Q300972), but the others are also critical for IIS security.

> securityat_private came back as "account disabled". Other obvious
> addresses did not result in any reaction.

Try secureat_private (Microsoft owns the @hotmail.com server).

Regards
B.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
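Reading the server's own IIS log for the overflow request is a complementary check to the thread inspection recommended in the message above. This is an added Python example, not part of the original post; the default.ida request shape it looks for (a long run of one repeated character followed by %u-encoded bytes, aimed at the .ida ISAPI extension) is taken from public Code Red analyses rather than from this message, and the log lines are constructed.

```python
import re

# Constructed W3C Extended IIS log sample (not from the original post).
# The second and fourth data lines carry the Code Red request shape: a long
# run of one repeated character, then %u-encoded bytes, sent to default.ida.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:01:02 192.0.2.10 GET /index.html - 200",
    "2001-07-19 10:01:09 198.51.100.7 GET /default.ida "
    + "N" * 60 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-07-19 10:02:15 192.0.2.22 GET /default.ida - 404",
    "2001-07-19 10:03:40 203.0.113.5 GET /default.ida "
    + "X" * 60 + "%u9090%u6858 404",
])

# Query signature: 51 or more copies of the same character, then a %uXXXX byte.
IDA_OVERFLOW = re.compile(r"^(.)\1{50,}.*?%u[0-9a-fA-F]{4}")


def parse_w3c(text):
    """Turn W3C Extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):  # skip truncated or garbled lines
            rows.append(dict(zip(fields, parts)))
    return rows


def find_ida_overflow_attempts(text):
    """Return log rows whose .ida request query matches the overflow signature."""
    return [
        row for row in parse_w3c(text)
        if row["cs-uri-stem"].lower().endswith(".ida")
        and IDA_OVERFLOW.match(row["cs-uri-query"])
    ]


def reached_isapi(hits):
    """Hits answered 200: IIS handed the request to the ISAPI extension, so
    these are the servers whose inetinfo.exe threads should be examined.
    A 404 typically means the .ida script mapping had already been removed."""
    return [row for row in hits if row["sc-status"] == "200"]
```

Run it against a real IIS log by passing the file contents to find_ida_overflow_attempts; rows returned by reached_isapi are the hosts to inspect with tlist.exe as described in the message.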
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 11:31:45 PDT