Re: new IIS worm? (rcp lsass.exe)

From: Christoph Puppe (puppeat_private)
Date: Wed Sep 25 2002 - 02:17:29 PDT


    zeno wrote:
    > Does anyone know of a gui windows tool that scans your system and provides you with a list
    > of needed patches, and then allows you to select, and have it autodownload and install them?
    > I can't seem to find one (needed mostly for iis).
    
    Try the IIS Lockdown Tool; it removes most extensions (htw, idq et al.) and, 
    even more important, removes the execute permission from command line 
    tools which are commonly used by attackers (cmd, tftp, ...).
    
    Remember to re-run it after installing a SP!
    
    It installs URLScan as well, but this seems to be a little flask of 
    snake oil, because it checks URLs before they go into the deeper layers 
    of IIS (remember the first 3 patches for the double-encoding and 
    Unicode vulns!).
    
    Remember to scan your hosts often (like once a week) with a security 
    scanner, for example Nessus.org or IIS or Lanscan from GFI.
    
    -- 
    With kind regards,
    Christoph Puppe
    
    We secure your business.(TM)
    ***************************************************************
    HiSolutions AG                phone:  +49 30 533289-0
    Bouchestrasse 12                fax:  +49 30 533289-99
    D-12435 Berlin                  www:  http://www.HiSolutions.com/
    ***************************************************************
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
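The double-encoding and Unicode issues the message alludes to, as an added example that is not part of the original post and does not reproduce URLScan's actual logic: a check that decodes a URL once can miss input that a deeper layer decodes again, so a log review should inspect the fully decoded form. The log format, addresses and URLs below are constructed, and all function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

TRAVERSAL = re.compile(rb"\.\.[\\/]")
# Bytes 0xC0/0xC1 can only begin an overlong 2-byte sequence; never valid UTF-8.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

# Constructed sample lines (simplified format: date time client method url status).
SAMPLE_LOG = [
    "2002-09-25 09:17:29 192.0.2.10 GET /docs/my%20file.html 200",
    "2002-09-25 09:17:31 192.0.2.66 GET /a/..%255cb/file.txt 404",
    "2002-09-25 09:17:32 192.0.2.66 GET /a/..%c0%afb/file.txt 404",
]

def decode_passes(raw, limit=5):
    """Percent-decode until stable; return (final bytes, passes that changed it)."""
    passes = 0
    while passes < limit:
        nxt = unquote_to_bytes(raw)
        if nxt == raw:
            break
        raw, passes = nxt, passes + 1
    return raw, passes

def naive_check(url):
    """Filter model: decode once, then look for a traversal sequence."""
    return bool(TRAVERSAL.search(unquote_to_bytes(url)))

def classify(url):
    """Check the fully decoded form and report why a URL is suspicious."""
    final, passes = decode_passes(url)
    reasons = []
    if passes > 1:
        reasons.append("multiple-encoding")
    if OVERLONG.search(final):
        reasons.append("overlong-utf8")
    if TRAVERSAL.search(final):
        reasons.append("traversal")
    return reasons

def scan_log(lines):
    """Return (url, reasons, caught_by_naive_check) for every flagged line."""
    hits = []
    for line in lines:
        url = line.split()[4].encode("latin-1")
        reasons = classify(url)
        if reasons:
            hits.append((url.decode("latin-1"), reasons, naive_check(url)))
    return hits
```

Calling `scan_log(SAMPLE_LOG)` flags the second and third lines, and the last element of each tuple shows that the decode-once check reports neither.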
    


