In message <3B7360B4.71755CA7@deaddrop.org>, Etaoin Shrdlu writes:
mike harrison wrote:
FWIW, I just tried to telnet to the 20 most recent hosts I got Code Red II probes from, and didn't get a shell prompt on any of them. Are people cleaning up their boxes that quickly?
I have been told, but not personally confirmed, of non-IIS machines being infected with CodeRed (I or II not known, assume II). Infection method: running a file from somewhere? They still scan out and seek victims, just no webserver running.
Spent nearly two days convincing someone who was managing a server that he was beating up machines all over the company. It finally took someone at close to VP level to get him to fix it. Last I heard, he was saying something on the phone like "Yes sir, you're right sir. Sorry sir." The thing that sucks is that he KNEW he couldn't be a problem, since he wasn't running IIS. I had the packet captures and obvious grabs for default.ida to prove it.
Believe it. I have at least three verified, and that was using web server logs they'd hit, and ethereal running on the openbsd machine in my office, which sits right next to the local building router. [Yes, it's true. IRL, I work for Big Company X.]
So -- if he wasn't running IIS, what was he running?

--Steve Bellovin, http://www.research.att.com/~smb
"Steven M. Bellovin" wrote:
In message <3B7360B4.71755CA7@deaddrop.org>, Etaoin Shrdlu writes:
[judicious clipping]
Believe it. I have at least three verified, and that was using web server logs they'd hit, and ethereal running on the openbsd machine in my office, which sits right next to the local building router. [Yes, it's true. IRL, I work for Big Company X.]
So -- if he wasn't running IIS, what was he running?
Just a server, with the indexing vulnerability thing present and exploited. It started a service at port 80 for him (lucky guy), but he had definitely not started IIS. In fact, it had that stupid default page up that I've usually seen in the past when some application installs the "personal web server" for an unsuspecting user. I'm a little tired, and suspect that I no longer have the specific stuff that was from that machine, but it wasn't showing anything at port 80 before 12:08 on Wednesday last, and it sure was after.

It lives in a DHCP range (what's a server doing on DHCP? I don't know, he's already shown that he doesn't think things through), so I occasionally look for anon ftp and web servers, usually set up by crap that people install from MS without realizing that they are now open to the world (at least internally; they got pretty strict on the firewall rules quite a while back). It looked like it was just a big disk space thing to me, although the /scripts/root.exe directory did show up after he was exploited. I'll have to ask him what the purpose of the machine was after things calm down.

You know, it's really bad when the television news folk are the biggest security resource for people who should know better. I wish I had the opportunity to take any of the three machines apart (out of curiosity, and in the interest of furthering knowledge of the thing), but they are already scrubbed (sort of) and back in service. I think that they've just run that thing that MS offered up that removes the trojans and changes the registry entries back. Personally, I believe that a triple low level format is the appropriate response for trojans and virii (format, change the disk geometry, format, change it back, format), but they don't let me make policy. Bummer.

-- 
Open source should be about giving away things voluntarily. When you force someone to give you something, it's no longer giving, it's stealing.
Persons of leisurely moral growth often confuse giving with taking. -- Larry Wall
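The two log artifacts this thread leans on are the default.ida grabs (which identify the *source* host as infected and scanning, whatever the probed server answers) and the /scripts/root.exe backdoor that Code Red II leaves behind (which, if the logging host answers it with a 200, says that host is compromised). The script below checks a web log for both. It is an added example written for this page, not code from anyone in the thread; the log lines are constructed, the N-versus-X padding split is the published Code Red I / Code Red II distinction, and the two root.exe locations (/scripts and /MSADC) are where Code Red II copies cmd.exe.

```python
import re
from collections import Counter, defaultdict

# Tail of the real Code Red request line (the %u-encoded jump into the
# shellcode). The padding run before it is 224 characters in the worm;
# shortened here for readability.
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090"
           "%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed sample log in NCSA common log format (what Apache writes and
# IIS can be told to write). Not captures from the thread.
SAMPLE_LOG = "\n".join([
    f'10.1.2.3 - - [08/Aug/2001:12:08:41 -0700] "GET /default.ida?{"X"*40}{PAYLOAD} HTTP/1.0" 200 -',
    f'10.1.2.7 - - [08/Aug/2001:12:09:02 -0700] "GET /default.ida?{"N"*40}{PAYLOAD} HTTP/1.0" 200 -',
    '10.1.2.3 - - [08/Aug/2001:12:10:15 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1432',
    '10.1.2.3 - - [08/Aug/2001:12:10:16 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 1432',
    '10.1.5.9 - - [08/Aug/2001:12:11:00 -0700] "GET /index.html HTTP/1.1" 200 2048',
    # A probe against a non-IIS box: 404, but the source is still infected.
    f'10.1.2.11 - - [08/Aug/2001:12:12:30 -0700] "GET /default.ida?{"X"*40}{PAYLOAD} HTTP/1.0" 404 -',
]) + "\n"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red I pads the .ida overflow with 'N', Code Red II with 'X'.
CODE_RED_RE = re.compile(r'^/default\.ida\?([NX])\1{19,}', re.IGNORECASE)
# Code Red II drops a copy of cmd.exe as root.exe in these two directories;
# any request for it is someone driving the backdoor.
ROOT_EXE_RE = re.compile(r'^/(scripts|msadc)/root\.exe', re.IGNORECASE)


def parse_line(line):
    """Split one common-log-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(uri):
    """Return 'codered1', 'codered2', 'root.exe' or None for one request URI."""
    m = CODE_RED_RE.match(uri)
    if m:
        return "codered1" if m.group(1).upper() == "N" else "codered2"
    if ROOT_EXE_RE.match(uri):
        return "root.exe"
    return None


def scan_log(text):
    """All worm-related requests in the log, oldest first."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["uri"])
        if kind:
            events.append({"ip": rec["ip"], "ts": rec["ts"],
                           "kind": kind, "status": rec["status"]})
    return events


def probe_sources(events):
    """Hosts that sent default.ida probes, with a per-variant count. Each of
    these is itself infected and scanning, regardless of what we answered."""
    src = defaultdict(Counter)
    for e in events:
        if e["kind"].startswith("codered"):
            src[e["ip"]][e["kind"]] += 1
    return dict(src)


def backdoor_used(events):
    """True if this server answered a root.exe request with 200: the backdoor
    exists on the logging host, as with the /scripts/root.exe sighting above."""
    return any(e["kind"] == "root.exe" and e["status"] == 200 for e in events)


if __name__ == "__main__":
    ev = scan_log(SAMPLE_LOG)
    for ip, kinds in sorted(probe_sources(ev).items()):
        print(f"{ip}: {dict(kinds)}")
    print("root.exe backdoor answered on this host:", backdoor_used(ev))
```

Two points the output makes that the thread argues over: a default.ida probe logged with a 404 still convicts the *source* address, so the "I'm not running IIS" defence is irrelevant to whether a box is scanning others; and a served root.exe request is evidence about the *logging* host, which is the artifact worth looking for on the machine that "never had a web server".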
On Fri, 10 Aug 2001 02:11:21 PDT, Etaoin Shrdlu <shrdlu@deaddrop.org> said:
It started a service at port 80 for him (lucky guy), but he had definitely not started IIS. In fact, it had that stupid default page up that I've usually seen in the past when some application installs the "personal web server" for an unsuspecting user. I'm a little tired, and suspect that I no
Aha. I have been told that the *most* common reason for finding IIS on a non-server install of NT or W2K is that although IIS is *NOT* installed by default on non-server boxes, it *IS* installed if you are upgrading and it finds traces of 'Personal Web Server'. Would that explain what you're seeing?

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
Valdis.Kletnieks@vt.edu wrote:
On Fri, 10 Aug 2001 02:11:21 PDT, Etaoin Shrdlu <shrdlu@deaddrop.org> said:
It started a service at port 80 for him (lucky guy), but he had definitely not started IIS. In fact, it had that stupid default page up that I've usually seen in the past when some application installs the "personal web server" for an unsuspecting user. I'm a little tired, and suspect that I no
Aha.
I have been told that the *most* common reason for finding IIS on a non-server install of NT or W2K is that although IIS is *NOT* installed by default on non-server boxes, it *IS* installed if you are upgrading and it finds traces of 'Personal Web Server'.
Would that explain what you're seeing?
Good call. That is indeed what appears to have happened. I am still seeing "odd" behaviour from that machine, and there are a lot of inappropriate ports open on it (maybe explainable, maybe not). There may be an update on monday. Since officially that machine never had a web server on it, it took a little behind the scenes work to verify this. I feel quite relieved, truthfully. I like the world to keep working in an explainable and rational manner (yeah, yeah, I know, but I do).

-- 
Open source should be about giving away things voluntarily. When you force someone to give you something, it's no longer giving, it's stealing.
Persons of leisurely moral growth often confuse giving with taking. -- Larry Wall
participants (3): Etaoin Shrdlu, Steven M. Bellovin, Valdis.Kletnieks@vt.edu