nanog mailing list archives

RE: Code Red 2 cleanup; reporting..


From: Roeland Meyer <rmeyer () mhsc com>
Date: Fri, 10 Aug 2001 08:51:06 -0700


I should have been more clear [comments about nit-picky bit-heads, removed].


Win2K Active Directory clients run some parts of IIS, in order to support
Active Directory, even if you never installed IIS explicitly. In particular,
there is some serious LDAP/IIS integration here. Note the option to share a
directory on the web: how do you think that happens? Also note that users
very often don't understand the difference between SMB file sharing and Web
Sharing, and Win2K goes to great lengths to obfuscate those two anyway.

Win2K is a major re-write of the Domain Controller and its clients. Expect
large bugs, roaches the size of small dogs. MSFT [lack of] design QA is well
known. If you've never built large software systems, you'd not know that you
can integration-test the hell out of one [large software system] and still
never catch design flaws because it all meets specification. It is the
specifications that are wrong. The exploit that CodeRed uses is a classic
example. The only thing that works there is remorseless/ruthless high-level
architectural peer review. MSFT doesn't do those. They replace that process
with a bazillion integration testers.


-----Original Message-----
From: Tim Devries [mailto:Tim.Devries () Q9 com]
Sent: Friday, August 10, 2001 8:23 AM
To: 'Roeland Meyer'; 'up () 3 am'; nanog () merit edu
Subject: RE: Code Red 2 cleanup; reporting.. 



-----Original Message----- 
From: Roeland Meyer [mailto:rmeyer () mhsc com] 
Sent: Friday, August 10, 2001 11:22 AM 
To: 'up () 3 am'; nanog () merit edu 
Subject: RE: Code Red 2 cleanup; reporting.. 



From: up () 3 am [mailto:up () 3 am] 
Sent: Friday, August 10, 2001 8:09 AM 

On Fri, 10 Aug 2001, Roeland Meyer wrote: 

Win2K boxen are ALWAYS running IIS. It doesn't matter whether you have Pro
or Server. ALL Win2K systems need to run the patch. MSFT chose to integrate
much of the IIS stuff into DLLs with other system critical stuff. As a
result, IIS can't be completely removed without killing off other critical
functions. Yes, what they proved in court is even more true with Win2K than
with Win98 (Duh! MSFT didn't lie, but they didn't tell the whole truth
either). WinXP is even more in that direction, from all reports.

I admit to knowing very little about Win2k, but on the only box I've 
installed Win2k on, it doesn't *appear* to be running: 

Port    State       Protocol  Service 
135     open        tcp        loc-srv 
139     filtered    tcp        netbios-ssn 
445     open        tcp        microsoft-ds 
1025    open        tcp        list 

...unless it runs on one of those 3 other open ports?  This was Win2k 
Client, not server, BTW...perhaps you mean every Win2k Server? 
Win2k professional can run IIS. Go to add/remove programs --> add/remove
windows components --> IIS.
You probably did not select the component on the install. 
So I guess that means that not every w2k box is vulnerable. 
Tim 
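The scan table quoted above is the kind of evidence a defender would check during a Code Red cleanup: Code Red spread over TCP/80, so the practical question for each host is whether a web listener is reachable at all. The script below is an added example, not code from anyone in this thread. It parses the four-column port table as posted (Port, State, Protocol, Service), keeps only TCP ports reported as open, and reports whether 80 or 443 is among them. The second sample, with a port 80 row added, is constructed for contrast; its service name is assumed, not taken from the page. An external scan only shows reachable listeners, so "filtered" ports and locally installed components that are not listening do not appear, which is why the check is framed as exposure rather than as proof of what is installed.

```python
"""Parse nmap-style port tables and flag hosts with an exposed web listener.

Added example, not from the NANOG thread. Assumes the scan output uses the
four-column layout quoted in the thread (Port, State, Protocol, Service).
"""
import re

# Web ports an IIS instance would normally listen on. Code Red spread over
# TCP/80; 443 is included so an HTTPS-only web host is not missed.
WEB_PORTS = {80, 443}

# Matches one table row, e.g. "135     open        tcp        loc-srv".
# The header line ("Port    State ...") does not start with digits and is skipped.
ROW = re.compile(r"^\s*(\d{1,5})\s+(\S+)\s+(tcp|udp)\s+(\S+)\s*$", re.IGNORECASE)


def parse_scan(text):
    """Return (port, state, proto, service) tuples for each table row.

    Lines that do not match the row layout (headers, prose, blank lines) are
    skipped rather than raising, so a pasted message body can be fed in whole.
    """
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(),
                         m.group(3).lower(), m.group(4)))
    return rows


def open_tcp_ports(rows):
    """Set of TCP ports the scanner reported as open ("filtered" is not reachable)."""
    return {port for port, state, proto, _ in rows
            if proto == "tcp" and state == "open"}


def web_exposure(rows):
    """Open web ports on the host; an empty set means no reachable HTTP(S) listener."""
    return open_tcp_ports(rows) & WEB_PORTS


# Scan output as quoted in the thread (Win2k Professional, IIS component not selected).
THREAD_SCAN = """\
Port    State       Protocol  Service
135     open        tcp        loc-srv
139     filtered    tcp        netbios-ssn
445     open        tcp        microsoft-ds
1025    open        tcp        list
"""

# Constructed contrast case: the same host profile with a web listener on TCP/80.
# The service label "http" is assumed here, not taken from the thread.
IIS_SCAN = THREAD_SCAN + "80      open        tcp        http\n"


if __name__ == "__main__":
    for label, text in (("thread host", THREAD_SCAN),
                        ("constructed web host", IIS_SCAN)):
        exposed = web_exposure(parse_scan(text))
        if exposed:
            verdict = "web listener exposed on %s" % sorted(exposed)
        else:
            verdict = "no reachable web listener"
        print("%s: %s" % (label, verdict))
```

Run over the thread's own table the result is an empty set (ports 135, 445 and 1025 are open, none of them web ports); the constructed sample reports port 80. Feeding a whole archived message body to `parse_scan` works because non-matching lines are ignored.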

