Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)

From: Christoph Puppe <puppe () hisolutions com>
Date: Wed, 25 Sep 2002 11:17:29 +0200

zeno wrote:

Does anyone know of a gui windows tool that scans your system and provides you with a list
of needed patches, and then allows you to select, and have it autodownload and install them?
I can't seem to find one (needed mostly for iis).

Try the IIS Lockdown Tool, removes most extensions (htw, idq et all) andeven more important, removes the execute permission from command linetools which are commonly used by attackers (cmd, tftp, ...).


Remember to re-run it after installing a SP!

It installs the URLScann as well, but this seems to be a little flask ofsnake oil, because it checks URLs before they go into the deeper layersof the IIS (remember the first 3 Patches for the doubel-encoding andUnicode Vulns!).

Remember to scan your hosts often (like once a week) with a securityscanner, for example Nessus.org or IIS or Lanscan from GFI.


--
Mit freundlichen Gruessen,
Christoph Puppe

We secure your business.(TM)
***************************************************************
HiSolutions AG                phone:  +49 30 533289-0
Bouchestrasse 12                fax:  +49 30 533289-99
D-12435 Berlin                  www:  http://www.HiSolutions.com/
***************************************************************



____________________________________

E-Mail Disclaimer

Der Inhalt dieser E-Mail ist ausschliesslich fuer den bezeichneten
Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat
dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie

bitte, dass jede Form der Kenntnisnahme, Veroeffentlichung,Vervielfaeltigung oder Weitergabe des Inhalts dieser E-Mailunzulaessig ist. Wir bitten Sie, sich in diesem Fall mit dem Absenderder E-Mail in Verbindung zu setzen.The information contained in this email is intended solelyfor the addressee. Access to this email by anyone else isunauthorized. If you are not the intended recipient, any formof disclosure, reproduction, distribution or any action takenor refrained from in reliance on it, is prohibited and may beunlawful. Please notify the sender immediately.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

Slapper worm DoS, (continued)
- - Slapper worm DoS james (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 24)
  - Re: new IIS worm? (rcp lsass.exe) Eloy A. Paris (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Mark Challender (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
  - Re: new IIS worm? (rcp lsass.exe) James Williams (Sep 24)
  - RE: new IIS worm? (rcp lsass.exe) Ben Timby (Sep 24)
  - Re: new IIS worm? (rcp lsass.exe) sunzi (Sep 25)
  - Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
    - Re: new IIS worm? (rcp lsass.exe) Faisal Ashraf (Sep 26)
  - Re: new IIS worm? (rcp lsass.exe) Christoph Puppe (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Dostie, Joe (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) webbi (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) Gaydosh, Adam (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) David LeBlanc (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Dallas Jordan (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Bax . Plemons (Sep 26)

(Thread continues...)