[lug] possible intrusion

D. Stimits stimits at idcomm.com
Thu Jul 19 14:13:52 MDT 2001


"Michael J. Hammel" wrote:
> 
> Thus spoke Calvin Dodge
> > Even if this is not the specific exploit being tried against your server, it does seem to be an IIS-only issue.  So if you're using Apache you should be OK (I see other IIS exploits once or twice a month on our Apache server).
> 
> Not exactly.  BugTraq has been brewing with discussion on this.  It appears
> some Cisco DSL routers with Web-enabled interfaces are also vulnerable.
> There may be other systems as well.

Getting into the Cisco could be a way to neutralize any firewalling it
has, assuming it is being used that way. It's an interesting issue.

Deva, do you use a Cisco DSL router? If so, can you block its web access
port? Anyway, the Linux box itself, and Apache, will be immune to this I
think. My checks on the port 80 of several hits I'm getting all indicate
MS IIS...if the machines being infected are MS, it makes sense that they
would also be trying to infect more MS machines. Then again, we don't
know about the machines hitting Deva.

Deva, try this on the attacking URLs (and yes, it is legal). telnet
wherever.com 80, which gets you to the web server. Type:
GET
<hit enter key>

See if it mentions MS or IIS near the top of the output. It's an easy
way to see what web server is running. If it has actual web page
content, you might get the HTML scroll of their default web page, so set
your scrollback large enough for the task.

D. Stimits, stimits at idcomm.com

> 
> (Long URLs coming - prepare yourself...)
> 
> The Red Worm (as this is being called) analysis:
> http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26start%3D2001-07-15%26mid%3D197828%26threads%3D0%26end%3D2001-07-21%26fromthread%3D0%26
> 
> The first note of other systems being vulnerable:
> http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26start%3D2001-07-15%26mid%3D197992%26threads%3D0%26end%3D2001-07-21%26fromthread%3D0%26
> 
> --
> Michael J. Hammel           |
> The Graphics Muse           |   Democracy is a beautiful thing, except for that
> mjhammel at graphics-muse.org  |     part about letting just any old yokel vote.
> http://www.graphics-muse.com
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
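
The telnet check described in the message above, as an added Python example (not part of the original post). It assumes a HEAD request instead of the bare GET so that only headers come back and no page body scrolls past; parse_banner, fetch_banner and the sample replies are constructed for illustration.

```python
import socket

# Constructed sample replies (not captured from any real host).
SAMPLE_IIS = (b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/5.0\r\n"
              b"Content-Type: text/html\r\n\r\n<html>Bad Request</html>")
SAMPLE_APACHE = b"HTTP/1.1 200 OK\r\nserver: Apache/1.3.20 (Unix)\r\n\r\n"
SAMPLE_BARE = b"<html><body>default page</body></html>\n"

def parse_banner(raw):
    """Return status line, Server header and a coarse family from a raw reply."""
    text = raw.decode("latin-1")
    sep = "\r\n\r\n" if "\r\n\r\n" in text else "\n\n"
    lines = text.split(sep, 1)[0].splitlines()  # header block only, never the body
    if not lines or not lines[0].startswith("HTTP/"):
        # Header-less reply (old HTTP/0.9 style): only page content came back.
        return {"status": None, "server": None, "family": "unknown"}
    server = None
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "server":  # header names are case-insensitive
            server = value.strip()
            break
    low = (server or "").lower()
    if "microsoft-iis" in low:
        family = "iis"
    elif "apache" in low:
        family = "apache"
    else:
        family = "other" if server else "unknown"
    return {"status": lines[0].strip(), "server": server, "family": family}

def fetch_banner(host, port=80, timeout=5.0):
    """Connect like 'telnet host 80', send HEAD /, and parse what comes back."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        try:
            while total < 8192:           # headers are small; cap what we read
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
        except socket.timeout:
            pass                          # keep whatever arrived before the timeout
    return parse_banner(b"".join(chunks))

if __name__ == "__main__":
    for sample in (SAMPLE_IIS, SAMPLE_APACHE, SAMPLE_BARE):
        print(parse_banner(sample))
```

The Server header is whatever the remote administrator configured, so it can be altered or suppressed; treat the result as a hint when sorting through log entries, not as proof.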


