Security Incidents mailing list archives

Re: code red - some questions


From: "Bronek Kozicki" <brok () rubikon pl>
Date: Mon, 23 Jul 2001 17:44:42 +0200

"Code Red" exploits the IIS vulnerability referenced in
http://www.eeye.com/html/Research/Advisories/AD20010618.html
and CA-2001-13. OK. But how exactly can one determine if a system has
been compromised?

Examine the threads executed in inetinfo.exe. Threads can be displayed with
the tlist.exe tool (which is part of the "Windows 2000 Support Tools" and can
be found on the installation CD-ROM). Of course, sniffing HTTP connections
initiated from the WWW server will reveal the worm too - if it's not "sleeping".


In the full analysis (http://www.eeye.com/html/advisories/codered.zip)
it is said that the worm sets up 100 threads. But in what context are
they running? How, if at all, can they be seen in Task Manager or another
tool? I would guess IIS.exe taking up more memory and processing power
than normal may be an indication?

The IIS process is named "inetinfo.exe", not iis.exe. This process is executing
the worm code. Sadly, it's running as the "LocalSystem" account, which is
equivalent to local root on Unices. That's why the security hole exploited by
the worm is so dangerous. Fortunately Code Red is not hacking the local system
(it does not try to reconfigure it permanently, put in backdoors, etc.), but
other worms do not need to be so "polite".

So how to find dormant "code red" instances?

Once again: examine the inetinfo.exe threads. I'm unable to say more at the
moment, as I do not have the worm handy to examine what its working threads
look like.

If I'm not mistaken a reboot would clear "code red".

Yes, you are right.

So should anybody reboot and patch? What would be the generic "safe"
answer to customers?

A sample response would look like:
---
It's high time to install: Windows 2000 Service Pack 2
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp
and hotfixes:
Q297860 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764
IIS 5.0 Security and Post-Windows NT 4.0 SP5 IIS 4.0 Patch Rollup
Q300972 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Unchecked Buffer in ISAPI Extension Can Cause Server Compromise
Remember to restart your server after installing the service pack and each
hotfix!
---

The worm is using only the last exploit (Q300972), but the others are also
critical for IIS security.

security () hotmail com came back as "account disabled". Other obvious
addresses did not result in any reaction.

Try secure () microsoft com (Microsoft owns the @hotmail.com server).


Regards

B.
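The message above makes two detection points: the worm runs inside inetinfo.exe, and sniffing the HTTP connections the web server itself initiates will reveal it. The following is an added example (not code from the original post or from the eEye analysis) that turns the second point into a check. It assumes captured HTTP traffic around the IIS host has already been reduced to (source IP, destination IP, request line) records; the records and the addresses below are constructed for illustration. The request shape it looks for (a long run of one filler letter in the .ida query string followed by %u-encoded bytes) is the Code Red propagation request as documented in the public worm analyses. The useful distinction is direction: the same request arriving at the server means someone is scanning it, while the same request leaving the server means inetinfo.exe is already running the worm.

```python
"""Classify .ida overflow requests by direction relative to our own IIS hosts.

Added example, not from the original post. Sample records are constructed.
"""
import re

# Code Red propagation request: the .ida (or .idq) ISAPI extension is hit with a
# query string of a few hundred identical filler bytes followed by %uXXXX code.
# The backreference \1 requires the filler to be one repeated letter (N for the
# original worm, X for the later variant), so ordinary Index Server queries
# such as /search.idq?CiRestriction=... do not match.
IDA_OVERFLOW = re.compile(
    r"^(?:GET|HEAD|POST)\s+/[^\s?]*\.id[aq]\?([A-Za-z])\1{100,}.*%u[0-9a-fA-F]{4}",
    re.IGNORECASE,
)

# Constructed sample: the first %u groups of the documented Code Red request,
# abbreviated (the real request carries more encoded code before "HTTP/1.0").
CODE_RED_REQUEST = (
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
)

WEB_SERVER = "203.0.113.10"  # our IIS host (made-up address)

SAMPLE_RECORDS = [
    # (source IP, destination IP, request line) -- all constructed
    ("10.0.0.5", WEB_SERVER, "GET /index.html HTTP/1.0"),                    # normal request
    ("198.51.100.7", WEB_SERVER, CODE_RED_REQUEST),                          # someone scanning us
    (WEB_SERVER, "192.0.2.44", CODE_RED_REQUEST),                            # our server scanning others
    (WEB_SERVER, "192.0.2.45", CODE_RED_REQUEST),
    ("10.0.0.6", WEB_SERVER, "GET /default.ida?NNN HTTP/1.0"),               # far too short for the overflow
    ("10.0.0.7", WEB_SERVER, "GET /search.idq?CiRestriction=foo HTTP/1.0"),  # legitimate Index Server query
]


def classify(records, server_ips):
    """Bucket overflow requests: inbound (we are a target), outbound (we are
    the source, i.e. the worm is running in our inetinfo.exe), other (neither
    end is ours), plus a count of requests that do not match at all."""
    report = {"inbound": [], "outbound": [], "other": [], "clean": 0}
    for src, dst, request in records:
        if not IDA_OVERFLOW.search(request):
            report["clean"] += 1
        elif src in server_ips:
            report["outbound"].append((src, dst))
        elif dst in server_ips:
            report["inbound"].append((src, dst))
        else:
            report["other"].append((src, dst))
    return report


def infected_servers(report):
    """Servers that emitted the propagation request themselves; treat as compromised."""
    return sorted({src for src, _dst in report["outbound"]})


if __name__ == "__main__":
    rep = classify(SAMPLE_RECORDS, {WEB_SERVER})
    print(f"clean requests: {rep['clean']}")
    print(f"inbound overflow attempts: {len(rep['inbound'])}")
    print(f"outbound propagation requests: {len(rep['outbound'])}")
    for host in infected_servers(rep):
        print(f"{host}: worm is active in inetinfo.exe - reboot, then patch (Q300972)")
```

Inbound hits alone say nothing about whether the server is patched; outbound hits are the positive indicator the post describes, and a single one is enough to treat the host as compromised.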



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
