warrior
Starting Member
Sweden
32 Posts
Posted - 30 July 2001 : 14:24:06
Here is more info about the worm:
Wormholes on your server
To determine if your IIS systems are affected, simply search your file system for anything named root.exe. If you find anything, you have most likely been compromised.
The root.exe file is simply a copy of cmd.exe, placed in a directory that is accessible to and executable by an attacker using the Unicode vulnerability. The file is generally located in the C:\Program Files\Common Files\System\msadc directory. If you find this executable, it is most likely that you have been remotely compromised. To verify that you are actually vulnerable, type this URL into a browser, using your own address:
http://Your IP/msadc/root.exe?+/c+dir
If your server is compromised, your browser will display a directory listing of the msadc directory. (Of course, virtually any command execution is possible with this script.) Note that some variations of the worm could potentially use a directory other than msadc, so note where your copy of root.exe was found.
When were you compromised? Did you find root.exe on your IIS server? Wondering when it happened? Search your IIS logs for the strings /../../ and root.exe. These strings will be in the GET requests logged by your IIS server, as shown in this excerpt of the CERT advisory:
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
Note the time/date stamp associated with these entries.
The worm
This worm, commonly referred to as the Sadmind/IIS worm, is unique in that it compromises both Windows and Unix (Solaris) systems. Like the distributed denial of service attacks of recent infamy, this worm uses intermediate Unix systems as robots or zombies. Each Unix robot is used to launch attacks against thousands of IIS systems as well as other Solaris systems. Each compromised Solaris system is then used to attack other systems--hence the prolific nature of the worm.
The worm exploits two common vulnerabilities that were addressed by their respective vendors months earlier. On the Solaris side, the vulnerability is in the Sadmind service. This remote procedure call service is commonly enabled on Solaris systems and is used for remote system administration tasks. Obtaining a patch from the vendor or simply disabling this seldom-used service will prevent compromise. (Disable the service by appending a # in front of the Sadmind line in the /etc/inetd.conf file.) The IIS vulnerability is the Unicode vulnerability, which we discussed in detail in the previous column.
The full CERT advisory explains the worm in more detail. Digital Offense maintains a copy of the worm that can be downloaded and examined. It is important to remember that modifications to this source code have most likely been made, and mutants of this worm could use names other than root.exe.
Remain vigilant
The primary reason that we bring this worm to your attention is to demonstrate firsthand the effects of Web server vulnerabilities. Hopefully, many of you have discovered and corrected this vulnerability in your IIS servers. Unfortunately, we are constantly surprised by the number of vulnerable systems on the Internet. We are amazed by the sometimes lackadaisical attitude of administrators, who, when faced with this compromise, simply ignore it. Awareness and understanding are the first steps toward better security.
It is important to remember that this particular worm is one of many security issues that may affect your Web server. While this worm provides a dramatic example of what can happen, keep in mind that even if you don't have a root.exe on your system, your Web server may still be vulnerable. The superfluous decode and more recent IIS vulnerabilities all provide attackers with a similar remote command execution capability. Just because they were not part of a massively propagated Internet worm does not mean they are any less severe. Did you find root.exe on your IIS server? Let us know.
Here is the source: http://builder.cnet.com/webbuilding/0-7532-8-6557183-1.html?tag=st.bl.7532.pro_h7532-8-6557183-1
Moved from Code Support: ASP by Gor
Edited by - warrior on 30 July 2001 15:25:34
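Added example, not code from the CNET column quoted in the post above nor from anyone in this thread: a small Python scanner that applies the column's advice to IIS W3C extended logs. It flags the /../../ traversal to cmd.exe and any reference to root.exe, and it goes one step beyond the column by first rewriting the overlong UTF-8 encodings of "/" (%c0%af) and "\" (%c1%9c) that the Unicode vulnerability (MS00-078, "Web Server Folder Traversal") accepted, so a request that was logged still encoded is caught as well. Everything in it is an assumption or constructed data: the field order is the default W3C layout visible in the CERT excerpt, and of the sample lines the first three are that excerpt while the rest were made up for this example.

```python
# Added example: scan IIS W3C extended log lines for the traces described above.
# Not code from the CNET column or the thread; field layout and sample lines are
# assumptions / constructed data, noted inline.
import re
from urllib.parse import unquote

# Constructed sample log. Lines 1-3 are the CERT excerpt quoted in the post; the
# remaining lines are made up for this example (one benign request, one direct
# call of a dropped root.exe, one traversal using the overlong-UTF-8 form of "/").
SAMPLE_LOG = r"""
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:21:03 10.10.10.11 - 10.20.20.20 80 GET /default.asp - 200 -
2001-05-06 12:22:45 10.10.10.12 - 10.20.20.20 80 GET /msadc/root.exe /c+dir 200 -
2001-05-06 12:23:10 10.10.10.13 - 10.20.20.20 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
"""

# Assumed field order: the default W3C extended layout visible in the excerpt
# (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status).
W3C_FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port",
              "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status"]

# Overlong UTF-8 encodings of "/" and "\" that the vulnerable IIS decoder accepted
# (the "Unicode vulnerability", MS00-078). urllib's unquote() turns these into
# U+FFFD rather than a slash, so they are rewritten before decoding.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}


def normalise_uri(part: str) -> str:
    """Decode a logged URI component the way the vulnerable server would have."""
    for enc, ch in OVERLONG.items():
        part = re.sub(re.escape(enc), lambda _m, ch=ch: ch, part, flags=re.IGNORECASE)
    return unquote(part)


def parse_line(line: str):
    """Parse one log line into a dict; None for blank lines and #-directives."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))


def indicators(entry: dict) -> list:
    """Names of the worm indicators present in a parsed entry (empty if clean)."""
    stem = normalise_uri(entry["cs_uri_stem"])
    query = normalise_uri(entry["cs_uri_query"])
    found = []
    if "../" in stem or "..\\" in stem:
        found.append("traversal")
    if stem.lower().endswith("cmd.exe"):
        found.append("cmd.exe")
    # root.exe may be dropped in a directory other than msadc, so match it anywhere,
    # both as the requested executable and as the target of the copy command.
    if "root.exe" in stem.lower() or "root.exe" in query.lower():
        found.append("root.exe")
    return found


def scan_log(text: str) -> list:
    """Return one record per suspicious line, in log order."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        found = indicators(entry)
        if found:
            hits.append({
                "when": f"{entry['date']} {entry['time']}",   # ISO order, so sorts as text
                "client": entry["c_ip"],
                "status": entry["sc_status"],
                "indicators": found,
                "request": f"{entry['cs_uri_stem']} {entry['cs_uri_query']}",
            })
    return hits


def first_root_exe(hits: list):
    """Earliest hit that references root.exe: the best log-based estimate of when
    the copy was dropped, i.e. the time/date stamp the column says to note."""
    rooted = [h for h in hits if "root.exe" in h["indicators"]]
    return min(rooted, key=lambda h: h["when"]) if rooted else None


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for h in results:
        print(h["when"], h["client"], h["status"], ",".join(h["indicators"]), h["request"])
    first = first_root_exe(results)
    if first:
        print("first root.exe reference:", first["when"], "from", first["client"])
```

Run stand-alone it prints every hit with its timestamp and the earliest root.exe reference. Two things worth keeping in mind when pointing it at a real log: the scanner matches root.exe anywhere in the path, not only under /msadc/, because the column warns that variants may use another directory; and it reads only the cs-uri-stem and cs-uri-query columns, so if the server's log format has been customised the W3C_FIELDS list must be adjusted to the #Fields: line at the top of the log.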
gor
Retired Admin
Netherlands
5511 Posts
Posted - 30 July 2001 : 15:05:08
Warrior,
I moved your topic here, but would you mind posting the source of this info also? Btw, please don't cross-post; I removed the other copy of the post.
Pierre
warrior
Starting Member
Sweden
32 Posts
Posted - 30 July 2001 : 15:27:34
quote:
Warrior,
I moved your topic here, but would you mind posting the source of this info also? Btw, please don't cross-post; I removed the other copy of the post.
Pierre
I'm sorry for the cross-post; I put the info in the wrong forum.
Deleted
deleted
4116 Posts
Posted - 30 July 2001 : 15:42:56
Thank you for the info...
Think Pink
Doug G
Support Moderator
USA
6493 Posts
Cyber Paladin
New Member
55 Posts
Posted - 01 August 2001 : 00:01:29
Best place to go for info is from the source. :)
http://www.eeye.com/html/Research/Advisories/AL20010717.html
MS got their information from them. It's quite the nasty little worm. Seeing as it's the end of the month... If you didn't know you had it, well, then you will now. **** thing has been all over the news and then some. I can't understand why, but some news broadcasts report it as a virus (or that it attacks all MS software, or it's spread through e-mail, etc...). They should really get their facts straight; a worm is much different than a virus (in respect to infection and possibly function).
gor
Retired Admin
Netherlands
5511 Posts
Posted - 01 August 2001 : 00:47:34
quote:
I can't understand why, but some news broadcasts report it as a virus (or that it attacks all MS software, or it's spread through e-mail, etc...). They should really get their facts straight; a worm is much different than a virus (in respect to infection and possibly function).
Yeah, and the way they explain what it does: "the virus eats away all the files on the computer", just to make it sound like a real living thing.
It is funny, btw, that I needed to click through 3 times from Doug's link to get to the download of the patch, where it then is referred to as: This update resolves the "Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise" security vulnerability in Windows 2000 computers running Internet Information Service (IIS) 5.0
Not a word about it being the patch for the Code Red worm. Should have helped finding it. A search for the words code red from the Windows 2000 homepage returns no results, even though it is listed as top story on that page with a link to the article Doug mentioned. Why make it easy.....
Pierre
Doug G
Support Moderator
USA
6493 Posts
Posted - 01 August 2001 : 03:49:13
quote:
Not a word about it being the patch for the Code Red worm. Should have helped finding it.
Part of the reason is that the MS patch was released some time before a 'code red' worm was ever identified.
You're right, though, you'd think a search for "code red" would return something from the MS site.
====== Doug G ======
Deleted
deleted
4116 Posts
Posted - 01 August 2001 : 04:19:39
M$ has a very robust web SW which does not let any crawler get into their web sites [:))]
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 01 August 2001 : 05:19:21
They were talking about searching from the Microsoft Windows 2000 homepage, as Gor had pointed out. Not from a search engine.
- David
Deleted
deleted
4116 Posts
Posted - 01 August 2001 : 11:20:14
Man, it was a joke!
A A Cates
Starting Member
USA
30 Posts
Posted - 04 August 2001 : 13:17:26
As of July 17 (I think, about the 17th) MS has a Security Rollup Pack out that applies all the security patches released since SP6a.
You can get more info and the pack by reading Q299444 in the MS KB. At the end of the article they have a list of the included patches and links to the KB articles that describe them.
Keep the sand dunes open for people - http://www.GlamisOnline.org
GauravBhabu
Advanced Member
4288 Posts
Posted - 05 August 2001 : 21:01:04
Since yesterday I was experiencing problems with IIS. It would stop after every few minutes. I installed the security patch recommended for the RED WORM. IIS has been working fine since. But I am unable to locate the reference to root.exe as mentioned above, because I do not understand where to look. Do I need to take some extra steps?
Deleted
deleted
4116 Posts
Posted - 05 August 2001 : 21:16:40
quote:
Since yesterday I was experiencing problems with IIS. It would stop after every few minutes. I installed the security patch recommended for the RED WORM. IIS has been working fine since. But I am unable to locate the reference to root.exe as mentioned above, because I do not understand where to look. Do I need to take some extra steps?
As indicated above by Doug G, the first post is not speaking of the RED WORM (thus no root.exe :). RED WORM lives only in RAM memory, thus if you restart your server everything will be fine (you did it already while applying the patches).
GauravBhabu
Advanced Member
4288 Posts
Posted - 05 August 2001 : 21:32:39
Thanks bozden, that helps.
Share A Square at forumSquare
gauravbhabu
There is only one miracle...That is LIFE!
Doug G
Support Moderator
USA
6493 Posts
Posted - 06 August 2001 : 00:34:28
Just FYI, Windows Update installs critical server patches for both W2K and NT4. I find it easier than sifting through a bunch of individual patches.
====== Doug G ======