From: Russ (Russ.CooperRC.ON.CA)
Date: Fri Aug 10 2001 - 12:23:22 CDT

    -----BEGIN PGP SIGNED MESSAGE-----

    There's a common misconception floating around that Windows 2000
    Professional cannot be participating in the Code Red issue. This is
    flat out wrong!

    It's believed that PWS (Personal Web Server) on W2K Professional is
    somehow *not* IIS 5.0 (Internet Information Services 5.0). This is
    flat out wrong!

    Let me try and lay this one to rest. PWS on W2K **IS** IIS 5.0. The
    difference between these two "products" is not in the code that they
    operate, or the features they support; it's strictly within the
    Management Interface.

    PWM, or Personal Web Manager, is an executable which provides limited
    control over the web server. Internet Services Manager is the
    full-blown MMC snap-in which provides all control over the web
    server.

    Either can be used on a W2K Professional Box which has installed IIS
    (or PWS). They can be found on such a box in the following locations:

    Personal Web Manager
    %SystemRoot%\system32\inetsrv\pws.exe

    Internet Services Manager
    %SystemRoot%\System32\Inetsrv\iis.msc

    See:

    http://windows.microsoft.com/windows2000/en/professional/iis/htm/core/iiabuti.htm?id=8

    or your Windows 2000 Professional documentation for a fuller
    explanation.

    Neither PWS nor IIS is installed by default on a W2K Professional
    **CLEAN INSTALL**. If a Windows NT 4.0 Workstation box with Personal
    Web Server installed is upgraded to Windows 2000 Professional, then
    by default IIS 5.0 will be installed.

    When IIS is on a W2K Professional box, by default, it has .ida and
    .idq script mappings in place and IDQ.DLL is there too. So, if they
    aren't patched, or the MMC Snap-in isn't used to remove the mappings
    (you can't remove the mappings through PWM), then the box can be
    infected and will participate in Code Red attacks.

    IIS is also installed by default on W2K Professional boxes if you
    install Visual Studio's Visual Interdev. It's used to test/create web
    applications.

    So, please stop trying to put out your internal infections by relying
    on your belief in what machines are running web servers. This is
    clearly not working for many companies, the root of the problem
    partially being mistaken beliefs like the one above. I strongly
    suspect that anyone who runs an HTTP scan against their entire
    network space (using something like NetCat) is going to find at least
    one unexpected web server. More often than not people are finding
    hundreds of them.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2

    iQCVAwUBO3QYihBh2Kw/l7p5AQGTywP/d1outE4HuhvVlTDtInwqRVdGw0XEDLKn
    6SWLeyy7FZH+Y9esGrabFSaK9dOvxw6iyd/IlZSLH4UD+5FbYyTybx3zvGNpgQbA
    eit72k52+6vW2I6OpSW18uRmOUVkNZI7Op46odKcDR36PrUIcQag1e4XlZiIML2A
    KYkpf+3l3d8=
    =sL1v
    -----END PGP SIGNATURE-----
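The closing advice above is to inventory your own address space for web servers you did not know about, rather than trusting a belief about which machines run IIS. The script below is an added example, not part of Russ's post and not a Microsoft or NTBugtraq tool: it sends a minimal HTTP HEAD request to each host, parses the status line and `Server` header, and reports every responder that is missing from an expected-inventory list, flagging IIS 5.0 (which is what PWS on Windows 2000 Professional reports) separately. The sample responses, host names and the `expected` inventory are constructed for illustration; the parser is deliberately tolerant of truncated or non-HTTP replies so that a banner from some other service does not crash the sweep.

```python
import socket
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample responses (not captured from any real host), used to
# exercise the parser and the triage logic without touching the network.
SAMPLE_IIS5 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Fri, 10 Aug 2001 17:23:22 GMT\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_APACHE = b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.20 (Unix)\r\n\r\n"
SAMPLE_NO_SERVER = b"HTTP/1.0 404 Not Found\r\n\r\n"
SAMPLE_NOT_HTTP = b"SSH-2.0-OpenSSH_2.9\r\n"  # something else answering on the port


def parse_http_head(raw: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Return (status_code, server_header) from a raw response.

    status_code is None when the reply is not an HTTP response at all;
    server_header is None when no Server header is present.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    status = None
    parts = lines[0].split(" ", 2)
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        status = int(parts[1])
    server = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
            break
    return status, server


def classify(raw: bytes) -> str:
    """Bucket a response: 'not-http', 'iis-5.0', 'iis-other' or 'other-http'."""
    status, server = parse_http_head(raw)
    if status is None:
        return "not-http"
    banner = (server or "").lower()
    if banner.startswith("microsoft-iis/5.0"):
        return "iis-5.0"
    if banner.startswith("microsoft-iis/"):
        return "iis-other"
    return "other-http"


def triage(responses: Dict[str, Optional[bytes]], expected: Set[str]) -> List[Tuple[str, str]]:
    """Return (host, kind) for every host that speaks HTTP but is not in the
    expected inventory. Hosts that did not answer (None) are skipped."""
    findings = []
    for host, raw in sorted(responses.items()):
        if raw is None:
            continue
        kind = classify(raw)
        if kind != "not-http" and host not in expected:
            findings.append((host, kind))
    return findings


def probe(host: str, port: int = 80, timeout: float = 3.0) -> Optional[bytes]:
    """Send one HEAD request and return the raw reply, or None if the host
    does not accept the connection or answer in time."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii", "ignore") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf
    except (OSError, socket.timeout):
        return None


def sweep(hosts: List[str], expected: Set[str]) -> List[Tuple[str, str]]:
    """Probe every host and report the unexpected web servers."""
    return triage({h: probe(h) for h in hosts}, expected)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; 'www' is the only
    # host the (hypothetical) inventory expects to be serving HTTP.
    captured = {"www": SAMPLE_APACHE, "ws-17": SAMPLE_IIS5,
                "ws-42": SAMPLE_NO_SERVER, "gw": SAMPLE_NOT_HTTP, "ws-99": None}
    for host, kind in triage(captured, expected={"www"}):
        print(f"unexpected web server: {host} ({kind})")
```

Run `sweep(hosts, expected)` over the addresses you own to get the list Russ describes; an entry tagged `iis-5.0` on a workstation is a box whose `.ida`/`.idq` mappings need to be checked with the Internet Services Manager snap-in and patched. Because `probe` is a plain socket HEAD, it also catches servers on hosts that never appeared in any "known web server" list, which is the whole point of the sweep.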