From: Gavin Millard (gavinm at unipalm.co.uk)
Date: Tue Jul 24 2001 - 03:21:45 CDT
Probably the best way to stop attacks from these types of vulnerabilities is to
install a host-based IDS. I can think of 2 decent ones on the market; both
stopped the CR worm in its tracks even before it was known.
http://www.entercept.com/products/codered.asp and
http://www.eeye.com/html/Products/SecureIIS/index.html
Both do a 30 or 45 day eval. Install it while all these problems are
happening.
Gavin
> This is another one of the signatures of the Code Red worm (which is
> learned by dealing with it, and not from the advisories). There are many
> other beasties that could do that as well, but I am betting that that is
> what you are dealing with.
>
> I bet if you reboot the box, this syndrome will go away. And then, if your
> box is not patched, it will come back within a few minutes of being connected to
> the internet.
>
> CR worm treatments --
>
> reinstall latest SP
>
> install MS bulletins 26 and 33 (hotfixes)
>
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
>
> reboot.
>
> Some patched boxes then suffer DoS from the worm on other boxes (i.e. the
> other worms are trying to gain access to your box, and they can't, but the
> attempted buffer overflow will then shut down your IIS services
> repeatedly -- sometimes as fast as you can restart them). If your box is
> patched and is still acting this way, you will have to unmap the .ida and
> .idq extensions in your web server master properties, and apply that to all
> nodes on your web server.
>
>
> ----- Original Message -----
> From: "Kania" <kania at euskalnet.net>
> To: <focus-ms at securityfocus.com>
> Sent: Monday, July 23, 2001 4:15 AM
> Subject: Worm ???
>
>
> > I've got a development machine with Win2000 Server connected to the Internet
> > with a modem... I noticed that a huge amount of packets were being sent...
> >
> > I did netstat -a and this is the result:
> >
> >
> > TCP makinon:http makinon:0 LISTENING
> > TCP makinon:epmap makinon:0 LISTENING
> > TCP makinon:https makinon:0 LISTENING
> > TCP makinon:microsoft-ds makinon:0 LISTENING
> > TCP makinon:1025 makinon:0 LISTENING
> > TCP makinon:1026 makinon:0 LISTENING
> > TCP makinon:1027 makinon:0 LISTENING
> > TCP makinon:1030 makinon:0 LISTENING
> > TCP makinon:1034 makinon:0 LISTENING
> > TCP makinon:1036 makinon:0 LISTENING
> > TCP makinon:1043 makinon:0 LISTENING
> > TCP makinon:1045 makinon:0 LISTENING
> > TCP makinon:1046 makinon:0 LISTENING
> > TCP makinon:1047 makinon:0 LISTENING
> > TCP makinon:1048 makinon:0 LISTENING
> > TCP makinon:1049 makinon:0 LISTENING
> > TCP makinon:1051 makinon:0 LISTENING
> > TCP makinon:1052 makinon:0 LISTENING
> > TCP makinon:1053 makinon:0 LISTENING
> > TCP makinon:1054 makinon:0 LISTENING
> > TCP makinon:1055 makinon:0 LISTENING
> > TCP makinon:1056 makinon:0 LISTENING
> > TCP makinon:1058 makinon:0 LISTENING
> > TCP makinon:1059 makinon:0 LISTENING
> > TCP makinon:1060 makinon:0 LISTENING
> > TCP makinon:1061 makinon:0 LISTENING
> > TCP makinon:1062 makinon:0 LISTENING
> > TCP makinon:1064 makinon:0 LISTENING
> > TCP makinon:1065 makinon:0 LISTENING
> > TCP makinon:1066 makinon:0 LISTENING
> > TCP makinon:1067 makinon:0 LISTENING
> > TCP makinon:1068 makinon:0 LISTENING
> > TCP makinon:1069 makinon:0 LISTENING
> > TCP makinon:1071 makinon:0 LISTENING
> > TCP makinon:1072 makinon:0 LISTENING
> > TCP makinon:1073 makinon:0 LISTENING
> > TCP makinon:1074 makinon:0 LISTENING
> > TCP makinon:1075 makinon:0 LISTENING
> > TCP makinon:1076 makinon:0 LISTENING
> > TCP makinon:1077 makinon:0 LISTENING
> > TCP makinon:1078 makinon:0 LISTENING
> > TCP makinon:1079 makinon:0 LISTENING
> > TCP makinon:1080 makinon:0 LISTENING
> > TCP makinon:1081 makinon:0 LISTENING
> > TCP makinon:1082 makinon:0 LISTENING
> > TCP makinon:1084 makinon:0 LISTENING
> > TCP makinon:1085 makinon:0 LISTENING
> > TCP makinon:1086 makinon:0 LISTENING
> > TCP makinon:1087 makinon:0 LISTENING
> > TCP makinon:1088 makinon:0 LISTENING
> > TCP makinon:1089 makinon:0 LISTENING
> > TCP makinon:1091 makinon:0 LISTENING
> > TCP makinon:1092 makinon:0 LISTENING
> > TCP makinon:1093 makinon:0 LISTENING
> > TCP makinon:1094 makinon:0 LISTENING
> > TCP makinon:1095 makinon:0 LISTENING
> > TCP makinon:1097 makinon:0 LISTENING
> > TCP makinon:1098 makinon:0 LISTENING
> > TCP makinon:1099 makinon:0 LISTENING
> > TCP makinon:1100 makinon:0 LISTENING
> > TCP makinon:1101 makinon:0 LISTENING
> > TCP makinon:1102 makinon:0 LISTENING
> > TCP makinon:1104 makinon:0 LISTENING
> > TCP makinon:1105 makinon:0 LISTENING
> > TCP makinon:1106 makinon:0 LISTENING
> > TCP makinon:1107 makinon:0 LISTENING
> > TCP makinon:1108 makinon:0 LISTENING
> > TCP makinon:1110 makinon:0 LISTENING
> > TCP makinon:1111 makinon:0 LISTENING
> > TCP makinon:1112 makinon:0 LISTENING
> > TCP makinon:1113 makinon:0 LISTENING
> > TCP makinon:1114 makinon:0 LISTENING
> > TCP makinon:1115 makinon:0 LISTENING
> > TCP makinon:1117 makinon:0 LISTENING
> > TCP makinon:1118 makinon:0 LISTENING
> > TCP makinon:1119 makinon:0 LISTENING
> > TCP makinon:1120 makinon:0 LISTENING
> > TCP makinon:1121 makinon:0 LISTENING
> > TCP makinon:1122 makinon:0 LISTENING
> > TCP makinon:1123 makinon:0 LISTENING
> > TCP makinon:1124 makinon:0 LISTENING
> > TCP makinon:1125 makinon:0 LISTENING
> > TCP makinon:1126 makinon:0 LISTENING
> > TCP makinon:1127 makinon:0 LISTENING
> > TCP makinon:1128 makinon:0 LISTENING
> > TCP makinon:1129 makinon:0 LISTENING
> > TCP makinon:1131 makinon:0 LISTENING
> > TCP makinon:1132 makinon:0 LISTENING
> > TCP makinon:1133 makinon:0 LISTENING
> > TCP makinon:1134 makinon:0 LISTENING
> > TCP makinon:1135 makinon:0 LISTENING
> > TCP makinon:1136 makinon:0 LISTENING
> > TCP makinon:1137 makinon:0 LISTENING
> > TCP makinon:1138 makinon:0 LISTENING
> > TCP makinon:1139 makinon:0 LISTENING
> > TCP makinon:1140 makinon:0 LISTENING
> > TCP makinon:1141 makinon:0 LISTENING
> > TCP makinon:1142 makinon:0 LISTENING
> > TCP makinon:1144 makinon:0 LISTENING
> > TCP makinon:1145 makinon:0 LISTENING
> > TCP makinon:1146 makinon:0 LISTENING
> > TCP makinon:1147 makinon:0 LISTENING
> > TCP makinon:1148 makinon:0 LISTENING
> > TCP makinon:1149 makinon:0 LISTENING
> > TCP makinon:1151 makinon:0 LISTENING
> > TCP makinon:1152 makinon:0 LISTENING
> > TCP makinon:1153 makinon:0 LISTENING
> > TCP makinon:1155 makinon:0 LISTENING
> > TCP makinon:1156 makinon:0 LISTENING
> > TCP makinon:1157 makinon:0 LISTENING
> > TCP makinon:1158 makinon:0 LISTENING
> > TCP makinon:1159 makinon:0 LISTENING
> > TCP makinon:1160 makinon:0 LISTENING
> > TCP makinon:1161 makinon:0 LISTENING
> > TCP makinon:1162 makinon:0 LISTENING
> > TCP makinon:1163 makinon:0 LISTENING
> > TCP makinon:1164 makinon:0 LISTENING
> > TCP makinon:1165 makinon:0 LISTENING
> > TCP makinon:1166 makinon:0 LISTENING
> > TCP makinon:1167 makinon:0 LISTENING
> > TCP makinon:1169 makinon:0 LISTENING
> > TCP makinon:1170 makinon:0 LISTENING
> > TCP makinon:1171 makinon:0 LISTENING
> > TCP makinon:1172 makinon:0 LISTENING
> > TCP makinon:1173 makinon:0 LISTENING
> > TCP makinon:3372 makinon:0 LISTENING
> > TCP makinon:4140 makinon:0 LISTENING
> > TCP makinon:http 216.86.32.9:3117 CLOSE_WAIT
> > TCP makinon:1032 galcott.com:http TIME_WAIT
> > TCP makinon:1034 uweb.syd.optusnet.com.au:http LAST_ACK
> > TCP makinon:1036 codeavionics.com:http ESTABLISHED
> > TCP makinon:1043 141.210.10.117:ftp ESTABLISHED
> > TCP makinon:1045 35.26.36.142:http ESTABLISHED
> > TCP makinon:1046 74.171.153.201:http ESTABLISHED
> > TCP makinon:1047 113.60.15.5:http ESTABLISHED
> > TCP makinon:1048 152.205.132.64:http ESTABLISHED
> > TCP makinon:1049 191.94.250.123:http ESTABLISHED
> > TCP makinon:1051 13.129.91.11:http ESTABLISHED
> > TCP makinon:1052 52.18.209.70:http ESTABLISHED
> > TCP makinon:1053 91.163.70.130:http ESTABLISHED
> > TCP makinon:1054 130.52.188.189:http ESTABLISHED
> > TCP makinon:1055 169.197.49.249:http ESTABLISHED
> > TCP makinon:1056 208.86.167.52:http LAST_ACK
> > TCP makinon:1058 30.121.146.171:http LAST_ACK
> > TCP makinon:1059 69.10.8.231:http LAST_ACK
> > TCP makinon:1060 108.155.125.34:http LAST_ACK
> > TCP makinon:1062 186.189.104.153:http ESTABLISHED
> > TCP makinon:1064 8.224.201.40:http ESTABLISHED
> > TCP makinon:1066 86.2.181.159:http ESTABLISHED
> > TCP makinon:1067 125.147.42.219:http ESTABLISHED
> > TCP makinon:1068 164.36.160.22:http ESTABLISHED
> > TCP makinon:1069 203.181.21.82:http ESTABLISHED
> > TCP makinon:1071 25.216.0.201:http ESTABLISHED
> > TCP makinon:1072 64.105.118.4:http LAST_ACK
> > TCP makinon:1073 103.250.235.63:http ESTABLISHED
> > TCP makinon:1074 142.139.97.123:http ESTABLISHED
> > TCP makinon:1075 181.28.215.182:http ESTABLISHED
> > TCP makinon:1076 220.173.76.242:http LAST_ACK
> > TCP makinon:1077 3.63.194.45:http ESTABLISHED
> > TCP makinon:1078 42.208.55.105:http ESTABLISHED
> > TCP makinon:1079 81.97.173.164:http ESTABLISHED
> > TCP makinon:1080 120.242.34.224:http ESTABLISHED
> > TCP makinon:1081 159.131.152.27:http ESTABLISHED
> > TCP makinon:1082 198.20.14.87:http ESTABLISHED
> > TCP makinon:1084 20.55.111.230:http ESTABLISHED
> > TCP makinon:1085 59.200.228.33:http ESTABLISHED
> > TCP makinon:1086 98.89.90.93:http ESTABLISHED
> > TCP makinon:1087 137.234.207.152:http ESTABLISHED
> > TCP makinon:1088 176.123.69.212:http ESTABLISHED
> > TCP makinon:1089 215.12.187.15:http ESTABLISHED
> > TCP makinon:1091 37.47.166.134:http ESTABLISHED
> > TCP makinon:1092 76.192.27.194:http ESTABLISHED
> > TCP makinon:1093 115.81.145.253:http ESTABLISHED
> > TCP makinon:1094 154.226.6.57:http ESTABLISHED
> > TCP makinon:1095 193.115.124.116:http ESTABLISHED
> > TCP makinon:1097 15.150.103.235:http ESTABLISHED
> > TCP makinon:1098 54.39.221.38:http ESTABLISHED
> > TCP makinon:1099 93.184.82.98:http ESTABLISHED
> > TCP makinon:1100 132.73.200.157:http ESTABLISHED
> > TCP makinon:1101 171.218.61.217:http ESTABLISHED
> > TCP makinon:1102 210.107.179.20:http ESTABLISHED
> > TCP makinon:1104 32.142.158.139:http ESTABLISHED
> > TCP makinon:1105 71.31.20.199:http ESTABLISHED
> > TCP makinon:1106 110.176.255.26:http ESTABLISHED
> > TCP makinon:1107 149.65.117.86:http ESTABLISHED
> > TCP makinon:1108 188.210.234.145:http ESTABLISHED
> > TCP makinon:1110 10.245.213.8:http ESTABLISHED
> > TCP makinon:1111 49.134.75.68:http ESTABLISHED
> > TCP makinon:1112 88.23.193.127:http ESTABLISHED
> > TCP makinon:1113 40.182.56.187:http ESTABLISHED
> > TCP makinon:1114 166.57.172.246:http LAST_ACK
> > TCP makinon:1115 205.202.33.50:http ESTABLISHED
> > TCP makinon:1117 27.237.12.169:http ESTABLISHED
> > TCP makinon:1118 66.126.130.228:http ESTABLISHED
> > TCP makinon:1119 105.15.248.31:http ESTABLISHED
> > TCP makinon:1120 144.160.109.91:http ESTABLISHED
> > TCP makinon:1121 183.49.227.150:http ESTABLISHED
> > TCP makinon:1122 222.194.88.210:http LAST_ACK
> > TCP makinon:1123 5.84.206.13:http ESTABLISHED
> > TCP makinon:1124 44.229.67.73:http ESTABLISHED
> > TCP makinon:1125 83.118.47.157:http ESTABLISHED
> > TCP makinon:1126 57.104.20.196:http ESTABLISHED
> > TCP makinon:1127 122.7.165.216:http ESTABLISHED
> > TCP makinon:1128 161.152.26.20:http ESTABLISHED
> > TCP makinon:1129 200.41.144.79:http ESTABLISHED
> > TCP makinon:1131 22.76.123.198:http LAST_ACK
> > TCP makinon:1132 61.221.240.1:http ESTABLISHED
> > TCP makinon:1133 100.110.102.61:http ESTABLISHED
> > TCP makinon:1134 139.255.219.120:http ESTABLISHED
> > TCP makinon:1135 178.144.81.180:http ESTABLISHED
> > TCP makinon:1136 217.33.199.239:http ESTABLISHED
> > TCP makinon:1137 0.179.60.43:http ESTABLISHED
> > TCP makinon:1138 39.68.178.102:http ESTABLISHED
> > TCP makinon:1139 78.213.39.162:http ESTABLISHED
> > TCP makinon:1140 117.102.157.221:http ESTABLISHED
> > TCP makinon:1141 156.247.18.25:http ESTABLISHED
> > TCP makinon:1142 195.136.136.84:http ESTABLISHED
> > TCP makinon:1144 17.171.115.203:http ESTABLISHED
> > TCP makinon:1145 201.68.51.228:http ESTABLISHED
> > TCP makinon:1146 58.224.4.214:http ESTABLISHED
> > TCP makinon:1147 135.140.185.80:http ESTABLISHED
> > TCP makinon:1148 171.123.214.199:http LAST_ACK
> > TCP makinon:1149 28.23.208.154:http ESTABLISHED
> > TCP makinon:1151 207.106.243.62:http ESTABLISHED
> > TCP makinon:1152 141.178.161.140:http ESTABLISHED
> > TCP makinon:1153 64.6.237.17:http LAST_ACK
> > TCP makinon:1155 177.161.190.3:http ESTABLISHED
> > TCP makinon:1156 34.61.144.245:http ESTABLISHED
> > TCP makinon:1157 147.216.137.200:http ESTABLISHED
> > TCP makinon:1158 189.211.16.73:http ESTABLISHED
> > TCP makinon:1159 207.122.53.32:http ESTABLISHED
> > TCP makinon:1160 81.145.71.248:http SYN_SENT
> > TCP makinon:1161 92.133.126.132:http SYN_SENT
> > TCP makinon:1162 165.218.228.184:http SYN_SENT
> > TCP makinon:1163 3.161.4.30:http SYN_SENT
> > TCP makinon:1164 171.0.237.218:http SYN_SENT
> > TCP makinon:1165 107.3.22.3:http SYN_SENT
> > TCP makinon:1166 209.164.48.6:http SYN_SENT
> > TCP makinon:1167 163.25.165.51:http SYN_SENT
> > TCP makinon:1169 33.187.157.109:http SYN_SENT
> > TCP makinon:1170 7.37.34.60:http SYN_SENT
> > TCP makinon:1171 203.2.75.30:http SYN_SENT
> > TCP makinon:1172 183.39.214.243:http SYN_SENT
> > TCP makinon:1173 74.222.225.56:http SYN_SENT
> > TCP makinon:netbios-ssn makinon:0 LISTENING
> > TCP makinon:1037 JUMBOTRON:netbios-ssn TIME_WAIT
> > UDP makinon:epmap *:*
> > UDP makinon:microsoft-ds *:*
> > UDP makinon:1028 *:*
> > UDP makinon:3456 *:*
> > UDP makinon:netbios-ns *:*
> > UDP makinon:netbios-dgm *:*
> > UDP makinon:isakmp *:*
> >
> >
> >
>
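Added example (not code from any poster in this thread): a small Python script that reads Windows `netstat -a` output like the listing above and flags the pattern the reply diagnoses, a host holding many client-side connections to port 80 on many distinct remote addresses that netstat could not resolve to a name, as worm-like scanning. The cut-offs (20 distinct peers, 80% unresolved), the `names_resolved` switch and the two sample listings are assumptions constructed for the example; the infected box in the thread holds roughly a hundred such sockets, far above the threshold.

```python
"""Flag worm-style HTTP scanning fan-out in Windows `netstat -a` output.

Added example for this thread, not code from any poster. The heuristic is an
assumption: a host that holds many client-side connections to port 80 on many
distinct remote addresses, most of which netstat could not resolve to a name,
is behaving like a Code Red scanner rather than like a user browsing.
"""
import re
from collections import Counter

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HTTP_PORTS = {"http", "80"}
# TCP states in which a socket is, or very recently was, a live connection.
ACTIVE = {"SYN_SENT", "ESTABLISHED", "CLOSE_WAIT", "LAST_ACK",
          "FIN_WAIT_1", "FIN_WAIT_2", "TIME_WAIT"}


def parse_netstat(text):
    """Return (proto, lhost, lport, rhost, rport, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, _, lport = parts[1].rpartition(":")
        rhost, _, rport = parts[2].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], lhost, lport, rhost, rport, state))
    return rows


def outbound_http(rows):
    """Client-side connections: numeric (ephemeral) local port, remote port 80."""
    return [r for r in rows
            if r[0] == "TCP" and r[2].isdigit()
            and r[4] in HTTP_PORTS and r[5] in ACTIVE]


def inbound_http(rows):
    """Server-side connections: our port 80, any live state (someone hit us)."""
    return [r for r in rows
            if r[0] == "TCP" and r[2] in HTTP_PORTS and r[5] in ACTIVE]


def assess(text, fanout_threshold=20, raw_ip_ratio=0.8, names_resolved=True):
    """Summarise the listing and decide whether it looks like scanning.

    fanout_threshold and raw_ip_ratio are assumed cut-offs. Pass
    names_resolved=False for `netstat -an` output: every peer is then a raw
    IP and the unresolved-name heuristic says nothing, so only fan-out counts.
    """
    rows = parse_netstat(text)
    out = outbound_http(rows)
    remotes = {r[3] for r in out}
    raw = sum(1 for h in remotes if IPV4.match(h))
    ratio = raw / len(remotes) if remotes else 0.0
    fanout = len(remotes) >= fanout_threshold
    unresolved = (not names_resolved) or ratio >= raw_ip_ratio
    return {
        "outbound_http": len(out),
        "distinct_remotes": len(remotes),
        "raw_ip_ratio": round(ratio, 2),
        "syn_sent": Counter(r[5] for r in out)["SYN_SENT"],
        "inbound_http": len(inbound_http(rows)),
        "suspicious": fanout and unresolved,
    }


# Constructed samples modelled on the listing in the thread (not the original
# output): listeners, one inbound hit on our port 80, one legitimate browsing
# session, one FTP session, then 24 open or half-open client connections to
# port 80 on distinct addresses that did not resolve to a name.
WORM_LIKE = """\
  TCP    makinon:http           makinon:0               LISTENING
  TCP    makinon:netbios-ssn    makinon:0               LISTENING
  TCP    makinon:http           216.86.32.9:3117        CLOSE_WAIT
  TCP    makinon:1036           codeavionics.com:http   ESTABLISHED
  TCP    makinon:1043           141.210.10.117:ftp      ESTABLISHED
  UDP    makinon:netbios-ns     *:*
""" + "".join(
    f"  TCP    makinon:{1045 + i:<15}"
    f"{(i * 53) % 223 + 1}.{(i * 97) % 256}.{(i * 31) % 256}.{(i * 7) % 256 or 1}:http"
    f"  {'SYN_SENT' if i >= 18 else 'ESTABLISHED'}\n"
    for i in range(24)
)

# Ordinary desktop traffic: a handful of peers, all with resolved names.
CLEAN = """\
  TCP    makinon:http           makinon:0               LISTENING
  TCP    makinon:1032           galcott.com:http        TIME_WAIT
  TCP    makinon:1036           codeavionics.com:http   ESTABLISHED
  TCP    makinon:1037           JUMBOTRON:netbios-ssn   TIME_WAIT
"""

if __name__ == "__main__":
    for name, sample in (("worm-like", WORM_LIKE), ("clean", CLEAN)):
        print(name, assess(sample))
```

The script separates the two things a patched box can show: `inbound_http` counts other infected hosts probing your port 80 (the DoS the reply describes, which patching does not stop), while `outbound_http` fan-out to unresolved peers is the sign that your own box is the one scanning. Feed it saved `netstat -a` output rather than `netstat -an` unless you pass `names_resolved=False`, since the unresolved-name ratio is only meaningful when netstat was allowed to do reverse lookups.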