Original Issue Date: 20th July 2001
We are currently seeing a large volume of malicious traffic on many networks, and we therefore advise you to take security measures to ensure that all your systems are patched and secured. Extensive exploitation is being seen on Windows IIS servers (Windows NT and Windows 2000). There have been recurring incidents due to failure to completely follow the hardening procedures for the Windows platform.
However, Microsoft hotfixes and patches are released rapidly, owing to the frequent "discovery" of loopholes, so system administrators are required to keep current on the patches. More information is available at:
IIS 5.0
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp
IIS 4.0
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iischk.asp
More Microsoft Security Tools and Checklists are available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/tools.asp
We are also highlighting other releases of advisories which we think are relevant and in abundance among local computers.
Code Red Worm
eEye calls it the .ida Code Red Worm, SANS calls it the Code Red worm and CERT/CC calls it the "Code Red" worm. As we publish this, MyCERT, NISER has received a growing number of reports of Code Red Worm attacks and probes against Malaysian as well as foreign hosts, and we are seeing HEAVY scanning on many networks. This has caused networks in a few organisations to go down due to the DDoS effect. Network administrators are advised to monitor the logs within their networks and to identify worm traffic originating from internal hosts; such traffic indicates that the host has been compromised. The host MUST be patched to stop it from contributing to the spread. The attack is very difficult to stop since it tunnels through port 80, which firewalls normally allow through.
The Code Red Worm is rapidly spreading among IIS servers on the Internet, and this prompts us to issue this preliminary document to alert all Microsoft IIS administrators to patch their machines. We would like to stress this again –
THOSE RUNNING MICROSOFT IIS, PLEASE PATCH YOUR MACHINES!
The "Code Red" worm can be identified on victim machines by the presence of the following string in IIS log files:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
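The two checks the advisory asks administrators to perform by hand (find the worm's /default.ida request in the IIS logs, and tell which of the probing addresses are internal hosts that must be treated as compromised) can be scripted. The following is an added example, not code from MyCERT or Microsoft; the W3C log lines are constructed, the field layout is read from the #Fields: header, and the list of "internal" networks is an assumed RFC 1918 default that a site would replace with its own ranges.

```python
import ipaddress
import re
from collections import Counter

# Worm request as published in this advisory: a run of N's, then %u-encoded bytes.
WORM_QUERY = "N" * 224 + ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                          "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
                          "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed IIS W3C extended log sample (not from a real server).
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:01:02 10.1.2.3 GET /default.ida {WORM_QUERY} 200
2001-07-19 10:01:05 203.0.113.7 GET /index.htm - 200
2001-07-19 10:02:11 198.51.100.9 GET /default.ida {WORM_QUERY} 200
2001-07-19 10:03:40 10.1.2.3 GET /default.ida {WORM_QUERY} 200
2001-07-19 10:04:00 192.168.5.5 GET /default.ida - 404
"""

# Signature: a long run of N's followed by at least one %uXXXX sequence.
CODE_RED_RE = re.compile(r"^N{20,}%u[0-9a-f]{4}", re.IGNORECASE)
# Assumed "internal" ranges; replace with the site's own address space.
INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in #Fields:."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def is_code_red_request(rec):
    """True when the request matches the worm's /default.ida signature."""
    return (rec.get("cs-uri-stem", "").lower() == "/default.ida"
            and CODE_RED_RE.match(rec.get("cs-uri-query", "")) is not None)

def analyze(log_text, internal_nets=INTERNAL_NETS):
    """Count worm probes per source IP and list the internal sources."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    probes = Counter(rec["c-ip"] for rec in parse_w3c(log_text)
                     if is_code_red_request(rec))
    def is_internal(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:  # malformed c-ip field: not classifiable
            return False
    internal = sorted(ip for ip in probes if is_internal(ip))
    return {"probes": dict(probes), "compromised_internal": internal}
```

A bare /default.ida request without the N-run payload (the 404 line above) is not counted, so the script reports worm activity rather than every hit on the .ida extension.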
The Microsoft Bulletin on this issue is posted at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Vendor patches are:
For Windows NT 4.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
For Windows 2000 Professional, Server, and Advanced Server
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
According to the SANS Institute, two hundred thousand systems may already have been infected. If you are unsure whether yours is one of them, please patch and power off. The current worm seems to disappear when the machine is powered down, but you will quickly be reinfected if you are not patched. Our analysis also found that after patching, probes on the ISAPI udp ports will still come into the network. Thus, removal of the ".ida" and ".idq" files, if they are not required by any of your applications, is strongly recommended.
Updates on this worm will be posted as more information comes in at:
http://www.incidents.org
http://www.eeye.com
http://www.mycert.org.my
Those using IDS and firewalls are advised to update their signature files and firewall rules to ensure that their systems will detect and block such traffic.
Other July 2001 Advisories
19 July 2001
Several implementations of the Lightweight Directory Access Protocol (LDAP) contain vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. If your site uses any of the products listed in this advisory, the CERT/CC encourages you to follow the advice provided in the Solution section below.
CERTCC Advisory : http://www.cert.org/advisories/CA-2001-18.html
10 July 2001 - "Serious" Vulnerability In Check Point Firewalls
A hole has been discovered that allows outsiders to snoop inside networks that are protected by Check Point firewalls. The vulnerability exploits the fact that RDP packets are allowed to traverse Check Point firewall gateways. Representatives of CERT/CC called the problem serious.
CERTCC Advisory: http://www.cert.org/advisories/CA-2001-17.html
Checkpoint Advisory: http://www.checkpoint.com/techsupport/alerts/rdp.html
Patch: http://www.checkpoint.com/techsupport/downloads.html
5 July 2001 - Oracle Patches High Risk Security Hole in 8i
Oracle acknowledged a buffer overflow problem in the "listener" component of its database. An attacker who uses the vulnerability can read or change any information in the database. Oracle has issued a patch.
News article: http://news.cnet.com/news/0-1003-200-6469566.html?tag=owv
Advisory: http://www.pgp.com/research/covert/advisories/050.asp