

Archive: July 2001 ml@sikurezza.org
Subject: Re: Apache/Zope logs
From: Igor Falcomata'
Date: 20 Jul 2001 09:07:19 -0000
On Thu, Jul 19, 2001 at 09:36:01PM +0200, Andrea Fanfani wrote:

> [Finally a slightly more technical mail.]
> 
> Today a guy here found this stuff
> in the logs of his little box (in the Zope logs).
> I suspect it is an attempt by an IIS worm
> to take a stroll through the box
> (cf. http://www.newsbytes.com/news/01/168003.html).

yes, it's the "Code Red" worm; both CERT and SANS have released specific
advisories and it is being discussed on bugtraq:

"
**** SANS Security Alert *****
Plus a status update of interest to most security professionals.

The rapidly spreading IIS Code Red Worm is a problem of sufficient
magnitude to bring the Internet's INFOCON Alert Status to YELLOW --
and that is now reflected at Incidents.Org.

If you or anyone you know has an IIS server, please get it patched,
now!

The patch is posted at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
[Yes that's a real Microsoft site]

Two hundred thousand systems may already have been infected. If you
are unsure whether yours is one of them, turn it off after you have
patched it.  The current worm seems to disappear when the machine
is powered down, but you will be quickly reinfected if you are not
patched.

Please stay tuned to www.incidents.org and www.cert.org for further
information as it becomes available.

[...]
"

"
CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS
Indexing Service DLL

[...]

Overview

   The CERT/CC has received reports of new self-propagating malicious
   code that exploits certain configurations of Microsoft Windows
   susceptible to the vulnerability described in CERT advisory CA-2001-13
   Buffer Overflow In IIS Indexing Service DLL. These reports indicate
   that the "Code Red" worm may have already affected as many as 225,000
   hosts, and continues to spread rapidly.

[...]

   Additionally, web pages on victim machines may be defaced with the
   following message:

     HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

[...]

Solutions

   The CERT/CC encourages all Internet sites to review CERT advisory
   CA-2001-13 and ensure workarounds or patches have been applied on all 
   affected hosts on your network.

   If you believe a host under your control has been compromised, you may
   wish to refer to

     http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

[...]
"

Among other things, one very important item went by on attrition's
defaced-commentary: it seems the site windowsupdate.microsoft.com has been
defaced. (No further comment needed, I think :(

> Is it worth the effort of sending mail,
> or should I just let it go?

well, if it is not an excessive amount, I would mail the owners of the netblocks
the attacks come from, with just a link to the CERT advisory and to the
Microsoft patch.

bye
Koba

-- 

Igor Falcomata'
IT Security Manager & Consultant
Infosec srl - http://www.infosec.it
Network Security and Data Defense
 --
free advertising: www.sikurezza.org - Italian Security Mailing List

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
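As an added example (not part of the original thread or of any of its authors' code), the following script does the defender's side of what the reply suggests: it parses web server log lines in Common Log Format (the format Apache and Zope's Z2.log write), flags the Code Red probe requests, and aggregates them per source address with first/last-seen timestamps, so the netblock owner can be notified with a concise summary. The request signature (a `GET /default.ida?` with a long run of `N`, or `X` in a later variant, followed by `%u`-encoded data) is the publicly documented one from CERT CA-2001-19; the log lines below are constructed samples, not the ones from the original mail, and the function and variable names are this example's own.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Common Log Format: host ident authuser [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red hits the Index Server ISAPI extension (default.ida) with an
# oversized query string: a long run of 'N' (original worm) or 'X' (a later
# variant), then %u-encoded bytes. 100+ repeats is far beyond any legitimate use.
CODE_RED_RE = re.compile(r'^/default\.ida\?(?:N{100,}|X{100,})%u', re.IGNORECASE)

# Patch URL as quoted in the SANS alert earlier in this message.
MS_PATCH = 'http://www.microsoft.com/technet/security/bulletin/MS01-033.asp'

# Constructed sample lines (hypothetical addresses from documentation ranges).
# The payload after the N/X run is abbreviated; only its presence matters here.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:20:11:03 +0200] "GET /default.ida?'
    + 'N' * 224 + '%u9090%u6858 HTTP/1.0" 404 289',
    '192.0.2.10 - - [19/Jul/2001:20:11:41 +0200] "GET /default.ida?'
    + 'N' * 224 + '%u9090%u6858 HTTP/1.0" 404 289',
    '198.51.100.7 - - [19/Jul/2001:21:02:17 +0200] "GET /default.ida?'
    + 'X' * 224 + '%u9090%u6858 HTTP/1.0" 404 289',
    '203.0.113.5 - - [19/Jul/2001:21:05:00 +0200] "GET /index.html HTTP/1.0" 200 1043',
    'this line is not in Common Log Format and must be skipped',
]


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_code_red(path):
    """True if the request path carries the Code Red default.ida signature."""
    return CODE_RED_RE.match(path) is not None


def summarize_probes(lines):
    """Aggregate Code Red probes per source host.

    Returns {host: {'count': n, 'first': datetime, 'last': datetime}}.
    Unparseable lines and non-matching requests are ignored.
    """
    hits = OrderedDict()
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_code_red(rec['path']):
            continue
        ts = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
        entry = hits.setdefault(rec['host'], {'count': 0, 'first': ts, 'last': ts})
        entry['count'] += 1
        entry['first'] = min(entry['first'], ts)
        entry['last'] = max(entry['last'], ts)
    return hits


def report_lines(hits, min_hits=1):
    """One summary line per source, most active first.

    Suitable for pasting into a notification to the netblock owner, pointing
    them at CERT CA-2001-19 and the Microsoft patch, as the reply suggests.
    """
    out = []
    for host, e in sorted(hits.items(), key=lambda kv: kv[1]['count'], reverse=True):
        if e['count'] < min_hits:
            continue
        out.append(
            f"{host}: {e['count']} Code Red probe(s) between "
            f"{e['first'].isoformat()} and {e['last'].isoformat()}; "
            f"see CERT Advisory CA-2001-19 and {MS_PATCH}"
        )
    return out


if __name__ == '__main__':
    for line in report_lines(summarize_probes(SAMPLE_LOG)):
        print(line)
```

In practice you would feed it the real access log (`summarize_probes(open('Z2.log'))` works, since the function only iterates over lines) and raise `min_hits` if you only want to contact owners of the noisiest sources. Matching on the request path rather than the status code is deliberate: on an Apache or Zope host the probe fails (404 here), but the source is still an infected machine worth reporting.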


www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005