PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From: Brad Loomis <[log in to unmask]>
Reply To: PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date: Thu, 19 Jul 2001 21:43:14 -0700
Content-Type: text/plain

Yesterday, Shawn M. Shea wrote:

> Help!!!!! The web publishing service keeps shutting down on a client IIS 4.0
> web server.

Hi, I don't run IIS, but the following from SANS, www.sans.org may be of
great concern to those who are.
Brad Loomis
Los Angeles, CA



**** SANS Security Alert *****
Plus a status update of interest to most security professionals.

The rapidly spreading IIS Code Red Worm is a problem of sufficient
magnitude to bring the Internet's INFOCON Alert Status to YELLOW --
and that is now reflected at Incidents.Org.

If you or anyone you know has an IIS server, please get it patched,
now!

The patch is posted at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
[Yes that's a real Microsoft site]

Two hundred thousand systems may already have been infected. If you
are unsure whether yours is one of them, turn it off after you have
patched it.  The current worm seems to disappear when the machine
is powered down, but you will be quickly reinfected if you are not
patched.

Please stay tuned to www.incidents.org and www.cert.org for further
information as it becomes available.

**************************************

SANS Training, GIAC Certification, and SANS Research Update
Edition 5, July 20, 2001

Greetings! I am Stephen Northcutt and this is the fifth time since
the beginning of GIAC we have issued one of these newsletters.
The primary focus of this note is to share opportunities for your
involvement in the research projects from the SANS Institute.


Table of Contents
- Lessons from the W32leaveworm
- Cyber Defense Initiative
- Top 10 List
- Intrusion Detection with Snort/Acid Step-by-Step
- Incident Handling Step-by-Step
- IO Wargames Conference
- Conference and Training Information
- Closing Thought - Impact of Being Hacked


****************************************
Lessons from the W32leaveworm infestation

The full analysis is available at:
http://www.incidents.org/react/w32leaveworm.php
The magnitude of this attack is astounding. Given the rate of
increase in the Leave worm and its less sophisticated variants, the
defensive community could be facing many thousands of zombie agents
on compromised Windows platforms that can be instructed to download
code and are time synchronized.  That represents enough distributed
denial of service force to flatten an entire country from an Internet
connectivity perspective.

To make matters more interesting, as soon as we had half a
handle on Leave, a different, IIS based worm was beginning
to spread rapidly. For more information you can check:
http://www.incidents.org/archives/intrusions/msg01080.html or the
easiest thing to do may be to check the Handler's diary when you
get to work every morning at
http://www.incidents.org/diary/diary.php

Whatever worm is running when you read this, please make sure YOU are
not one of their servants. Update and run your anti-virus signatures
to make sure you can detect these critters; then make your mother,
your brother, and your next-door neighbor do the same.  If you are
running IIS PLEASE stay tuned with Microsoft for hot fixes.
