Date: 20 July 2001
AusCERT Update - Increased Activity - "Code Red" IIS worm
20 July 2001
-----BEGIN PGP SIGNED MESSAGE-----
Dear AusCERT member,

AusCERT has received reports of significantly increased activity
of the "Code Red" worm. The worm has been nicknamed "Code Red" by
eEye Digital Security, who have published an alert at:

http://www.eeye.com/html/Research/Advisories/AL20010717.html

The worm targets a recently patched vulnerability in the Microsoft
Internet Information Server (IIS) Indexing Service DLL.

This worm allegedly has the potential to affect sites in two distinct
ways. The exploit has a web defacement component which may result
in the default page for a site being replaced with one containing
the words "Hacked by Chinese". Additionally, the manner in which
the worm propagates may have a denial-of-service effect on sites
targeted early in an outbreak.

Sites are strongly encouraged to apply the Microsoft patch listed
in the AusCERT External Security Bulletins:

ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.238
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.241

AusCERT stress that this worm has the potential to adversely affect
member sites, and we encourage system administrators to be alert
for evidence of any activity on their systems that may indicate
its presence.

- From eEye Digital Security (http://www.eeye.com/):
] I have been infected by this worm what can I do?
] ------------------------------------------------
]
] The first thing you must do is go to the Microsoft security site, as
] referenced above, and install the .ida patch ASAP. The worm will remain
] in memory until you reboot your server so make sure to reboot after
] installing the .ida patch.
]
]
] I think I am infected, how can I tell?
] --------------------------------------
]
] An infected system will show an increase in load (processor/network). It
] will also show a number of external connections (or attempts) to port 80
] of random IP addresses. You can see this by doing a "netstat -an" from a
] MS-DOS prompt. Either way do not take any chances... if your system is
] missing the .ida patch then install it ASAP and reboot.

AusCERT is very interested in any reports regarding this activity.
If you have any information, comments or questions about this
threat, please contact us.

Regards,
The AusCERT Team.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Facsimile: (07) 3365 7031
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBO1ftfyh9+71yA2DNAQGMxAP8DvP87XLAnHxtg0qxYVus11vBxI2TTu5q
R2IMHyjgWo4F7UfjLi6c0U0jyOKkDi5Av+u8FGOIclDJw1FoOuIcZcsxJKnMl/3D
Evr4DPU4k/82PgJdztygWVnuMPbO7lEm6nDo/tbxUzSrhRx4PqQBBGEAjJSARbAU
QhJQsm9eB20=
=gpS+
-----END PGP SIGNATURE-----
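
Added example (not part of the AusCERT or eEye text): one way to automate the "netstat -an" check quoted above, by counting outbound TCP connections to remote port 80 per destination. The sample output is constructed, and the three-host threshold and function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of Windows "netstat -an" output (documentation addresses only).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:3312      ESTABLISHED
  TCP    192.0.2.10:1045        203.0.113.5:80         SYN_SENT
  TCP    192.0.2.10:1046        203.0.113.77:80        SYN_SENT
  TCP    192.0.2.10:1047        198.51.100.200:80      ESTABLISHED
  TCP    192.0.2.10:1048        203.0.113.5:80         SYN_SENT
  TCP    192.0.2.10:1049        192.0.2.25:25          ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# Proto, local ip:port, foreign ip:port, state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
OUTBOUND_STATES = {"SYN_SENT", "ESTABLISHED"}


def outbound_port80(netstat_text):
    """Return a Counter of remote IP -> outbound TCP connections to port 80."""
    hits = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        # Visitors to this web server have LOCAL port 80; the connections the
        # advisory describes have REMOTE port 80 and originate from this host.
        if remote_port == "80" and local_port != "80" and state in OUTBOUND_STATES:
            hits[remote_ip] += 1
    return hits


def looks_suspicious(netstat_text, min_distinct_hosts=3):
    """Assumed heuristic: flag a server talking to many distinct hosts on port 80."""
    return len(outbound_port80(netstat_text)) >= min_distinct_hosts


if __name__ == "__main__":
    for ip, count in outbound_port80(SAMPLE).most_common():
        print(f"{ip:<18}{count}")
    print("suspicious:", looks_suspicious(SAMPLE))
```

A positive result is only a prompt to investigate; the advisory's instruction to install the .ida patch and reboot applies regardless of what this check reports.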