Re: Secured IIS Project - msg 2
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F167A88@muskie.rc.on.ca>
Date: Fri, 20 Jul 2001 13:30:57 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Re: Secured IIS Project - msg 2
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
-----BEGIN PGP SIGNED MESSAGE-----
I'm overwhelmed with responses, this is great!
I've spoken with Johannes B. Ullrich, who runs a service called
DSHIELD (www.dshield.org). The purpose of DShield is to collect logs
from Firewalls and Intrusion Detection Systems from around the world
and determine attack trends, top attacking addresses, that sort of
thing.
Given the scope of this worm, he's putting in an extra effort to
extract IP addresses and automatically send an email to the
(believed) responsible party for an infected box. This is a great
first step, although my effort will be to go beyond that and actually
get someone on the phone.
Meanwhile, he has facilities established to collect log information,
parse it, and extract the relevant information I need. So rather than
recreate that wheel, I'm asking everyone to start forwarding their
logs to his addresses until further notice.
Read through http://www.dshield.org/howto.html if you have logs from
anything other than Apache or IIS servers (like Firewall or IDS
logs).
For Apache or IIS logs, send them to redalert@dshield.org
Feel free to grep your logs to remove anything but entries of the
worm, or worm-like requests (anything trying for .ida, .idq, .htr,
.printer).
Meanwhile, I have a script almost ready to go that will automate the
mapping removal process, as well as make a couple of other necessary
checks. I'll be placing it in the Downloads section of the website
shortly; I'll drop a note when it's there.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBO1hq0RBh2Kw/l7p5AQEyVAP+PTb9R0IlVUvUlm6hbxnG0W89jGbFZ2m5
xx1mQbh0PTnezX3VBSNIkU8h5mE/fArMMaCbr+bdr3o2ocorq3nNYA9XjVzpIUV5
Zmll2T579lULFmbgE4em1OjraSf/x8L+GTC2ElyeZK/CEe7PWOZ8IlbO6/hibMaN
G+ESWD1Eyww=
=7M6U
-----END PGP SIGNATURE-----
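One way to do the log trimming the message asks for (keep only requests for .ida, .idq, .htr or .printer, and list the addresses they came from), as an added example that is not part of the original message and not DShield's own tooling. It assumes Apache common log format and IIS W3C extended format with the default field order; the log lines embedded in it are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example, not from the original NTBugtraq message: trim Apache/IIS
# access logs down to the worm-like requests the message lists (.ida, .idq,
# .htr, .printer) and pull out the source addresses before forwarding.
# The log lines below are constructed samples, not real captures.

SAMPLE_LOG='192.0.2.10 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 400 325
198.51.100.7 - - [19/Jul/2001:14:03:45 -0400] "GET /index.html HTTP/1.1" 200 1043
2001-07-19 18:05:02 203.0.113.5 GET /scripts/query.idq q=1 200
2001-07-19 18:06:30 203.0.113.5 GET /NULL.printer - 404
2001-07-19 18:07:12 203.0.113.9 GET /images/logo.gif - 200
192.0.2.10 - - [19/Jul/2001:14:08:50 -0400] "GET /iisadmpwd/achg.htr HTTP/1.0" 404 0'

# worm_hits: keep only lines whose request path ends in one of the four
# extensions. The extension must be followed by '?', whitespace or '"' so
# that both Apache's quoted request ("GET /x.ida?... HTTP/1.0") and IIS
# W3C's separate cs-uri-stem / cs-uri-query columns ("GET /x.idq q=1")
# match, while ".html" or ".idaho" somewhere in a path do not.
worm_hits() {
    grep -E -i '/[^[:space:]"?]*\.(ida|idq|htr|printer)(\?|[[:space:]]|")'
}

# worm_source_ips: print each attacking address once. Apache CLF has the
# client IP in field 1, IIS W3C extended format (default fields) in
# field 3; rather than guess the format, take the first dotted-quad field.
worm_source_ips() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; break }
    }' | sort -u
}

# Usage on a real log: worm_hits < /var/log/httpd/access_log > worm-only.log
printf '%s\n' "$SAMPLE_LOG" | worm_hits
printf '%s\n' "$SAMPLE_LOG" | worm_hits | worm_source_ips
```

Forward the filtered lines rather than only the address list, so the timestamps stay attached to each hit.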