RE: inetinfo.exe & hacking problem
From: Lisa Cozzens [MSFT] (lcozzens_at_online.microsoft.com)
Date: 08/05/03
- Next message: Angel: "Install SSL Cert - NO KEY Manger in IIS 5"
- Previous message: Mark Hildreth: "Re: Script access - IIS 6"
- In reply to: MikeS: "inetinfo.exe & hacking problem"
Date: Tue, 05 Aug 2003 00:32:21 GMT
After infecting a server, a lot of worms (such as Code Red and Nimda)
attempt to propagate themselves by connecting to port 80 on random IP
addresses and sending the same requests they used to infect their "host"
server. From the infected server's perspective, this will show up as
connection attempts to port 80 on other IP addresses coming from
inetinfo.exe.
Normally a virus scan will pick up when you've been infected by an IIS
worm, but keep in mind that worms do not behave the same on all machines.
Some machines will only show a few symptoms of an attack, and I am willing
to bet that this is what is going on in your case. Since version 5.0.2151.1
of inetinfo.exe was shipped with Windows 2000 gold (i.e. no service packs),
I would highly suspect that you've been infected by one of these worms.
Recommended course of action:
1. Reformat and reinstall Windows with the network cable unplugged
2. Go into Services in Control Panel and set World Wide Web Publishing
Service to Disabled.
3. Plug in the network cable.
4. Go to http://windowsupdate.microsoft.com. Start with Service Pack 4 and
keep patching until Windows Update says you're up-to-date.
5. Set WWW Publishing back to Automatic startup.
6. Keep visiting Windows Update on a regular basis to make sure you keep up
with your patches.
If that's too drastic:
1. Set WWW Publishing to Disabled.
2. Check your IIS logs, and try to determine when you were infected and by
which worm (Code Red and Nimda are the likely suspects) and variant.
3. Use an appropriate clean-up tool to remove the infection. (Keep in mind
that even the best cleanup tools may miss some pieces of the infection,
which can lead to reinfection even on a properly patched server. This is
why I recommend reformatting/reinstalling if at all possible.)
4. Follow steps 4-6 above.
Hope this helps,
Lisa
> I got a call from my ISP saying that my computer is
> scanning port 80 on multiple IP addresses.
>
> When I look at my Linksys router's log viewer, I see that
> my private IP is scanning port 80 on other IP addresses
> and the application doing this is inetinfo.exe
>
> I searched my server for any other inetinfo.exe files, but
> the only one I had was in winnt/system32.
>
> I did a virus scan with norton 2003 with updated
> definitions, but no virus was detected.
>
> The file I have is 14,608 bytes and has 2 version numbers.
> The ver # on top is 5.0.2151.1
> The ver # under product version is 5.00.0984
>
> How could a hacker use this file for port scanning?
> How can I fix this?
>
> Thanks
> MikeS
>
-----
This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.
© 2003 Microsoft Corporation. All rights reserved.
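Step 2 of the fallback procedure in the reply above says to check the IIS logs to work out when the server was infected and by which worm. The following is an added example, not code from the original post or from Microsoft: it parses IIS 5 W3C extended log lines and flags the well-known request paths used by Code Red (`/default.ida`) and Nimda (`root.exe` and `cmd.exe` reached through script directories), then reports the first sighting per worm and how many of those requests IIS answered with 200. The log excerpt, the IP addresses (RFC 5737 documentation ranges) and all function names are constructed for illustration.

```python
"""Find Code Red / Nimda request patterns in an IIS 5 W3C extended log."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed IIS 5 W3C extended log excerpt (documentation IP ranges, not
# real traffic). The Code Red query string is truncated to a few characters.
IIS_LOG_SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-07-20 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-07-20 00:00:01 192.0.2.10 GET /index.htm - 200
2003-07-20 03:14:22 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNN 200
2003-07-21 11:02:09 203.0.113.9 GET /scripts/root.exe /c+dir 404
2003-07-21 11:02:10 203.0.113.9 GET /MSADC/root.exe /c+dir 404
2003-07-21 11:02:11 203.0.113.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2003-07-21 11:02:12 192.0.2.10 GET /images/logo.gif - 200
"""

# Request paths the two worms named in the reply are known to use. Matching
# on the URI stem alone keeps the rule coarse and tolerant of the many
# directory and encoding variants seen in real logs.
WORM_SIGNATURES = {
    "Code Red": ("/default.ida",),
    "Nimda": ("/root.exe", "/cmd.exe"),
}


@dataclass
class Hit:
    timestamp: datetime
    client_ip: str
    worm: str
    uri_stem: str
    status: int


def classify(uri_stem: str) -> Optional[str]:
    """Return the worm whose signature appears in uri_stem, else None."""
    stem = uri_stem.lower()
    for worm, markers in WORM_SIGNATURES.items():
        if any(marker in stem for marker in markers):
            return worm
    return None


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields matters for parsing the entries.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry appears before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated entry: skip rather than guess
        yield dict(zip(fields, values))


def find_worm_hits(lines: Iterable[str]) -> List[Hit]:
    """Collect every entry whose URI stem matches a worm signature."""
    hits: List[Hit] = []
    for entry in parse_w3c(lines):
        worm = classify(entry.get("cs-uri-stem", ""))
        if worm is None:
            continue
        when = datetime.strptime(entry["date"] + " " + entry["time"],
                                 "%Y-%m-%d %H:%M:%S")
        hits.append(Hit(when, entry["c-ip"], worm,
                        entry["cs-uri-stem"], int(entry["sc-status"])))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, dict]:
    """Per worm: first sighting, probe count, 200 responses, source IPs.

    A 200 on one of these requests means IIS handed it to a real target (an
    .ida ISAPI mapping, an existing root.exe or a reachable cmd.exe); a 404
    means the probe bounced off a path that was not there.
    """
    summary: Dict[str, dict] = {}
    for hit in sorted(hits, key=lambda h: h.timestamp):
        row = summary.setdefault(hit.worm, {
            "first_seen": hit.timestamp.isoformat(sep=" "),
            "probes": 0, "served": 0, "sources": set()})
        row["probes"] += 1
        if hit.status == 200:
            row["served"] += 1
        row["sources"].add(hit.client_ip)
    return summary


if __name__ == "__main__":
    for worm, row in summarize(find_worm_hits(IIS_LOG_SAMPLE.splitlines())).items():
        print(f"{worm}: first seen {row['first_seen']}, {row['probes']} probes, "
              f"{row['served']} answered 200, from {sorted(row['sources'])}")
```

Run it against the real log directory (`%SystemRoot%\System32\LogFiles\W3SVC1\` by default on IIS 5) by feeding the files' lines to `find_worm_hits`; the earliest entry with status 200 is the point from which the server should be treated as compromised, which is what makes the reformat-and-reinstall advice above the safer option.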