
AusCERT Alert 2001.08 Current widespread intruder activity against IIS and sunrpc

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2001.08  --  AUSCERT ALERT
         Current widespread intruder activity against IIS and sunrpc
                                 8 May 2001

===========================================================================

PROBLEM:  

	  AusCERT has received increased numbers of reports of apparently
	  automated activity directed against vulnerable implementations
	  of Microsoft Internet Information Server (IIS) and Sun portmapper
	  (sunrpc) services on Internet hosts within Australia and New
	  Zealand over the past few days. Web site defacements have been
	  reported that may be a result of this activity.

	  The cause of this activity is believed to be a new worm that is
	  similar to 1i0n or Ramen.  The worm is believed to operate by
	  compromising Solaris machines running vulnerable services
	  available via sunrpc.  These compromised platforms are then used
	  to launch web defacement attacks utilising the "Unicode Bug"
	  against vulnerable IIS 4.0 and 5.0 servers.

	  The IIS attack is based on a relatively old vulnerability in
	  unpatched versions of Microsoft IIS 4.0 and IIS 5.0. This
	  vulnerability is more commonly known as the "Unicode Bug". More
	  information is available from the previous AusCERT Alert:

        	ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.02

	  and the AusCERT External Security Bulletin:

        	ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.360

	  It appears that this attack is accompanied by attempts to exploit
	  services available via sunrpc (port 111) on Sun Solaris machines.
	  Information about the most recent vulnerabilities is in the
	  AusCERT External Security Bulletins:

        	ftp://ftp.auscert.org.au/pub/auscert/AA/AL-2001.06
        	ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.132
        	ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.222
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-1999.203

	  These attacks are currently widespread and AusCERT is releasing
	  this information to alert system administrators to this activity.
	  Member sites may wish to check their systems for evidence of
	  attacker activity directed at sunrpc services or malformed URL
	  requests directed at IIS servers.
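As an added example (not part of the AusCERT alert, and not an AusCERT or Microsoft tool), the check below flags Unicode Bug requests in IIS W3C extended log lines. The bug in unpatched IIS 4.0/5.0 was that the ".." traversal check ran before UTF-8 decoding, and the decoder accepted overlong sequences, so %c0%af (which decodes to "/") and %c1%9c (which decodes to "\") slipped past the check; IIS also did not validate continuation bytes, which is why the widely reported %c1%1c variant decodes to "\" as well. The lenient decoder below models that behaviour (assumed to match IIS for the 2- and 3-byte forms). The log field order and every log line are constructed for the example; adjust LOG_RE to the #Fields: line of your own logs.

```python
"""Flag "Unicode Bug" (MS00-078) directory-traversal attempts in IIS W3C
extended log lines. Added example, not AusCERT or Microsoft code; the
sample log at the bottom is constructed, not captured."""
import re
from urllib.parse import unquote_to_bytes

# Field order assumed for the constructed sample (see its #Fields: line).
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)"
)


def overlong_ascii(raw):
    """Yield (offset, length, codepoint) for every 2- or 3-byte UTF-8
    sequence in raw that is an overlong encoding of an ASCII character.
    Continuation bytes are deliberately not validated, mirroring the
    lenient IIS decoder (assumption; it is what makes %c1%1c decode)."""
    i, n = 0, len(raw)
    while i < n:
        lead = raw[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < n:
            cp = ((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:            # only lead bytes C0 and C1 get here
                yield i, 2, cp
            i += 2
        elif 0xE0 <= lead <= 0xEF and i + 2 < n:
            cp = ((lead & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            if cp < 0x80:            # e.g. %e0%80%af -> '/'
                yield i, 3, cp
            i += 3
        else:
            i += 1


def as_iis_decoded(raw):
    """Return the path as the vulnerable decoder saw it: each overlong
    sequence replaced by the ASCII byte it decodes to, everything else
    kept (rendered as latin-1 so no byte is lost)."""
    replacements = {off: (ln, cp) for off, ln, cp in overlong_ascii(raw)}
    out, skip_until = bytearray(), 0
    for i, b in enumerate(raw):
        if i < skip_until:
            continue
        if i in replacements:
            ln, cp = replacements[i]
            out.append(cp)
            skip_until = i + ln
        else:
            out.append(b)
    return out.decode("latin-1")


def is_unicode_traversal(uri_stem):
    """True when an overlong '/' or '\\' sits directly next to a '..'
    segment, the shape of every Unicode Bug request. A plain '../'
    is not flagged: IIS handled that form correctly."""
    raw = unquote_to_bytes(uri_stem)
    for off, ln, cp in overlong_ascii(raw):
        if cp in (0x2F, 0x5C):       # '/' or '\'
            before = raw[max(0, off - 2):off]
            after = raw[off + ln:off + ln + 2]
            if before == b".." or after == b"..":
                return True
    return False


def scan_log(lines):
    """Return (client ip, logged stem, decoded stem) for each request that
    looks like a Unicode Bug attempt; comment and blank lines are skipped."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if m and is_unicode_traversal(m.group("stem")):
            stem = m.group("stem")
            hits.append((m.group("ip"), stem, as_iis_decoded(unquote_to_bytes(stem))))
    return hits


# Constructed sample log; the addresses are documentation-range addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-07 03:12:41 192.0.2.10 GET /default.htm - 200
2001-05-07 03:15:02 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-07 03:15:03 198.51.100.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-05-07 03:15:05 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-05-07 03:15:09 198.51.100.7 GET /msadc/..%e0%80%af../winnt/system32/cmd.exe /c+dir 200
2001-05-07 03:16:11 192.0.2.33 GET /docs/caf%c3%a9.htm - 200
2001-05-07 03:17:50 192.0.2.40 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
"""

if __name__ == "__main__":
    for ip, stem, decoded in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip}  {stem}  ->  {decoded}")
```

Run against the sample, the four requests from 198.51.100.7 are reported and the legitimate UTF-8 file name and the plain "../" request are not. A 200 status on a flagged cmd.exe request is the strongest indicator that the server was unpatched at the time; a 404 or 403 suggests the attempt failed, but the source address is still worth noting.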

PLATFORM:

	  For the sunrpc activity, currently only Solaris platforms which
	  have unpatched services available via sunrpc (port 111) may be
	  vulnerable to these attacks.

	  For the Unicode Bug, unpatched IIS 4.0 and 5.0 servers are
	  vulnerable to these attacks.

IMPACT:

	  Sun Solaris systems are being actively attacked and root
	  compromised.

	  Servers running IIS 4.0 and 5.0 are being actively attacked and
	  defaced.


RECOMMENDATIONS: 

          A. Patch Vulnerable Solaris Services

	  Solaris System Administrators are urged to check their systems for
	  insecure versions of sunrpc services as per AusCERT Alerts and
	  Bulletins available from:

        	ftp://ftp.auscert.org.au/pub/auscert/AA/AL-2001.06
        	ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.132
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.222
		ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-1999.203

          B. Patch Vulnerable Versions of IIS

	  Microsoft System Administrators are urged to check their systems
	  for insecure versions of IIS services as per AusCERT Alerts and
	  Bulletins available from:

        	ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.02
        	ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.360

          C. Consider Wrapping portmap 

	  Administrators may wish to consider wrapping the portmap service
	  using a replacement portmapper with host-based access control,
	  such as the one provided by Wietse Venema:

                http://ftp.porcupine.org/pub/security/portmap_4.tar.gz

	  Note that wrapping portmap only restricts who can look up RPC
	  program numbers; the underlying RPC services still listen on
	  their own ports and can be reached directly by an attacker who
	  scans for them, so wrapping is a supplement to patching, not a
	  substitute for it.
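As an added illustration (not part of the AusCERT alert), the wrapped portmap reads the same hosts.allow and hosts.deny files as tcp_wrapper, matching on the daemon name portmap. A deny-by-default policy with an explicit allow list for the local network (192.0.2.0/24 is a placeholder range) looks like this:

```text
# /etc/hosts.deny  -- refuse portmap lookups from everywhere by default
portmap: ALL

# /etc/hosts.allow -- then permit only the hosts that need RPC lookups
portmap: 127.0.0.1
portmap: 192.0.2.0/255.255.255.0
```

Verify the result from a host outside the allowed range with `rpcinfo -p <server>`, which should now fail to list the registered programs; from an allowed host the listing is unchanged. Because the services themselves remain reachable on their own ports, also review that listing for daemons you do not need and disable or patch them as per recommendation A.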

          D.  Check For Signs of Compromise
       
          If you suspect that your site may have been compromised, we
          encourage you to read:

                ftp://ftp.auscert.org.au/pub/cert/tech_tips/intruder_detection_checklist

          If your site has been compromised, we encourage you to read:

                http://www.auscert.org.au/Information/Auscert_info/Papers/win-UNIX-system_compromise.html

	  AusCERT is currently monitoring this problem. If you detect that
	  your systems have been compromised, please contact AusCERT.


- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOvgXaCh9+71yA2DNAQG56wP9HdNfMQZlCnDgDBoCGnNRi2eLAB0QRsqX
OYYR/ufK0oxcQIyvZoe+7JPB5MSX9jTp30d9eqHE3khkwHSZ2s9GqN7jbYxeD/IL
9wW/r/tk82PtrbbtDk/b2XJeNh/gLHgQRmK2xAK5qRM61J3Rkw2HGWP0CMPiWWxx
Dng6ZwQApV8=
=aPEl
-----END PGP SIGNATURE-----
