News from PANUG - September 18, 2001
http://panug.org

NEW IIS ATTACK
by Ed Sawicki

While we were preparing the last email broadcast, another IIS-related worm started to attack. It's being called Nimda or W32.nimda.a.mm and started this morning at about 8:30 Pacific time. This is not the Code Red worm or a variant. It is spreading rapidly. It affects IIS servers versions 4.0 and 5.0. Apache servers are not vulnerable. Your Apache logs will show the attack with lines starting with:

mail.aero.net ||scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir

For those of you who are logging these attacks, if you send me the relevant entries in your logs - or the entire log if you don't know how to filter your logs - I'll combine all this into a list of IP addresses that we can all use to filter out these attacks at our firewalls. My email address is ed@alcpress.com.

For details, visit the following web sites:

http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml

GOBE PRODUCTIVE FOR WINDOWS/LINUX
by Ed Sawicki

At the August 2000 PANUG meeting, Gobe Software, a Portland-based company, gave a presentation on the BeOS operating system and their office suite for BeOS, called gobe Productive. Much has happened since then.

BeOS is owned by Be Incorporated (www.be.com). Last month, Be announced that BeOS was being sold to Palm, Inc. Palm intends to roll BeOS features into its PalmOS. The days of running BeOS on Intel-based desktop computers are over.

But what of gobe Productive? Gobe has ported gobe Productive to Windows and Linux! The Windows version will be available in a few weeks and the Linux version before the end of the year. I'll not tell you about its features because Gobe will be at the October PANUG meeting - except to say that it can read and write Microsoft Office file formats.

THE GOBE FAMILY LICENSE

One of the nicest things about gobe Productive is its license - the family license.
When you purchase gobe Productive, you can install it on all the computers in your house as well as on your computer at work. Viewed the other way, if your employer purchases gobe Productive, you are free to take it home and install it on all the family computers. When you buy gobe Productive, you get BOTH the Windows and Linux versions! You can run it on your Windows computer at work and your Linux computer at home. The cost of all this? $49.

OPEN RELAYS

Gregg Berkholtz offers the following URL, which ranks the software used by open relays. Open relays are misconfigured mail servers that spammers exploit. In most cases, the companies that run these mail servers are unaware that they are running open relays, and they often find themselves on Realtime Blackhole Lists (RBLs) that other mail servers use to reject mail.

Microsoft Exchange with 26.77% and sendmail with 22.26% are the top two on the list. There are far more mail servers in the world running sendmail than Exchange (sendmail powers more than half of the world's mail servers), so this puts Exchange far in the lead percentage-wise. It means that if you're running Microsoft Exchange, you should check to be certain that you're not relaying mail for spammers. If you end up on an RBL, some of your company's email will never get delivered.

Note that some mail server software was designed with anti-spamming features from the start. Exim and Postfix are good examples. You have to deliberately misconfigure them to make them behave as open relays. Some administrators have managed to do that, since both appear on the list (0.32% and 0.24%).

http://www.ordb.org/daemons/

FEEDBACK

Thomas Gibson points out a sad statistic he gleaned from an email he received from W2Knews - that over 430,000 IIS servers are "owned" by attackers. Here's the relevant excerpt:

>More than 430K servers running IIS can now be "owned". That
>means remotely controlled by crackers, using the trojan that
>code red and the Sadmind/IIS installed.
>It is very likely that
>you THINK your systems are safe, but you had been infected
>already before you made the patch. That means a back-door was
>installed on your IIS box, and still is there.
>
>This trojan is called root.exe. The worms rename an NT's
>cmd.exe to root.exe and place it in a folder that is accessible
>from the Web. With that in place, a cracker using just a Web
>browser can send a range of commands to the server. That server
>is no longer secure and any sensitive data can be pulled off.

The latest Netcraft survey results are here:
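A defender-side helper for the log filtering described in the NEW IIS ATTACK item above, as an added example that is not part of the newsletter: it parses Apache access-log lines, flags requests aimed at cmd.exe (including the double-encoded %%35%63 traversal in the sample log line) or at the root.exe backdoor named in the feedback excerpt, and tallies the source addresses so the noisiest ones can be fed to a firewall deny list. The common log format, the regex and the sample log lines are constructed assumptions; the newsletter's own log line uses a different custom format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed Apache common/combined log format (the newsletter's own log line
# uses a custom format): client, ident, user, [time], "METHOD path PROTO", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)(?: \S+)?" (\d{3})')

def decode_path(path, passes=2):
    """Percent-decode up to `passes` times: Nimda used double encoding
    (%%35%63 -> %5c -> backslash) to slip past single-decode filters."""
    for _ in range(passes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify_request(raw_path):
    """Name the worm target (cmd.exe or root.exe) a request reaches for, noting
    '../' traversal once every encoding layer is stripped; None otherwise."""
    path = decode_path(raw_path)
    for target in ("root.exe", "cmd.exe"):
        if target in path:
            return target + (" via traversal" if "../" in path else "")
    return None

def block_list(log_lines):
    """Count worm-style hits per client address."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess a client
        client, path, _status = m.groups()
        if classify_request(path):
            hits[client] += 1
    return hits

# Constructed sample log; the addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:08:41:03 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:08:41:04 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.9 - - [18/Sep/2001:08:42:10 -0700] "GET /index.html HTTP/1.1" 200 1532
192.0.2.44 - - [18/Sep/2001:08:43:55 -0700] "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
""".splitlines()

if __name__ == "__main__":
    for client, count in block_list(SAMPLE_LOG).most_common():
        print(f"{client}\t{count} hits")
```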