msblast.exe WTF?!?!?!?!?!

My personal experience today with 3 mission critical web servers was that if you disabled the Internet Information Service, (not just stopped it, but actually disabled it so that it wouldn’t fire back up again after a reboot) and then rebooted those webservers, you could then work on the internet downloading all of the appropriate patches and Service Packs that you felt were necessary.

Caveat: My 3 webservers were WIN2K machines, one was a development machine running “Professional” and the other two are commercial servers running “Advanced Server”.

Shutting down the IIS functions disallows the “msblast worm” to successfully impregnate itself into a mission critical OS program which is already loaded into RAM, which is called svchost.exe.

My personal experience showed that there was no real effective way to keep your IIS functioning after the worm had impregnated itself into the svchost.exe’s memory space. You could try stopping the RPC service and the IIS and WWW Publisher services but no success sadly.

I actually have log files which show examples of the GET /.hash URL hits. I used “NEOTRACE” to search where these hits were coming from. Without exception, Bangkok and Manila. GO figure. I guess a lot of porn webservers are based in those countries, I’m thinking.

In closing? We had about 2 hours in total off air for our particular mission critical web database functions. Could have been worse with hindsight.

My personal belief is this - regardless of whether you’re running NT4.0, or 2000, or XP Advanced Server - I suspect that if your machine had been configured to NOT provide the IIS functions, then such machines would have been immune I rather think. However, once the worm was impregnated, your machine’s ability to send OUT nasty worm hits to other innocent machines might have been compromised.

To be fair to Microsoft, there is a Justice Department consent order that requires Microsoft to disclose vulnerabilities. Microsoft has no choice in the matter. Once disclosed, then this can be an illuminated bullseye for hackers to go after.

Keep your patches up to date people. The Slammer vulnerability had been patched about 6 months and then service packed months before that one hit.

That particular symptom was a direct result of the program called svchost.exe becoming infected in RAM. The file itself was not infected, merely the version loaded into RAM - and it’s the core program which is the basis of the Remote Procedure Call software - which is the mother program to a HELL of a lot of other services - ergo it really is quite a crippling blow to a webserver.

Don’t know what’s going on, but when I just tried to connect to the Windows updates, the server was not responding. Fortunately I got the updates yesterday, but I have to wonder if the reason the server is not responding is:

a) so many ppl trying to get the updates at the last minute (just about as effective as an automated DoS attack)

b) Microsoft taking it offline for a while so they can protect it from an upcoming DoS

c) The W32.Blaster.Worm starting its attack

d) Microsoft’s general incompetence and/or a temporary glitch.

Sorry, just managed to connect (after 30 mins of trying). Guess I answered my own question: a)

Ooooh! I’m hit! Medic!

I managed to delete the msblast while not connected to the internet, then I renamed a text file msblast.exe and stuck it in the temp folder, and that seemed to hold off the service downloading a new copy of it until I could get Trend’s stand-alone downloaded and applied. What a pain! When PC-cillin was deleting the virus it was also deleting the TFTP folders and such, so I would assume that Anthracite wins the level-headedness award for the day. Apply the fix, apply the patch and I’m betting we’re all going to be safe. No way am I re-formatting my drive.

-Tcat

Agreed. Anthracite rocks.

Thanks for the advice provided.

A note of amusement - if the file date on the Worm correctly suggests when it infected my system, it hit when I was downloading updates from MS!! Indeed it appears that I was infected as I was pulling down the updates.

It’s certainly a busy little worm today. I’m on a dialup, so I never bothered installing a firewall. This outbreak indicates that that’s no longer very safe, so I downloaded and installed ZoneAlarm. It’s getting port 135 hits several times a minute!!

Sure glad I retired a few years back (I used to be a sysadmin/LAN manager type guy). The next week or two are going to be ugly.

I got nailed with this yesterday, after I installed Earthlink. At first I thought it was on the Earthlink CD itself, but now I suspect that the IP address Earthlink gave me happened to be one that the worm scans for. I got hit within minutes of connecting to the Earthlink network. It’s gone now, and the patch has been installed.

Well, I had it, took it off with the Stinger, but the svchost.exe file just crashed again :(. I guess I better get the patches.

Question, how do I check on such things if at all via Win XP’s own firewall - which seems to be working fine by the way, thanks again.

How can I know if my svchost.exe file was affected? I don’t seem to have any of the symptoms, but I don’t see why my computer would not have been affected in this way while most people’s were…

-FrL-

See Microsoft’s page, Internet Connection Firewall security log file overview.

Frylock: I don’t know if you could tell if that particular file was affected. Note that it’s supposedly only changed after being loaded into RAM, so if you just search for that file on your system and look at the modified date, that won’t tell you.

If you’ve installed the patch, you’re fine. Don’t worry about it. Why weren’t you affected? Well, does Windows Update download updates automatically on your computer? If so, maybe you were already patched and didn’t even know it. If not, there’s always the possibility that the range of IP addresses yours is part of wasn’t scanned by attackers.
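The posts above ask how to read what XP’s own firewall is seeing (the port 135 hits mentioned several times in this thread). Internet Connection Firewall writes its security log (pfirewall.log) in a W3C-style text format with a `#Fields:` header naming the columns. This is an added example, not code from the thread or from Microsoft: it parses that format and summarizes dropped inbound TCP connections to port 135 by source address and by minute. The log lines are constructed, with the field list taken from the XP-era ICF format; the documentation-style addresses are placeholders.

```python
"""Summarize inbound port-135 probes recorded by the Windows XP Internet
Connection Firewall (ICF) security log.  Added example; the log text below
is constructed in the format ICF writes to pfirewall.log."""
from collections import Counter

# Constructed sample log.  ICF names its columns in the "#Fields:" header,
# so the parser reads column names from there instead of hard-coding them.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 09:01:10 DROP TCP 198.51.100.7 192.0.2.10 4021 135 48 S 3151205761 0 65535 - - -
2003-08-12 09:01:12 DROP TCP 198.51.100.7 192.0.2.10 4022 135 48 S 3151209913 0 65535 - - -
2003-08-12 09:01:30 DROP TCP 203.0.113.44 192.0.2.10 1066 135 48 S 2012345678 0 65535 - - -
2003-08-12 09:02:05 OPEN TCP 192.0.2.10 192.0.2.1 1045 80 0 - 0 0 0 - - -
2003-08-12 09:03:01 DROP TCP 203.0.113.44 192.0.2.10 1067 135 48 S 2012350000 0 65535 - - -
"""


def parse_icf_log(text):
    """Yield one dict per event line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other comment lines (version, software, time format)
        if fields is None:
            raise ValueError("event line appeared before the #Fields header")
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated line (e.g. the file was still being written)
        yield dict(zip(fields, parts))


def port135_probes(text):
    """Return (Counter of source IPs, total) for dropped TCP connections to port 135."""
    by_src = Counter()
    for ev in parse_icf_log(text):
        if ev["action"] == "DROP" and ev["protocol"] == "TCP" and ev["dst-port"] == "135":
            by_src[ev["src-ip"]] += 1
    return by_src, sum(by_src.values())


def probes_per_minute(text):
    """Bucket dropped port-135 hits by minute ("date HH:MM"), the rate the thread talks about."""
    per_min = Counter()
    for ev in parse_icf_log(text):
        if ev["action"] == "DROP" and ev["dst-port"] == "135":
            per_min[ev["date"] + " " + ev["time"][:5]] += 1
    return per_min


if __name__ == "__main__":
    by_src, total = port135_probes(SAMPLE_LOG)
    print(f"{total} dropped connection attempts to TCP port 135")
    for src, n in by_src.most_common():
        print(f"  {src}: {n}")
    for minute, n in sorted(probes_per_minute(SAMPLE_LOG).items()):
        print(f"  {minute}: {n}/min")
```

To run this against a real machine, enable logging of dropped packets in the firewall’s Advanced settings, then read the pfirewall.log path shown there into `port135_probes`. Only the DROP action is counted, so outbound connections the firewall allowed (logged as OPEN when successful-connection logging is on) do not inflate the numbers.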

See, my problem is that no matter how I configure it, Zone Alarm blocks my wireless network.

My network consists of an ADSL modem plugged into a Sony Vaio USB port. The Vaio has a wireless router plugged into its ethernet port, which my Powerbook uses to get online. So no Vaio, no internet for the Powerbook. And when Zone Alarm is running on the Vaio, the internet won’t work on the Powerbook. And yes, I’ve put all the relevant IPs into trusted zones etc. Maybe Zone Alarm is just a bit crappity at this sort of thing?

Luckily the completely firewall free Powerbook has NEVER caught a virus, worm, or trojan of any kind. <insert Mac smiley here>

Strange, I am having a problem with my computer shutting down at seemingly random times. Sometimes it won’t for days at a time, other times two or three times in a few hour period. Only when I have a browser or two open though. It never gives a warning. I do not have msblast.exe on my computer or on my startup, so I guess I am safe. I have a firewall - comes with swbell.net.

Strange though that they are so similar.

Bah!

It looks like I’m not infected, no msblast, virus check comes up clean. But every time I go online my svchost crashes and RPC shuts down. I’ve patched and everything.

btw- how does one block a specific port? In this case 130 (or is it 135?)

-Tcat

Blargh.

Yesterday I worked a 10 hour shift. It was supposed to be 8 hours. Today looks to be more of the same. I removed this freaking virus from 40+ systems yesterday. Here is the best route I have found.
Unplug Your Ethernet Connection from your computer.

Disable System Restore.
Click – Start/Control Panel/System/System Restore(tab). Check “Turn off System Restore” or “Turn off System Restore on all Drives”. Click “Apply” and “Yes”.

Enable XP Firewall.
Click – Start/Control Panel/Network Connections. Right Click on your internet connection and Left Click Properties. Click on Advanced(tab) check “Protect my computer.” Click “OK”

Connect your Ethernet connection and reboot your system.

Download Patch.
Connect to the internet. Go to www.microsoft.com.
Click on “Downloads” located in left hand panel under “Resources”.
Click on “Windows XP Security Patch: Buffer Overrun In RPC Interface Could Allow Code Execution”. If you are running 2000 select 2000 Security patch instead.
Click “Download” in first box to the right. Select “Open” in download dialog box. This will allow auto install. Reboot.

Stop Msblast process.
Press <Ctrl><Alt><Del>. Click Processes(tab). Highlight “msblast” and click “End Process”

Edit Registry.
Click Start/Run. Enter “regedit” in dialog box and Click “OK”.
Follow the following path - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right hand pane delete both listings “windows auto update” and “msblast.exe”.
Close registry.

Delete any remnants.
Click Start/Search/All Files and Folders. Search for “msblast”. Delete any files found.

Enable System Restore.
Click – Start/Control Panel/System/System Restore(tab). Uncheck “Turn off System Restore” or “Turn off System Restore on all Drives”. Click “Apply” and “Yes”.

Reboot.

When complete download and install Windows Updates. Using IE Click “Tools” then “Windows Updates”

Install a firewall program. A very nice FREE version of ZoneAlarm is located at www.zonealarm.com.

Run updates on your Anti-virus Programs and Run a Full system check. You can get a FREE version of AVG anti-virus program at www.grisoft.com.

Lather, Rinse, Repeat
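The registry step in the cleanup above (delete the “windows auto update” and “msblast.exe” listings under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) is easy to verify before and after on a batch of machines by exporting the Run keys from regedit (File > Export, “Registration Files” format) and checking the text. This is an added example, not code from the thread: it parses the .reg export format and flags Run entries that match the two indicators given in the post, plus, as a heuristic of my own, any entry whose command is a bare filename with no directory. The .reg text is constructed; the SoundMAX and MSMSGS entries are sample legitimate values.

```python
"""Audit Run-key entries in a regedit .reg export for the autostart listings
the cleanup procedure says to delete.  Added example; the .reg text below is
constructed (the non-worm entries are just sample legitimate values)."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\smax4pnp.exe"
"windows auto update"="msblast.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

_SECTION = re.compile(r'^\[(.+)\]$')
# A value line: either the default value (@) or a quoted name, then '=' and data.
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " (processed left to right)."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            # dword:/hex: values are not command lines; skipped here
    return keys


def _executable(cmd):
    """First token of a command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def audit_run_keys(text):
    """Flag Run-key entries matching the thread's indicators or lacking a full path."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            reasons = []
            if name.lower() == "windows auto update":   # value name named in the post
                reasons.append("value name used by the worm")
            if "msblast" in data.lower():                # file name named in the post
                reasons.append("command references msblast")
            if "\\" not in _executable(data):            # heuristic (assumption): real entries carry a path
                reasons.append("bare filename, no directory")
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f'{f["key"]}\n  "{f["name"]}" = {f["data"]}\n  -> {", ".join(f["reasons"])}')
```

Running it on an export taken after the registry step should return an empty list; a non-empty result means an entry survived (or came back, which in this thread is the sign that the running process was not stopped first).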

I’m now in love with ZoneAlarm.

It makes me feel like I’m in a safe, warm place. It’s also free and unconditional in its love (though it likes you to tell it your email address; shamelessly, I lied.)

:smiley:

I’ve been hit 3 times on port 135 in the last 3 minutes. I care not a jot!

Ha! Make that 4 times! Bring it on!