Message-ID: <1458789.1075863433415.JavaMail.evans@thyme>
Date: Tue, 31 Jul 2001 11:51:32 -0700 (PDT)
From: j.kaminski@enron.com
To: vkaminski@aol.com
Subject: FW: SECURITY AND BUG NEWS ALERT: Users offer tips on foiling Code
 Red
Cc: vincek@cs.stanford.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Bcc: vincek@cs.stanford.edu
X-From: Kaminski, Vince J </O=ENRON/OU=NA/CN=RECIPIENTS/CN=VKAMINS>
X-To: 'vkaminski@aol.com'
X-cc: 'vincek@cs.stanford.edu'
X-bcc: 
X-Folder: \VKAMINS (Non-Privileged)\Kaminski, Vince J\Sent Items
X-Origin: Kaminski-V
X-FileName: VKAMINS (Non-Privileged).pst



 -----Original Message-----
From: 	NW Security and Bug Patch Alert <Security-BugPatch@bdcimail.com>@ENRON [mailto:IMCEANOTES-NW+20Security+20and+20Bug+20Patch+20Alert+20+3CSecurity-BugPatch+40bdcimail+2Ecom+3E+40ENRON@ENRON.com] 
Sent:	Tuesday, July 31, 2001 11:50 AM
To:	vkamins@enron.com
Subject:	SECURITY AND BUG NEWS ALERT: Users offer tips on foiling Code Red

Users offer tips on foiling Code Red
07/31/01

Dear Wincenty Kaminski,

_______________________________________________________________
Product & Solutions Directory
The "yellow-pages" for network products and solutions,
LinkSmart http://nww1.com/go/ad114.html lets you quickly
find what you need in network specific categories such as
"LAN Test Equipment", "Security", "Network Storage" and
more.

_______________________________________________________________
SECURITY AND BUG NEWS ALERT:
Users offer tips on foiling Code Red

By Jason Meserve

Code Red, the nasty virus that spread to some 250,000 host
machines a couple of weeks ago, could begin another assault
around 8 p.m. EST today, according to an alert from the FBI and
the Computer Emergency Response Team (CERT) Coordination Center
(see http://www.nwfusion.com/news/2001/0730codered.html). And
systems administrators are taking no chances.

For those that do find the virus, which affects Windows NT and
2000 servers running Microsoft Internet Information Server
(IIS), the easiest way to get rid of the problem is to reboot
the infected machine. Because Code Red resides only in memory,
it will be purged when the system shuts down. Once the system
is rebooted, users should install a patch from Microsoft that
fixes the vulnerability Code Red exploits. The proper patches
can be downloaded from:

Windows NT Version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Directions for installing the patch and other information on
the virus is also available from Microsoft at:
http://www.microsoft.com/technet/treeview/default.asp?url=/tech
net/security/bulletin/MS01-033.asp

Anyone running IIS should install the patch listed above.

Bud Nelson, a reader of Network World's Security and Bug Patch
Alert newsletter (http://www.nwfusion.com/newsletters/bug), says
he found the virus on one of his extranet servers and followed
the steps above to rid and protect his machine from future attack.
But he adds, "I am thinking about removing the network cable
tonight."

Greg Missman, owner of SecureTips.com, provides the following
tip to make sure the patch from Microsoft is properly
installed:

Look in your event log for an entry like this one (this is an
NT IIS5 Enhanced log):

2001-07-20 21:22:03 216.68.15.61 - 120.195.68.58 80 GET
/default.idaNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucb
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
190

(Note: The line will be continuous in the log file.)

This means your IIS server logged a request for default.ida
with the underrun data. If you look right after the data ends
you will see a space and 2 sets of numbers.  "200" is the code
for "OK" and "190" is the size in bytes sent to the remote
host.

A "200" response on this request is very bad and means you
either have not applied the patch or applied it wrong. Reapply
it, then cut and paste the information from the log (everything
after GET) into your own browser pointing it to your own site.
You should get a "414" code after the request in your log
stating that it errored and your server blocked it.

All the hype about Code Red could turn out to be just that -
hype. But the steps for protection are relatively easy, and as
the saying goes, "Better safe than sorry."

_______________________________________________________________
SUBSCRIPTION SERVICES

To subscribe or unsubscribe to any Network World e-mail
newsletters, go to:
http://www.nwwsubscribe.com/news/scripts/notprinteditnews.asp

To unsubscribe from promotional e-mail go to:
http://www.nwwsubscribe.com/ep

To change your e-mail address, go to:
http://www.nwwsubscribe.com/news/scripts/changeemail.asp

Subscription questions? Contact Customer Service by replying to
this message.

Have editorial comments? Write Jeff Caruso, Newsletter Editor,
at: mailto:jcaruso@nww.com

For advertising information, write Jamie Kalbach, Fusion Sales
Manager, at: mailto:jkalbach@nww.com

Copyright Network World, Inc., 2001

------------------------
This message was sent to:  vkamins@enron.com