It's something new attacking something old. It looks to me like it's trying a few of the old IIS vulnerabilities: directory traversal, and the Code Red II/sadmind backdoors. Some people are saying it's affecting fully patched machines, but I don't think that's true. My IIS 5 machines are getting hammered, but not one has been infected (although, if the backdoors were still around, you could still use the root.exe exploit on a fully patched machine, I think).
MS really needs to try to get a better tool out there for detecting and installing patches. Lots of people just don't know the right way to install multiple patches. My suggestion:
1. Run hfnetchk to see what you're missing.
2. Expand each hotfix to a directory with -x option.
3. Install each hotfix (in order) with hotfix.exe -q -m -n -z
4. Run qchain.exe.
5. Reboot.
6. Run qfecheck to make sure they're all valid.
7. Watch the compromise attempts bounce off your fully patched server.
8. Repeat next week when someone finds the next gaping security hole in IIS.
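A batch file that automates steps 3 through 6 of the list above, added here as an example rather than anything from the original post; it assumes the hotfixes have already been expanded into numbered folders under C:\hotfixes (a hypothetical layout) and that qchain.exe sits in that same folder.

```batch
@echo off
rem Added example, not from the original post: install several already-expanded
rem Windows 2000 hotfixes in one pass with the switches the post lists, then run
rem qchain.exe so that a single reboot finishes the job.
rem Assumptions: each hotfix was expanded (package -x) into its own folder under
rem C:\hotfixes, e.g. C:\hotfixes\01_Q123456\hotfix.exe, folder names sort in the
rem intended install order, and qchain.exe (a separate Microsoft download) is in
rem C:\hotfixes as well.
setlocal enabledelayedexpansion
set HFROOT=C:\hotfixes
set LOG=%HFROOT%\install.log
set FAILED=0

if not exist "%HFROOT%\qchain.exe" (
    echo qchain.exe not found in %HFROOT%; aborting before any install.
    exit /b 1
)

>"%LOG%" echo Chained hotfix install started %date% %time%

rem dir /b /a:d /o:n lists only sub-folders, sorted by name, so 01_..., 02_...
rem are installed in the order the folder names dictate.
for /f "delims=" %%d in ('dir /b /a:d /o:n "%HFROOT%"') do (
    if exist "%HFROOT%\%%d\hotfix.exe" (
        >>"%LOG%" echo Installing %%d
        rem -q quiet, -m unattended, -n no uninstall folder, -z suppress reboot
        "%HFROOT%\%%d\hotfix.exe" -q -m -n -z
        if !errorlevel! neq 0 (
            >>"%LOG%" echo   FAILED: hotfix.exe returned !errorlevel!
            set /a FAILED+=1
        ) else (
            >>"%LOG%" echo   OK
        )
    )
)

rem qchain.exe reconciles files that more than one hotfix queued for replacement
rem at reboot, so the newest file version wins instead of the last one installed.
"%HFROOT%\qchain.exe"

if !FAILED! neq 0 (
    echo !FAILED! hotfix^(es^) failed; check %LOG% before rebooting.
    exit /b 1
)
echo All hotfixes staged. Reboot now, then run qfecheck to verify each fix.
endlocal
```

Step 1 (hfnetchk) still runs by hand first, since its output decides which hotfix folders to create.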