[40505] in North American Network Operators' Group
RE: Code Red 2 cleanup; reporting..
daemon@ATHENA.MIT.EDU (Tim Devries)
Fri Aug 10 11:26:32 2001
Message-ID: <05924A4A9DEDAD46A21EE3C8C64B090D2EDF05@cheetah.zoo.q9networks.com>
From: Tim Devries <Tim.Devries@Q9.com>
To: 'Roeland Meyer' <rmeyer@mhsc.com>, "'up@3.am'" <up@3.am>,
nanog@merit.edu
Date: Fri, 10 Aug 2001 11:23:11 -0400
-----Original Message-----
From: Roeland Meyer [mailto:rmeyer@mhsc.com]
Sent: Friday, August 10, 2001 11:22 AM
To: 'up@3.am'; nanog@merit.edu
Subject: RE: Code Red 2 cleanup; reporting..
> From: up@3.am [mailto:up@3.am]
> Sent: Friday, August 10, 2001 8:09 AM
>
> On Fri, 10 Aug 2001, Roeland Meyer wrote:
>
> > Win2K boxen are ALWAYS running IIS. It doesn't matter whether you have Pro
> > or Server. ALL Win2K systems need to run the patch. MSFT chose to integrate
> > much of the IIS stuff into DLLs with other system critical stuff. As a
> > result, IIS can't be completely removed without killing off other critical
> > functions. Yes, what they proved in court is even more true with Win2K than
> > with Win98 (Duh! MSFT didn't lie, but they didn't tell the whole truth
> > either). WinXP is even more in that direction, from all reports.
>
> I admit to knowing very little about Win2k, but on the only box I've
> installed Win2k on, it doesn't *appear* to be running:
>
> Port    State     Protocol  Service
> 135     open      tcp       loc-srv
> 139     filtered  tcp       netbios-ssn
> 445     open      tcp       microsoft-ds
> 1025    open      tcp       list
>
> ...unless it runs on one of those 3 other open ports? This was Win2k
> Client, not server, BTW...perhaps you mean every Win2k Server?
Win2k Professional can run IIS. Go to Add/Remove Programs --> Add/Remove
Windows Components --> IIS.
You probably did not select the component on the install.
So I guess that means that not every w2k box is vulnerable.
Tim