[Dshield] Short story/Code Red question

Jonathan G. Lampe jonathan at stdnet.com
Wed Aug 8 21:28:03 GMT 2001


>Now the question. I called the user to advise he was infected. He had a
>vanilla W2k machine and didn't bother to patch it since he didn't think IIS
>was on. I've read it's on by default. But, not the whole IIS package, I
>can't believe that.... Haven't tried it myself.... What's the real answer?

On m$ w2k SERVER or ADVANCEDSERVER IIS is indeed installed by 
default.  (You need to UNCHECK a box during the install to not install 
IIS.)  The good news is that IIS does not seem to install by default on w2k 
WORKSTATION, er.. PROFESSIONAL.  (Anyone know about m$ Personal Web Server 
or whatever the limited variant of IIS is?)

When you install IIS you generally get an admin and a sample area by 
default, but these are (I think) restricted to 127.0.0.1 access out of the 
box.  (Finally?!)  Unfortunately however the wwwroot area is public and 
available to the whole world, and if you can get to that...well you know 
the rest.

BTW, ALL shipping extensions (including .ida and .idq) are turned on by 
default - that's the other half of the reason that Code Red is as 
successful as it is.  If you look back on the posts, you'll even see a 
cautionary tale from a reader who decided to plug his IIS box into the 
network before config'ing.  (Less than five minutes after plugging in his 
brand new machine was attacking other boxes.)

- Jonathan Lampe - Standard Networks, Inc. - 608.227.6100 - 
jonathan at stdnet.com -



- Jonathan G. Lampe
- Product Manager, Standard Networks, Inc.
- 608.227.6100 (jonathan at stdnet.com)




More information about the list mailing list