[Dshield] Re: Dshield digest, Vol 1 #193 - 14 msgs

Josh Josh at raintreeinc.com
Thu Aug 9 15:48:36 GMT 2001

Date: Wed, 08 Aug 2001 16:28:03 -0500
To: dshield at dshield.org
From: "Jonathan G. Lampe" <jonathan at stdnet.com>
Subject: Re: [Dshield] Short story/Code Red question
Reply-To: dshield at dshield.org

>Now the question. I called the user to advise he was infected. He had a
>vanilla W2k machine and didn't bother to patch it since he didn't think IIS
>was on. I've read it's on by default. But, not the whole IIS package, I
>can't believe that.... Haven't tried it myself.... What's the real answer?

None of my installations of W2k Pro had IIS installed unless I specifically
installed it after the original installation of the OS, but it's been a
while since I did an install, and I have the time-consuming but beneficial
habit of doing custom installations of everything I install whenever I get
the chance -- perhaps I just don't like labelling myself as either Typical
or Recommended for Most Users :-) -- so I might have just turned it off.
Anyway, if memory serves, IIS does not install by default with w2k pro.

Josh Tolley

>On m$ w2k SERVER or ADVANCED SERVER IIS is indeed installed by
>default.  (You need to UNCHECK a box during the install to not install
>IIS.)  The good news is that IIS does not seem to install by default on w2k
>WORKSTATION, er.. PROFESSIONAL.  (Anyone know about m$ Personal Web Server
>or whatever the limited variant of IIS is?)
>When you install IIS you generally get an admin and a sample area by
>default, but these are (I think) restricted to access out of the
>box.  (Finally?!)  Unfortunately however the wwwroot area is public and
>available to the whole world, and if you can get to that...well you know
>the rest.
>BTW, ALL shipping extensions (including .ida and .idq) are turned on by
>default - that's the other half of the reason that Code Red is as
>successful as it is.  If you look back on the posts, you'll even see a
>cautionary tale from a reader who decided to plug his IIS box into the
>network before config'ing.  (Less than five minutes after plugging in his
>brand new machine was attacking other boxes.)
>- Jonathan Lampe - Standard Networks, Inc. - 608.227.6100 -
>jonathan at stdnet.com -
