[Dshield] Email Question

Roger A. Grimes roger at banneretcs.com
Thu Jan 6 23:56:03 GMT 2005

Sounds like you got exploited by a Japanese-spam bot or trojan.  Treat
it like you would any other successful exploit.

Take the machine off the Internet.
Back up any data that you need, after verifying that the data is not
Format drive.
Reinstall operating system
Full patching
Reinstall IIS and other apps.
Review what allowed the exploit to be successful in the first place
Prevent the same thing from occurring.
Redeploy server.

NT and IIS 4 can be made as secure as any other web server.

If you don't have the expertise to handle this type of exploit, employ
someone who does, or be prepared to learn a lot quickly.


*Roger A. Grimes, Banneret Computer Security, Computer Security
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger at banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by
*Author of Honeypots for Windows (Apress)


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Terese Tucker
Sent: Thursday, January 06, 2005 8:51 AM
To: 'list at lists.dshield.org'
Subject: [Dshield] Email Question

Has anyone had a webserver using IIS (Windows NT) send out emails
that are in Chinese?  I can't seem to get it off the machine.  Any help
would be appreciated.  Thanks.

Terese Tucker
Information Technology Manager
Merit Brass Company
Phone 216-261-9800 ext. 281
Fax      216-261-6646

There are many ways to measure success; not the least of which is the
way your child describes you when talking to a friend.
- Unknown
