Hackers from China HELP
Message
From: 19/07/2001 17:28:37, Mark Hall, Independent Developer & Voip Specialist, Keston, Kent, United Kingdom
To: 19/07/2001 14:10:43
General information
Forum: Visual FoxPro
Category: West Wind Web Connection, Miscellaneous
Thread ID: 00532033
Message ID: 00532873
Views: 10
I have a webserver that gets a very small amount of traffic. I checked the logs today and I see about 20 instances of this worm knocking at my door (GET request for default.ida with a long parameter). Luckily I keep up with MS hotfixes. If nothing else, this will shake a few sysadmins up.



>I love the UT.
>Just happened to us here and lo and behold - i find (what will most likely be) the answer in the good ol' UT.
>Thanks for posting this Mark.
>
>>>>I have a database site using westwind and it works GREAT.
>>>>
>>>>HOWEVER, yesterday someone has "hacked" into the site and every time I try to open ANY westwind page, it gives me a page saying the site has been hacked by the Chinese.
>>>>
>>>>All requests that go through WC.dll get that same page.
>>>>
>>>>The request does show up in westwind, and the PRG has NOT been changed, but the page returned is always the same.
>>>>
>>>>Somehow the WC.dll seems to have been changed, but it is NOT a new copy of the dll so it has NOT been changed.
>>>>
>>>>It is like IIS is sending the request to both wc.dll and something else.
>>>>
>>>>HELP!!!!!!!!!!!!!!!!!!!!
>>>>
>>>>I have turned the site off, but will turn it back on if anyone wants to see what is going on.
>>>
>>>
>>>Do your server logs show any strange accesses?
>>>
>>>Check the Security event log for strange logon attempts. Check your IIS web-site logs to see what requests were made to your web server. The hackers may have used the 'unicode' bug to execute DOS commands on your server. These should show up if you search for 'CMD' in the log.
>>
>>
>>Hi,
>>
>>As others have noted, you have been hit by a new internet worm program. The link below gives you the full info, including disinfection instructions (basically to install the MS .ida bug patch and reboot).
>>
>>The 'hacked by the Chinese' message is caused by the worm hooking into w3svc.dll and returning the message in response to any GET requests received by your server.
>>
>>http://www.eeye.com/html/advisories/codered.zip
Regards
Mark

Microsoft VFP MCP
Menulib - OO Menus for VFP www.hidb.com/menulib
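The thread gives two things to look for in the IIS web-site logs: the worm's probe (a GET for default.ida with a long parameter) and requests that abuse the 'Unicode' bug to run CMD. The script below, an added example and not code from any poster or from West Wind, scans W3C extended log lines for both. The log lines are constructed for the example, the column order follows the #Fields: directive as IIS 4/5 wrote it, and the 200-character query threshold and the two overlong separator encodings (%c0%af, %c1%9c) are assumptions chosen for illustration.

```python
"""Scan IIS W3C extended log lines for the two request patterns the thread
describes: the Code Red probe (a GET for /default.ida carrying a very long
parameter) and 'Unicode' directory-traversal requests that run cmd.exe.
The log lines below are constructed for this example; they are not from
the original poster's server."""

from collections import Counter
from urllib.parse import unquote

FIELDS_DIRECTIVE = "#Fields:"

# Overlong UTF-8 encodings of '/' and '\' that IIS 4/5 decoded into path
# separators after its traversal check had already run (the 'Unicode' bug).
OVERLONG_SEPARATORS = ("%c0%af", "%c1%9c")

# Threshold (an assumption for this example) above which a /default.ida
# query string is treated as a worm probe rather than an ordinary request.
LONG_QUERY = 200

# Constructed sample log: addresses and times are made up.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2001-07-19 00:00:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 10.0.0.5 GET /wconnect/wc.dll wwDemo~Default 200",
    # Shape of the worm probe: /default.ida followed by a long run of 'N'.
    "2001-07-19 14:10:43 192.0.2.77 GET /default.ida " + "N" * 240 + "=a 200",
    "2001-07-19 14:11:02 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2001-07-19 14:12:30 10.0.0.5 GET /default.htm - 200",
    "2001-07-19 14:13:05 198.51.100.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c:\\inetpub 502",
])


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith(FIELDS_DIRECTIVE):
                fields = line[len(FIELDS_DIRECTIVE):].split()
            continue
        if fields is None:
            raise ValueError("request line appears before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return the tags that apply to one log entry (empty list if nothing suspicious)."""
    tags = []
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' for an empty field
        query = ""
    raw_stem = stem.lower()
    decoded_stem = unquote(stem, errors="replace").lower()

    # Worm probe: GET for an .ida resource with an oversized query string.
    if (entry.get("cs-method") == "GET"
            and raw_stem.endswith(".ida")
            and len(query) >= LONG_QUERY):
        tags.append("code_red_probe")
    # Unicode traversal: an overlong separator encoding in the raw path.
    if any(seq in raw_stem for seq in OVERLONG_SEPARATORS):
        tags.append("unicode_traversal")
    # The thread's advice: search the log for CMD. Check the decoded path so
    # ordinary percent-encoding cannot hide it.
    if "cmd.exe" in decoded_stem:
        tags.append("cmd_execution")
    return tags


def scan(text):
    """Return the suspicious entries from an IIS log, each with its tags."""
    findings = []
    for entry in parse_iis_log(text):
        tags = classify(entry)
        if not tags:
            continue
        request = entry["cs-uri-stem"]
        if entry["cs-uri-query"] != "-":
            request += "?" + entry["cs-uri-query"]
        findings.append({
            "time": entry["date"] + " " + entry["time"],
            "c-ip": entry["c-ip"],
            "request": request,
            "tags": tags,
        })
    return findings


def count_by_ip(findings):
    """Count suspicious requests per source address."""
    return Counter(f["c-ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit["time"], hit["c-ip"], ", ".join(hit["tags"]), hit["request"][:60])
    for ip, n in count_by_ip(hits).most_common():
        print(f"{ip}: {n} suspicious request(s)")
```

Run it against a real log by passing the file contents to scan(). The overlong-encoding check is done on the raw path on purpose: a decoder that normalises %c0%af to '/' would erase the very thing that distinguishes the traversal attempt from a normal request, so decode only for the cmd.exe match.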