ALARM Group ALERT (ALARM: The Computing Alert System)
Alert Number: 062504-02
Alert Date: 06/25/04
Alert Title: Off-Campus IP address blocked (for IIS/IE Exploit Attack)
Summary: ITS has blocked access from the University at Albany Enterprise network to IP address 217.107.218.147. This address has been implicated in the IIS/IE Exploit attack as described in Alert 062504-01 (where it was referred to as the "Russian Website") as a potential source of trojan executables (downloadable by infected hosts).
Recommended Actions: Infection is still possible and likely. You should follow the recommended actions as described in Alert 062504-01. These recommendations are reprinted below:
Many anti-virus software providers have updated their definitions within the last 24 hours to include data relevant to this exploit. The latest Symantec definitions are believed to be effective at catching this infection (referenced as the "JS.Scob" Trojan). Update your anti-virus software definitions to the latest version IMMEDIATELY.
Please verify that your workstations and servers are up-to-date with the necessary patch(es) from Microsoft (especially those addressed by Microsoft Security Bulletin MS04-011).
IIS Server managers should check for the presence of compromises using any relevant methods listed in the resource links below.
Disabling JavaScript on IE browsers will prevent infection, but this action is left to the discretion of the system administrator, since JavaScript is linked to the appearance and functionality of many websites and web-based applications.
ITS Actions: ITS may block IP access to other IP Addresses in an attempt to block the download of the trojan horse executables. An update will be issued if this blockage is put into place.
Resources:
http://www.incidents.org/diary.php?date=2004-06-25
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
http://www.uscert.gov/current/current_activity.html#iis5 (see "IIS 5 Web Server Compromises")
http://www.f-secure.com/v-descs/scob.shtml
http://www.microsoft.com/security/incident/download_ject.mspx
NOTE: PLEASE DO NOT REPLY TO THIS ALERT. Alerts distributed by ALARM are not intended to supplant whatever security measures you are currently following. Technology coordinators, as well as the entire UAlbany computing community, should continue to take all necessary precautions against threats to system security and information integrity.