
Re: [cobalt-security] Hacking my Raq4i???
From: "Carrie Bartkowiak" <ravencarrie@xxxxxxxx>
> There once was a *nix worm that came into your machine, looked around
> to see if you were infected with another worm - and if you were, it
> inoculated you and then went on its merry little way.

The cheese worm, which plugged the bind hole. You can find a full profile
regarding it on www.securityfocus.com.

> Anyone here have that type of knowledge? Let's see, the counter-worm
> could force the box to connect to the M$ site, download and install
> the patch. I don't know how to write a worm, but I do know that many
> worms exist that auto-download/install stuff.
> It probably could be done... (wish I had the knowledge)

Many thorny problems with this one. I've read about it on other lists. What
if your worm mistakenly causes the server to crash (as Code Red did to many
servers)? What about the Cisco router DoS issues, and proxy server problems
that Code Red caused? Your worm could cause all sorts of fallout. Not to
mention, it would still be illegal.

If someone did do it, they would not be able to install the patch without
rebooting the server. They could unmap the .ida ISAPI extension that is the
cause of the overflow, however, without rebooting. Another caveat would be
that Windows NT4 systems and Windows 2000 systems require different offsets
for the buffer overflow to work correctly. An incorrect buffer overflow
offset would likely crash the IIS services, or even the server. So, your
worm would have to somehow distinguish between NT4 and 2000 systems.

Kevin
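As an added example (not code from this thread or from any list member), here is a defender-side check that follows from Kevin's point about the .ida ISAPI extension: scan IIS W3C extended logs for oversized requests to .ida/.idq handlers, which is how an administrator can see whether that mapping is still being hit after patching or unmapping it. The log lines and the 200-character query threshold are constructed assumptions, not captured data.

```python
"""Flag oversized requests to the .ida/.idq ISAPI extension in IIS W3C logs.

Added example, not from the mailing-list thread. The sample log is
constructed; the query-length threshold is an assumption.
"""

# Assumption: .ida/.idq queries longer than this deserve a look.
ALERT_QUERY_LEN = 200

# Constructed sample in IIS W3C extended format. The #Fields header
# declares the column order, and the parser honours it.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-07-19 10:01:02 192.0.2.10 GET /default.htm - 200\n"
    "2001-07-19 10:01:05 192.0.2.20 GET /default.ida " + "A" * 300 + " 200\n"
    "2001-07-19 10:01:09 192.0.2.30 GET /query.idq CiRestriction=test 200\n"
)


def parse_w3c(lines):
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for what follows
            continue
        if not line or line.startswith("#"):
            continue                           # blank line or other directive
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def flag_ida_requests(log_text, max_query_len=ALERT_QUERY_LEN):
    """Return one hit per request to an .ida/.idq stem with a long query."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if stem.endswith((".ida", ".idq")) and query != "-" \
                and len(query) > max_query_len:
            hits.append({"c-ip": rec["c-ip"], "stem": stem,
                         "query_len": len(query)})
    return hits


if __name__ == "__main__":
    for hit in flag_ida_requests(SAMPLE_LOG):
        print(hit)
```

A hit after the .ida mapping has supposedly been removed means the mapping is still live, so the check doubles as verification of the no-reboot mitigation Kevin describes.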