Patches will not help after the fact. The first thing you need to do is take
the server offline. Use the Microsoft and eEye websites to see what was
done and undo the changes. The eEye.com website shows the file and
registry changes that were made, and you should be able to use the other
server for registry reference and for replacement files.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steve Polyak
Sent: Tuesday, August 07, 2001 7:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [imail] Code Red II
No, I have reinstalled the patch several times now. I have not needed to
add any additional software to my machine other than yesterday afternoon with
IIS Secure.
Steve
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Michael Abbott
Sent: August 7, 2001 6:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [imail] Code Red II
Steve,
Is it possible that after you applied the demo version of IIS Secure or some
other change to your machine you failed to reapply the patch? I believe
that many patches as well as service packs must be reapplied after an
upgrade or change.
Mike
---------- Original Message ----------------------------------
From: "Steve Polyak" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 7 Aug 2001 06:24:36 -0600
>I have been hit too with a version of Code Red and I have the patch, I have
>tested that I am safe using the Norton Code Red test and have also installed
>the demo version of IIS Secure and I am still having my websites shutdown.
>I am only usually having web services stopping not the ftp services and it
>takes either shortly after a reboot occurs to 2 hours before the failure.
>This only started on Friday with it getting worse during the weekend. I had
>installed the Microsoft patch at the beginning of the last attack. I have
>even removed the .ida filter and my NT events logs are still recording
>
>"The server failed to close to the following client connection during
>shutdown: URL='default.ida'"
>
>I am right now trying to move everything across to our secondary server so I
>can rebuild the infected one. Has anyone else come across the same problem?
>
>Steve
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Rasmus Aaen
>Sent: August 7, 2001 6:13 AM
>To: '[EMAIL PROTECTED]'
>Subject: RE: [imail] Code Red II
>
>
>It's the same patch... Please Read about it on http://www.eeeye.com
>
>From http://www.eeye.com/html/Research/Advisories/AL20010804.html:
>
>[snip]
>The fix that has been talked about for Code Red is still the same fix
>for this new worm. INSTALL THE MICROSOFT SECURITY PATCH:
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
>
>[/snip]
>
>/Rasmus
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>mustafa
>Sent: 7. august 2001 14:58
>To: [EMAIL PROTECTED]
>Subject: Re: [imail] Code Red II
>
>
>This is a new version of Code Red Worm not the old one I got this patch
>
>Please Read about it on http://www.eeeye.com
>
>Regards
>Mustafa
>
>----- Original Message -----
>From: "Archer Koch (Win & Ware)" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, August 07, 2001 1:51 PM
>Subject: RE: [imail] Code Red II
>
>
>> Start here:
>>
>>
>> http://microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>> mustafa
>> Sent: Tuesday, August 07, 2001 5:43 AM
>> To: [EMAIL PROTECTED]
>> Subject: [imail] Code Red II
>>
>>
>> We were hacked by Code Red II virus, please advise
>>
>> mustafa
>>
>>
>>
>>
>>
>> ______________________________________________________________________
>> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
>> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
>> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
>> To Manage your Subscription......... http://humankindsystems.com/lists
>>