Have you rebooted the machine to remove the current infection from memory?
If not take it offline, reboot it, reinstall the hotfixes.
-chh2
----- Original Message -----
From: "Steve Polyak" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 07, 2001 11:09 AM
Subject: RE: [imail] Code Red II
> Sadly enough the changes that should have occurred by the virus did not
show
> up anywhere.
>
> Steve
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> David Stavert
> Sent: August 7, 2001 9:06 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Code Red II
>
>
> Patches will not help after the fact. The first thing you need to do is
take
> the server off line. Use the Microsoft and Eeye Websites to see what was
> done and undo the changes. The Eeye.com website shows the the file and
> registry changes that were made and you should be able to use the other
> server for registry reference and for replacement files.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Steve Polyak
> Sent: Tuesday, August 07, 2001 7:57 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Code Red II
>
>
> No, I have reinstalled the patch several times now. I have not needed to
> add any additional software to my machine other the yesterday afternoon
with
> IIS Secure.
>
> Steve
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Michael Abbott
> Sent: August 7, 2001 6:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Code Red II
>
>
> Steve,
>
> Is it possible that after you applied the demo version of IIS Secure or
some
> other change to your machine you failed to reapply the patch. I believe
> that many patches as well as service packs must be reapplied after an
> upgrade or change.
>
> Mike
>
>
> ---------- Original Message ----------------------------------
> From: "Steve Polyak" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 7 Aug 2001 06:24:36 -0600
>
> >I have been hit too with a version of Code Red and I have the patch, I
have
> >tested that I am safe using the Norton Code Red test and have also
> installed
> >the demo version of IIS Secure and I am still having my websites
shutdown.
> >I am only usually having web services stopping not the ftp services and
it
> >takes either shortly after a reboot occurs to 2 hours before the failure.
> >This only started on Friday with it getting worse during the weekend. I
> had
> >installed the Microsoft patch at the beginning of the last attack. I
have
> >even removed the .ida filter and my NT events logs are still recording
> >
> >"The server failed to close to the following client connection during
> >shutdown: URL='default.ida'"
> >
> >I am right now trying to move everything across to our secondary server
so
> I
> >can rebuild the infected one. Has anyone else come across the same
> problem?
> >
> >Steve
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Rasmus Aaen
> >Sent: August 7, 2001 6:13 AM
> >To: '[EMAIL PROTECTED]'
> >Subject: RE: [imail] Code Red II
> >
> >
> >It's the same patch... Please Read about it on http://www.eeeye.com
> >
> >>From http://www.eeye.com/html/Research/Advisories/AL20010804.html:
> >
> >[snip]
> >The fix that has been talked about for Code Red is still the same fix
> >for this new worm. INSTALL THE MICROSOFT SECURITY PATCH:
> >http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> >ity/bulletin/MS01-033.asp
> >
> >[/snip]
> >
> >/Rasmus
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >mustafa
> >Sent: 7. august 2001 14:58
> >To: [EMAIL PROTECTED]
> >Subject: Re: [imail] Code Red II
> >
> >
> >This is a new version of Code Red Worm not the old one I got this patch
> >
> >Please Read about it on http://www.eeeye.com
> >
> >Regards
> >Mustafa
> >
> >----- Original Message -----
> >From: "Archer Koch (Win & Ware)" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Tuesday, August 07, 2001 1:51 PM
> >Subject: RE: [imail] Code Red II
> >
> >
> >> Start here:
> >>
> >>
> >http://microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio
> >> ns/security/topics/codealrt.asp
> >>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> >> mustafa
> >> Sent: Tuesday, August 07, 2001 5:43 AM
> >> To: [EMAIL PROTECTED]
> >> Subject: [imail] Code Red II
> >>
> >>
> >> We were hacked by Code Red II virus please advice
> >>
> >> mustafa
> >>
> >>
> >>
> >>
> >>
> >> ______________________________________________________________________
> >> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >> To Manage your Subscription......... http://humankindsystems.com/lists
> >>
> >
> >
> >
> >
> >
> >************************************************************************
> >*************
> >The contents of this email and any attachments are confidential. It is
> >intended for the named recipient(s) only. If you have received this
> >email
> >in error please notify the system manager or the sender immediately and
> >
> >do not disclose the contents to any one or make copies.
> >************************************************************************
> >*************
> >PALTEL E-Safety System scanned this email and found NO viruses,
> >vandals or malicious content.
> >************************************************************************
> >*************
> >Should you need any information or clarifications regarding this system,
> >
> >please do not hesitate to contact our team at the Internet Project
> ><[EMAIL PROTECTED]>.
> >************************************************************************
> >*************
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
> >
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
