One of the main issues to fix this is to turn off the Indexing Service. Go
to the control panel, find the Indexing Service, stop it and disable it
from starting. This with the patch fixed the problems I have with the Code
Red worm.
Steve
"Chad Heugel" <[EMAIL PROTECTED]>@hksi.net on 08/07/2001 01:29:40 PM
Please respond to [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: Re: [imail] Code Red II
Have you rebooted the machine to remove the current infection from memory?
If not take it offline, reboot it, reinstall the hotfixes.
-chh2
----- Original Message -----
From: "Steve Polyak" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 07, 2001 11:09 AM
Subject: RE: [imail] Code Red II
> Sadly enough the changes that should have occurred by the virus did not
show
> up anywhere.
>
> Steve
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> David Stavert
> Sent: August 7, 2001 9:06 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Code Red II
>
>
> Patches will not help after the fact. The first thing you need to do is
take
> the server off line. Use the Microsoft and Eeye Websites to see what was
> done and undo the changes. The Eeye.com website shows the the file and
> registry changes that were made and you should be able to use the other
> server for registry reference and for replacement files.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Steve Polyak
> Sent: Tuesday, August 07, 2001 7:57 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Code Red II
>
>
> No, I have reinstalled the patch several times now. I have not needed to
> add any additional software to my machine other the yesterday afternoon
with
> IIS Secure.
>
> Steve
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Michael Abbott
> Sent: August 7, 2001 6:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [imail] Code Red II
>
>
> Steve,
>
> Is it possible that after you applied the demo version of IIS Secure or
some
> other change to your machine you failed to reapply the patch. I believe
> that many patches as well as service packs must be reapplied after an
> upgrade or change.
>
> Mike
>
>
> ---------- Original Message ----------------------------------
> From: "Steve Polyak" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 7 Aug 2001 06:24:36 -0600
>
> >I have been hit too with a version of Code Red and I have the patch, I
have
> >tested that I am safe using the Norton Code Red test and have also
> installed
> >the demo version of IIS Secure and I am still having my websites
shutdown.
> >I am only usually having web services stopping not the ftp services and
it
> >takes either shortly after a reboot occurs to 2 hours before the
failure.
> >This only started on Friday with it getting worse during the weekend. I
> had
> >installed the Microsoft patch at the beginning of the last attack. I
have
> >even removed the .ida filter and my NT events logs are still recording
> >
> >"The server failed to close to the following client connection during
> >shutdown: URL='default.ida'"
> >
> >I am right now trying to move everything across to our secondary server
so
> I
> >can rebuild the infected one. Has anyone else come across the same
> problem?
> >
> >Steve
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Rasmus Aaen
> >Sent: August 7, 2001 6:13 AM
> >To: '[EMAIL PROTECTED]'
> >Subject: RE: [imail] Code Red II
> >
> >
> >It's the same patch... Please Read about it on http://www.eeeye.com
> >
> >>From http://www.eeye.com/html/Research/Advisories/AL20010804.html:
> >
> >[snip]
> >The fix that has been talked about for Code Red is still the same fix
> >for this new worm. INSTALL THE MICROSOFT SECURITY PATCH:
> >http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> >ity/bulletin/MS01-033.asp
> >
> >[/snip]
> >
> >/Rasmus
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >mustafa
> >Sent: 7. august 2001 14:58
> >To: [EMAIL PROTECTED]
> >Subject: Re: [imail] Code Red II
> >
> >
> >This is a new version of Code Red Worm not the old one I got this patch
> >
> >Please Read about it on http://www.eeeye.com
> >
> >Regards
> >Mustafa
> >
> >----- Original Message -----
> >From: "Archer Koch (Win & Ware)" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Tuesday, August 07, 2001 1:51 PM
> >Subject: RE: [imail] Code Red II
> >
> >
> >> Start here:
> >>
> >>
> >http://microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio
> >> ns/security/topics/codealrt.asp
> >>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> >> mustafa
> >> Sent: Tuesday, August 07, 2001 5:43 AM
> >> To: [EMAIL PROTECTED]
> >> Subject: [imail] Code Red II
> >>
> >>
> >> We were hacked by Code Red II virus please advice
> >>
> >> mustafa
> >>
> >>
> >>
> >>
> >>
> >> ______________________________________________________________________
> >> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >> To Manage your Subscription......... http://humankindsystems.com/lists
> >>
> >
> >
> >
> >
> >
> >************************************************************************
> >*************
> >The contents of this email and any attachments are confidential. It is
> >intended for the named recipient(s) only. If you have received this
> >email
> >in error please notify the system manager or the sender immediately and
> >
> >do not disclose the contents to any one or make copies.
> >************************************************************************
> >*************
> >PALTEL E-Safety System scanned this email and found NO viruses,
> >vandals or malicious content.
> >************************************************************************
> >*************
> >Should you need any information or clarifications regarding this system,
> >
> >please do not hesitate to contact our team at the Internet Project
> ><[EMAIL PROTECTED]>.
> >************************************************************************
> >*************
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
> >
> >
> >
> >
> >______________________________________________________________________
> >The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> >Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> >Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> >To Manage your Subscription......... http://humankindsystems.com/lists
> >
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
>
>
>
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists
>
______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
