From the people who discovered Code Red:
http://www.eeye.com/html/Research/Tools/codered.html 

qfecheck will tell you if your W2K patches are installed correctly: 

http://support.microsoft.com/support/kb/articles/q282/7/84.asp?LN=EN-US&SD=gn&FR=0&qry=qfecheck&rnk=19&src=DHCS_MSPSS_gn_SRCH&SPR=MSALL 

~Seth 

Zangara, Jim writes: 

> Actually yes - that is what is giving me the positives.   
> 
> But the server is kinda funky anyway so a reinstall does not worry me too
> much.  I have been working with PSS for a couple of weeks on a security
> problem with it as it is - I can't assign permissions graphically - only by
> using cacls.
> 
> Is there any other tool that I can test - any way to know for sure?  
> 
> An in place upgrade will most likely fix my PSS/Security problem but if I am
> infected it would not help that.  
> 
> I just want to be sure!!! 
> 
> Jim Zangara, MCSE+I 
> Special Projects Engineer 
> Premiere Radio Networks 
> A Division of Clear Channel Communications 
> 15260 Ventura Blvd Suite 500 
> Sherman Oaks, CA 91403 
> Direct: (818) 461-8620 
> mailto:[EMAIL PROTECTED]  
> 
>  
> 
> 
> -----Original Message-----
> From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]] 
> Sent: Saturday, August 18, 2001 1:39 PM
> To: NT System Admin Issues
> Subject: Re: Code Red Got me 
> 
> 
> You're not using the Norton's FixCRed.exe, are you? Because if you are, the 
> tool DOES NOT give accurate results. 
> 
> It told me that a server with IIS NOT EVEN INSTALLED was infected (in 
> memory). What a crappy tool.  
> 
> ~Seth  
> 
> 
> Zangara, Jim writes:  
> 
>> I know I patched this server but I am not taking any more chances. 
>> 
>> Hello Folks - 
>> 
>> It appears one of my servers got the backdoor worm - I can scan it 
>> sometimes and it shows clean and other times a memory scan shows an 
>> infection.  There is no root.exe file anywhere on the server so I am 
>> not totally convinced but I prefer not to take chances. 
>> 
>> I have disabled the www service for now and am backing up my data.  I 
>> am wondering if there is a way to recover my SAM database without 
>> running a risk of re-infection?  I can recreate it but it would add 
>> hours to this and I would prefer not to.  Since I do not know when the 
>> infection took place I am not sure of a reliable pre-infection backup so I
>> am not even going to attempt that route.
>> 
>> Would an ERD made today have the SAM?  Should I trust it if it does? 
>> 
>> The server is a P111 with 2 gigs of ram Win2k SP2 Sql 7 IIS 5 - web 
>> server - no standalone - no domain. 
>> 
>> 
>> TIA 
>> 
>> Jim 
>> 
>> 
>> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 