Title: RE: Code Red Got me

Did the eEye one when I patched it - showed not vulnerable then and does now - but what about this back door?  Does this check for the back door that Code Red II might have left?  The Symantec tool always says the server is not vulnerable and no trojans were present, but the memory scan can come up with it present in memory almost 50% of the time - even immediately after a reboot.

Man this sucks - If I ever get my hands on these code red A-Holes....

Jim Zangara, MCSE+I
Special Projects Engineer
Premiere Radio Networks
A Division of Clear Channel Communications
15260 Ventura Blvd Suite 500
Sherman Oaks, CA 91403
Direct: (818) 461-8620
mailto:[EMAIL PROTECTED]




-----Original Message-----
From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 1:55 PM
To: NT System Admin Issues
Subject: Re: Code Red Got me


From the people who discovered Code Red: http://www.eeye.com/html/Research/Tools/codered.html

qfecheck will tell you if your W2K patches are installed correctly:

http://support.microsoft.com/support/kb/articles/q282/7/84.asp?LN=EN-US&SD=gn&FR=0&qry=qfecheck&rnk=19&src="DHCS_MSPSS_gn_SRCH&SPR=MSALL"

~Seth

Zangara, Jim writes:

> Actually yes - that is what is giving me the positives.  
>
> But the server is kinda funky anyway so a reinstall does not worry me
> too much.  I have been working with PSS for a couple of weeks on a
> security problem with it as it is - I can't assign permissions
> graphically - only by using cacls.
>
> Is there any other tool that I can test - any way to know for sure?
>
> An in place upgrade will most likely fix my PSS/Security problem but
> if I am infected it would not help that.
>
> I just want to be sure!!!
>
> Jim Zangara, MCSE+I
> Special Projects Engineer
> Premiere Radio Networks
> A Division of Clear Channel Communications
> 15260 Ventura Blvd Suite 500
> Sherman Oaks, CA 91403
> Direct: (818) 461-8620
> mailto:[EMAIL PROTECTED] 
>
> -----Original Message-----
> From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 18, 2001 1:39 PM
> To: NT System Admin Issues
> Subject: Re: Code Red Got me
>
>
> You're not using Norton's FixCRed.exe, are you? Because if you are,
> the tool DOES NOT give accurate results.
>
> It told me that a server with IIS NOT EVEN INSTALLED was infected (in
> memory). What a crappy tool. 
>
> ~Seth
>
>
> Zangara, Jim writes:
>
>> I know I patched this server but I am not taking any more chances.
>>
>> Hello Folks -
>>
>> It appears one of my servers got the backdoor worm - I can scan it
>> sometimes and it shows clean and other times a memory scan shows an
>> infection.  There is no root.exe file anywhere on the server so I am
>> not totally convinced but I prefer not to take chances.
>>
>> I have disabled the www service for now and am backing up my data.  I
>> am wondering if there is a way to recover my SAM database without
>> running a risk of re-infection?  I can recreate it but it would add
>> hours to this and I would prefer not to.  Since I do not know when the
>> infection took place I am not sure of a reliable pre-infection backup
>> so I am not even going to attempt that route.
>>
>> Would an ERD made today have the SAM?  Should I trust it if it does?
>>
>> The server is a PIII with 2 gigs of RAM, Win2k SP2, SQL 7, IIS 5 - web
>> server - no standalone - no domain.
>>
>>
>> TIA
>>
>> Jim
>>
>>
>> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>>