When you guys say backups, you do mean *system* backups that aren't safe, right? I mean, both my email and SQL servers were hit with this (according to eEye's scanner, which shows them both as infected after application of the MS patch and reboot). I assume I can still load back my actual *data* (email, database, user files) without restoring any actual system files, and be safe, right?

My hope is obviously that I won't need to reinstall these servers, but it doesn't look good.

Evan

-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 6:38 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

I have backups - but since I do not know when - or at this point even IF - I am infected, I am loath to trust them.

Thanks for the help, folks.

Jim Zangara, MCSE+I
Special Projects Engineer
Premiere Radio Networks
A Division of Clear Channel Communications
15260 Ventura Blvd Suite 500
Sherman Oaks, CA 91403
Direct: (818) 461-8620
mailto:[EMAIL PROTECTED]

Everywhere is walking distance if you have the time. -- Steven Wright

-----Original Message-----
From: Joe Casale [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 3:01 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

I have never seen, nor know of, a way to inject code into the SAM without leaving it useless.

I think you are very safe to do this; where is your pre-infection backup?

He he...

Like one of our other buddies said (K Miller) "...You've been hacked...Only safe thing is to format, and reinstall..."

Adding back post-infection data is not safe, unless you can be 100% sure.

I think you are but I am not 100% sure either!

jlc

-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 1:59 PM
To: NT System Admin Issues
Subject: Code Red Got me

I know I patched this server but I am not taking any more chances.

Hello Folks -

It appears one of my servers got the backdoor worm - I can scan it sometimes and it shows clean, and other times a memory scan shows an infection. There is no root.exe file anywhere on the server, so I am not totally convinced, but I prefer not to take chances.

I have disabled the WWW service for now and am backing up my data. I am wondering if there is a way to recover my SAM database without running a risk of re-infection? I can recreate it, but it would add hours to this and I would prefer not to. Since I do not know when the infection took place, I am not sure of a reliable pre-infection backup, so I am not even going to attempt that route.

Would an ERD made today have the SAM?  Should I trust it if it does?

The server is a PIII with 2 gigs of RAM, Win2k SP2, SQL 7, IIS 5 - web server - no standalone - no domain.

TIA

Jim

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
