You are trying to detect a worm by using a virus disguised as a tool
(anything by Symantec).

The eEye scan is likely reliable. The Symantec program should be very
carefully and very thoroughly removed (i.e. disinfected) from your
system.

No - I am not a Symantec fan.

-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 7:59 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me


Update on my possible code red -
 
 
I am getting the same results on a different win2k Server.  One time a
scan by the Symantec tools says the worm is in memory then sometimes it
is not - I just rebooted it and have left its network cable unplugged -
see if that scan comes back positive again - if so I know it is the
scanner and not the server.
 
FYI - eEye's scan always shows it clear.


Jim Zangara, MCSE+I 
Special Projects Engineer 
Premiere Radio Networks 
A Division of Clear Channel Communications 
15260 Ventura Blvd Suite 500 
Sherman Oaks, CA 91403 
Direct: (818) 461-8620 
mailto:[EMAIL PROTECTED] 


If it pours before seven, it has rained by eleven. 
-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, August 18, 2001 3:48 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me


That is what I am talking about.  I have to restore the data from last
night - no choice.
 
So eEye's scanner shows your system as infected?  Hmmmm maybe mine really
isn't then because I do not get that - only shows patched.
 
Did you get the Hacked By Chinese page or does your server have the file
root.exe?
 
I am assuming as long as these two files are not reloaded your data is
ok - the backdoors it places are system back doors.
 
Of course all applications will have to be reinstalled.


Jim Zangara, MCSE+I 
Special Projects Engineer 
Premiere Radio Networks 
A Division of Clear Channel Communications 
15260 Ventura Blvd Suite 500 
Sherman Oaks, CA 91403 
Direct: (818) 461-8620 
mailto:[EMAIL PROTECTED] 


My house is made out of balsa wood, so when I want to scare the
neighborhood kids I lift it over my head and tell them to get out of my
yard or I'll throw it at them. -- Steven Wright 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 3:43 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me


When you guys say backups, you do mean *system* backups that aren't
safe, right? I mean, both my email and sql servers were hit with this
(according to eEye's scanner, which show them both as infected after
application of the MS patch and reboot). I assume I can still load back
my actual *data* (email, database, user files) without restoring any
actual system files, and be safe, right?
 
My hope is obviously that I won't need to reinstall these servers, but
it doesn't look good. 
 
Evan
 
-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 6:38 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me
 
I have backups - but since I do not know when - or at this point even IF
I am infected I am loath to trust them.
 
thanks for the help folks.
 
 
Jim Zangara, MCSE+I 
Special Projects Engineer 
Premiere Radio Networks 
A Division of Clear Channel Communications 
15260 Ventura Blvd Suite 500 
Sherman Oaks, CA 91403 
Direct: (818) 461-8620 
mailto:[EMAIL PROTECTED] 
 
Everywhere is walking distance if you have the time. -- Steven Wright 
-----Original Message-----
From: Joe Casale [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, August 18, 2001 3:01 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me
I have never seen, nor know of a way to inject code into the SAM without
leaving it useless.
I think you are very safe to do this, where is your pre infection
backup?
He he...
Like one of our other buddies said (K Miller) "...You've been
hacked...Only safe thing is to format, and reinstall..."
Adding back post infection data is not safe, unless you can be 100%
sure.
I think you are but I am not 100% sure either!
jlc
 
-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, August 18, 2001 1:59 PM
To: NT System Admin Issues
Subject: Code Red Got me
 
I know I patched this server but I am not taking any more chances. 
Hello Folks - 
It appears one of my servers got the backdoor worm - I can scan it
sometimes and it shows clean and other times a memory scan shows an
infection.  There is no root.exe file anywhere on the server so I am not
totally convinced but I prefer not to take chances.
I have disabled the www service for now and am backing up my data.  I am
wondering if there is a way to recover my SAM database without running a
risk of re-infection?  I can recreate it but it would add hours to this
and I would prefer not to.  Since I do not know when the infection took
place I am not sure of a reliable pre-infection backup so I am not even
going to attempt that route.  
Would an ERD made today have the SAM?  Should I trust it if it does? 
The server is a PIII with 2 gigs of ram Win2k SP2 Sql 7 IIS 5 - web
server - no standalone - no domain. 
 
TIA 
Jim 
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm