That one raised an eyebrow with me as well.

Your statement about not being “…comfortable with IIS…” struck me as odd.

Part of our job as sysadmins in my opinion is not being pros on certain things (…getting ready for flame, he he…) but being intuitive, self-learning, and just being able to plain do anything given the hard work @ researching it. Every piece of software has its flaws. A base install of anything on the net is potentially unsafe. Subscribe to the M$ alert, follow sec lists, take a proactive role into learning everything you administer. Part of our job involves you to be constantly learning; I follow the lists and M$’s site religiously. How would I face my customers who pay me to maintain their stuff with an excuse like oh, I forgot to apply a 2 month old patch (Code Red), or whoops, I didn’t know! I administer stuff everyday I don’t have a clue about, since I’ve never seen it before! I learn it damn fast! Kev’s point about formatting the server is good, you should research the infection you got and find out the ramifications of you being infected. I don’t know your environment, but if a malicious attacker had full control of your system, could that present any trouble to you? It’s hard enough to know what’s happening to a system that is potentially at risk by being on the net, you got lucky. You know that there was a breach, are you ok not doing anything about it?

jlc

 

-----Original Message-----
From: Kevin Miller [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 19, 2001 1:02 AM
To: NT System Admin Issues
Subject: RE: Code Red Got me

 

you are not comfortable with IIS, but you did not reformat your server after the infection?? what am I missing in this picture?

Kevinm WLKMMAS*TM, QWSZC, VRY+Y, NFH, SAD-VF, DERSDESDFG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More letters after my name makes me Smarter.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

please respond back to rent this ad space for your needs

-----Original Message-----
From: Fausto E. Miranda [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 9:04 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

Have you tried to use the coderedcleanup tool from Microsoft? I have used it successfully, but because of the goof ups I have uninstalled IIS and am now using iPlanet free version until I feel comfortable with IIS again.

-----Original Message-----
From: Niels Christiansen [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 10:14 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

You have already heard from a couple of people that the Symantec tool is unreliable. Why do you keep punishing yourself like this?

 

/\/iels

-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 7:59 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

Update on my possible code red -

I am getting the same results on a different Win2k Server.  One time a scan by the Symantec tools says the worm is in memory, then sometimes it is not - I just rebooted it and have left its network cable unplugged - see if that scan comes back positive again - if so I know it is the scanner and not the server.

 

FYI - eEye's scan always shows it clear.

Jim Zangara, MCSE+I
Special Projects Engineer
Premiere Radio Networks
A Division of Clear Channel Communications
15260 Ventura Blvd Suite 500
Sherman Oaks, CA 91403
Direct: (818) 461-8620
mailto:[EMAIL PROTECTED]

 

If it pours before seven, it has rained by eleven.

-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 3:48 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

That is what I am talking about.  I have to restore the data from last night - no choice.

 

So eEye's scanner shows your system as infected?  Hmmmm, maybe mine really isn't then, because I do not get that - it only shows patched.

 

Did you get the Hacked By Chinese page or does your server have the file root.exe?

 

I am assuming as long as these two files are not reloaded your data is ok - the backdoors it places are system back doors.

 

Of course all applications will have to be reinstalled.

Jim Zangara, MCSE+I
Special Projects Engineer
Premiere Radio Networks
A Division of Clear Channel Communications
15260 Ventura Blvd Suite 500
Sherman Oaks, CA 91403
Direct: (818) 461-8620
mailto:[EMAIL PROTECTED]

 

My house is made out of balsa wood, so when I want to scare the neighborhood kids I lift it over my head and tell them to get out of my yard or I'll throw it at them. -- Steven Wright

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 3:43 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

When you guys say backups, you do mean *system* backups that aren't safe, right? I mean, both my email and SQL servers were hit with this (according to eEye's scanner, which shows them both as infected after application of the MS patch and reboot). I assume I can still load back my actual *data* (email, database, user files) without restoring any actual system files, and be safe, right?

 

My hope is obviously that I won't need to reinstall these servers, but it doesn't look good.

 

Evan

 

-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 6:38 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

 

I have backups - but since I do not know when - or at this point even IF I am infected I am loath to trust them.

 

thanks for the help folks.

Jim Zangara, MCSE+I
Special Projects Engineer
Premiere Radio Networks
A Division of Clear Channel Communications
15260 Ventura Blvd Suite 500
Sherman Oaks, CA 91403
Direct: (818) 461-8620
mailto:[EMAIL PROTECTED]

 

Everywhere is walking distance if you have the time. -- Steven Wright

-----Original Message-----
From: Joe Casale [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 3:01 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me

I have never seen, nor know of, a way to inject code into the SAM without leaving it useless.

I think you are very safe to do this; where is your pre-infection backup?

He he...

Like one of our other buddies said (K Miller) "...You've been hacked...Only safe thing is to format, and reinstall..."

Adding back post-infection data is not safe, unless you can be 100% sure.

I think you are but I am not 100% sure either!

jlc

 

-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 1:59 PM
To: NT System Admin Issues
Subject: Code Red Got me

 

I know I patched this server but I am not taking any more chances.

Hello Folks -

It appears one of my servers got the backdoor worm - I can scan it sometimes and it shows clean and other times a memory scan shows an infection.  There is no root.exe file anywhere on the server so I am not totally convinced but I prefer not to take chances.

I have disabled the www service for now and am backing up my data.  I am wondering if there is a way to recover my SAM database without running a risk of re-infection?  I can recreate it but it would add hours to this and I would prefer not to.  Since I do not know when the infection took place I am not sure of a reliable pre-infection backup so I am not even going to attempt that route. 

Would an ERD made today have the SAM?  Should I trust it if it does?

The server is a PIII with 2 gigs of RAM, Win2k SP2, SQL 7, IIS 5 - web server - standalone - no domain.

 

TIA

Jim
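The thread turns on a question the memory scanner cannot settle: was the box only probed, or was the root.exe backdoor actually used? IIS keeps a durable record of both in its W3C extended log, so the following added example (not from anyone in this thread) parses constructed log lines, flags the worm's padded `default.ida` probe and any request to `/scripts/root.exe` or `/msadc/root.exe`, and grades the host accordingly. The sample log, the field layout and the IP addresses are all constructed for the example.

```python
import re

# Constructed sample IIS 5 W3C extended log (not from the thread);
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-18 13:01:22 203.0.113.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-18 13:02:05 198.51.100.9 GET /index.htm - 200
2001-08-18 13:05:41 203.0.113.7 GET /scripts/root.exe /c+dir 200
2001-08-18 13:09:12 198.51.100.9 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 404
"""

# Code Red hits the .ida ISAPI filter with a long run of N (v1) or X (v2);
# Code Red II then drops root.exe (a renamed cmd.exe) into /scripts and /msadc.
IDA_PROBE = re.compile(r"^[NX]{10,}")
BACKDOOR = re.compile(r"/(scripts|msadc)/root\.exe$", re.IGNORECASE)

def parse_iis_log(text):
    """Yield one dict per record, using the #Fields directive as the header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def code_red_indicators(text):
    """Return (kind, client-ip, time) for every request matching a Code Red pattern."""
    hits = []
    for rec in parse_iis_log(text):
        stem, query = rec["cs-uri-stem"].lower(), rec["cs-uri-query"]
        if stem.endswith("/default.ida") and IDA_PROBE.match(query):
            hits.append(("ida-probe", rec["c-ip"], rec["time"]))
        elif BACKDOOR.search(stem):
            hits.append(("root.exe-use", rec["c-ip"], rec["time"]))
    return hits

def assess(text):
    """Probes alone are background noise; a root.exe request means the backdoor was live."""
    kinds = {kind for kind, _, _ in code_red_indicators(text)}
    if "root.exe-use" in kinds:
        return "backdoor used: treat the host as compromised"
    if "ida-probe" in kinds:
        return "probed only: confirm the .ida patch and check for root.exe"
    return "no Code Red indicators in this log"
```

Run it against the real log files under the IIS log directory rather than the constructed sample; a single root.exe request settles the "am I infected" question regardless of what the memory scanner reports.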

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
