On eeye.com there is a full analysis including the probe signature which
you could capture with a sniffer.

From: "Zangara, Jim" <jzangara@premiereradio.com>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Sent: 08/18/2001 10:43 PM
Subject: RE: Code Red Got me - one more quick thing
Please respond to "NT System Admin Issues"

What could I check to see if my server is sending out these broadcasts to
infect others?  I have these guys isolated so it should be easy to see the
traffic.  I have a Fluke and logging enabled on the websites.

w2k IIS5

thanks.


     -----Original Message-----
     From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
     Sent: Saturday, August 18, 2001 10:26 PM
     To: NT System Admin Issues
     Subject: RE: Code Red Got me



     I'm not "comfortable" with any product - MS, Symantec, or otherwise. I
     don't trust any of them and always try to get a second opinion when
     dealing with critical things - hence my problems.


     I am still testing the situation on these servers because I am not
     positive there has been an infection. I am punishing myself but I do not
     want to take a chance that can be avoided. But I also do not want to
     disrupt operations of the site and to get a hold of users to reset
     passwords if I can avoid it.


     I have duplicated the problem on another box that is totally hose-able
     without a second thought - so it has been rebooted and unplugged from the
     network. It is hosting a copy of the websites the other one had. I am
     going to leave it running and isolated to see if the tool from Symantec
     will generate a positive again. If so then I will feel confident that
     these are false.


     The main server has had an in-place upgrade of Advanced Server which
     solved a couple of other issues that server was having; as stated in my
     first post, I already had a trouble ticket open with PSS regarding
     problems assigning permissions. Re-service packed and re-hot fixed. Will
     monitor it and decide what to do based on the test server results.


     I will play around with that clean MS up tool on the test server if it
     proves infected. Might be fun. If the Big one is infected a format and
     reinstall will be my only option. Can't chance that one.


     Thought this problem was fairly interesting and appreciate the help but I
     will shut up if you guys want.


     http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
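An added example, not from this thread or any poster: a Python check that answers the two questions above from the data Jim already has. It flags the Code Red probe signature in IIS 5 W3C extended log lines (the GET /default.ida request whose query is a long run of N or X followed by %u-encoded bytes), which shows who is probing the server, and it counts distinct TCP/80 destinations per source in flow records reduced from a sniffer capture, which is what an infected box scanning out looks like. The log lines and flow tuples are constructed sample data; the (src, dst, dport) flow shape is an assumption about how the capture is exported.

```python
import re
from collections import Counter

# Code Red probes the Index Server ISAPI extension (.ida) with a long run of
# 'N' (Code Red I) or 'X' (Code Red II) followed by %u-encoded shellcode.
IDA_STEM_RE = re.compile(r"^/default\.ida$", re.IGNORECASE)
IDA_QUERY_RE = re.compile(r"^(?:N{100,}|X{100,})%u[0-9a-f]{4}", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request, naming columns from the log's #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#") and line.strip() and fields is not None:
            yield dict(zip(fields, line.split()))

def code_red_hits(lines):
    """Count Code Red probe requests per client IP (who is probing this server)."""
    hits = Counter()
    for row in parse_w3c(lines):
        if (IDA_STEM_RE.match(row.get("cs-uri-stem", ""))
                and IDA_QUERY_RE.match(row.get("cs-uri-query", ""))):
            hits[row.get("c-ip", "?")] += 1
    return hits

def outbound_scanners(flows, threshold=20):
    """flows: (src_ip, dst_ip, dst_port) tuples from a sniffer. An infected host
    fans out on TCP/80; report sources reaching >= threshold distinct hosts."""
    targets = {}
    for src, dst, port in flows:
        if port == 80:
            targets.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

# Constructed sample data (not from the thread). The query mirrors the worm's
# shape: 224 N's (X's for Code Red II) followed by %u-escaped bytes.
PROBE_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-18 22:10:01 192.0.2.10 GET /default.htm - 200",
    "2001-08-18 22:10:05 198.51.100.7 GET /default.ida " + PROBE_QUERY + " 200",
    "2001-08-18 22:10:09 198.51.100.7 GET /default.ida " + PROBE_QUERY.replace("N", "X") + " 200",
]
SAMPLE_FLOWS = [  # src, dst, dst_port; 192.0.2.50 fans out to three web servers
    ("192.0.2.50", "203.0.113.1", 80), ("192.0.2.50", "203.0.113.2", 80),
    ("192.0.2.50", "203.0.113.3", 80), ("192.0.2.50", "203.0.113.4", 25),
    ("192.0.2.11", "203.0.113.9", 80),
]
```

On a real capture, raise `threshold` well above the server's normal number of outbound web connections; the IIS log only ever shows inbound probes, so the sniffer side is the one that answers whether your own box is scanning.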