On eeye.com there is a full analysis including the probe signature which
you could capture with a sniffer.
From: "Zangara, Jim" <jzangara@premiereradio.com>
To: "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Date: 08/18/2001 10:43 PM
Subject: RE: Code Red Got me - one more quick thing
Please respond to "NT System Admin Issues"
What could I check to see if my server is sending out these broadcasts to
infect others? I have these guys isolated so it should be easy to see the
traffic. I have a Fluke and logging enabled on the websites.
w2k IIS5
thanks.
-----Original Message-----
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 10:26 PM
To: NT System Admin Issues
Subject: RE: Code Red Got me
I am not "comfortable" with any product - MS, Symantec, or otherwise. I
don't trust any of them and always try to get a second opinion when
dealing with critical things - hence my problems.
I am still testing the situation on these servers because I am not
positive there has been an infection. I am punishing myself but I do
not want to take a chance that can be avoided. But I also do not want
to disrupt operations of the site and to get a hold of users to reset
passwords if I can avoid it.
I have duplicated the problem on another box that is totally hose-able
without a second thought - so it has been rebooted and unplugged from
the network. It is hosting a copy of the websites the other one had. I
am going to leave it running and isolated to see if the tool from
Symantec will generate a positive again. If so then I will feel
confident that these are false.
The main server has had an in place upgrade of Advanced Server which
solved a couple of other issues that server was having; as stated in my
first post, I already had a trouble ticket open with PSS regarding
problems assigning permissions. Re-service packed and re-hot fixed.
Will monitor it and decide what to do based on the test server results.
I will play around with that clean MS up tool on the test server if it
proves infected. Might be fun. If the Big one is infected a format and
reinstall will be my only option. Can't chance that one.
Thought this problem was fairly interesting and appreciate the help but
I will shut up if you guys want.
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm