Hi

I installed a Win2k Advanced Server in a kind of test environment on a public IP address last thing yesterday, and it appeared to pick up the Code Red worm overnight. I got an email from one admin, and an automated message from a website.

I re-installed 2k serv and applied the IIS patches. I also applied the patches to my 2 NT servers which have IIS4 running, albeit on a private subnet.

I have since noticed LOTS of traffic coming in through our single ADSL connection. I can remove our firewall from the ADSL router, so it's connected only to the web, but the traffic continues on the router indicator lights, so it doesn't seem to be originating from our network.

The 2000 server is the only device on our network providing any kind of services to the internet, and that is currently offline.

We have no way of connecting to the router to check logs, but if I bring the 2000 server online and run netmon, I get constant entries like the following:
SRC MAC Address - FLOW00......
Dest MAC Address - LOCAL
Protocol - TCP
SRC Other Address - 213.66.79.235
Dest Other Address - WIN2KADVSERV
Type Other Add - IP

Do we still have a problem? Or are these other sites with the virus attempting to send it to us?

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm