Title: Message
Overnight? Pppffffttttt, what are you complaining about...
 
About an hour ago, I was finishing setting up my newest server, to be a replacement firewall for the sort-of DMZ I have. I do all the setting up offline, as always, then I bring it online, with the only job remaining to test the DNS and get the patches from the file server they're stored on. I troubleshoot a DNS issue for about 30 minutes (mistyped a digit and my whole DNS went down, conflict between two primary-server wannabes) and in the meantime I get infected with Code Red II!!! (Lucky me, I had patched all my production servers already, though it was an uphill battle...)
 
Now I am very pissed, and very busy rebuilding my firewall. I've learned a lesson though: disable *everything* that can be disabled before bringing the server online, patch *everything* that needs to be patched, and enable whatever services I need.
 
How's your weekend, folks?
 
Eric Peeters
Network Administrator
TexLoc Ltd
-----Original Message-----
From: Niki Blowfield [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 24, 2001 8:59 AM
To: NT System Admin Issues
Subject: Codered?

Hi
 
I installed a Win2k Advanced Server in a kind of test environment on a public
IP address last thing yesterday, and it appeared to pick up the Code Red worm
overnight.
 
I got an email from one admin, and an automated message from a website.
 
I re-installed 2k Server and applied the IIS patches. I also applied the patches to
my 2 NT servers which have IIS4 running, albeit on a private subnet.
 
I have since noticed LOTS of traffic coming in through our single ADSL connection.
 
I can remove our firewall from the ADSL router, so it's connected only to the web,
but the traffic continues on the router indicator lights, so it doesn't seem to be
originating from our network.
 
The 2000 server is the only device on our network providing any kind of services
to the internet, and that is currently offline.
 
We have no way of connecting to the router to check logs, but if I bring the 2000
server online and run netmon, I get constant entries like the following:
 
SRC MAC Address - FLOW00......
Dest MAC Address - LOCAL
Protocol - TCP
SRC Other Address - 213.66.79.235
Dest Other Address - WIN2KADVSERV
Type Other Add - IP
 
Do we still have a problem? Or are these other sites with the virus attempting to
send it to us?
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
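Netmon only shows that a remote host is talking to the server; the IIS web log answers the question Niki is actually asking. An inbound request for /default.ida padded with a long run of N (Code Red) or X (Code Red II) followed by the %u9090%u6858%ucbd3%u7801 shellcode prefix is another infected host scanning you, not evidence that you are infected. A request for /scripts/root.exe, /msadc/root.exe or /c/winnt/system32/cmd.exe that your server answers with 200 means the Code Red II backdoor (root.exe copies of cmd.exe plus /c and /d virtual directories mapped to the drive roots) is present, so the box is infected. The script below is an added example, not code from either poster: it triages a W3C extended IIS log with those two rules. The log lines are constructed, the field order is assumed from the #Fields header in the sample, and the client addresses are documentation ranges, not the address from the netmon capture.

```python
"""Triage Code Red / Code Red II activity from an IIS W3C extended log.

Added example. The log below is constructed; only the field order declared in
its #Fields header is assumed by the parser.
"""
import re
from collections import Counter, defaultdict

# Code Red padded the default.ida query with 'N'; Code Red II padded it with 'X'.
# Both then carry the same %u-encoded shellcode prefix. The real worm sent a
# run of 224 characters; 20 is enough to tell it apart from anything benign.
EXPLOIT_RE = re.compile(r"^(N{20,}|X{20,})%u9090%u6858%ucbd3%u7801", re.IGNORECASE)

# Code Red II drops root.exe (a copy of cmd.exe) into /scripts and /msadc and maps
# /c and /d to the C: and D: drive roots. A 200 on any of these means the
# backdoor exists and answered: the server is infected.
BACKDOOR_RE = re.compile(
    r"^/(scripts|msadc)/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$", re.IGNORECASE)

# Field order assumed for this example; a real log states it in its #Fields line.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

X30, N30 = "X" * 30, "N" * 30
SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"

# Constructed sample log: two scans from infected hosts, one backdoor probe that
# fails, one normal request, and one backdoor request that the server serves.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-08-24 08:12:03 192.0.2.10 GET /default.ida {X30}{SHELLCODE} 200",
    f"2001-08-24 08:12:41 198.51.100.7 GET /default.ida {N30}{SHELLCODE} 200",
    "2001-08-24 08:13:02 192.0.2.10 GET /scripts/root.exe ?/c+dir 404",
    "2001-08-24 08:13:10 192.0.2.55 GET / - 200",
    "2001-08-24 08:14:20 203.0.113.5 GET /c/winnt/system32/cmd.exe ?/c+dir 200",
])


def parse_w3c(line):
    """Split one W3C log line into a dict; comment and malformed lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Label a record: 'scan-codered', 'scan-codered2', 'backdoor-probe',
    'backdoor-hit', or None for anything that is not worm traffic."""
    stem, query, status = rec["cs-uri-stem"], rec["cs-uri-query"], rec["sc-status"]
    if stem.lower() == "/default.ida":
        m = EXPLOIT_RE.match(query)
        if m:
            return "scan-codered2" if m.group(1)[0].upper() == "X" else "scan-codered"
    if BACKDOOR_RE.match(stem):
        return "backdoor-hit" if status == "200" else "backdoor-probe"
    return None


def triage(log_text):
    """Summarise who is scanning us and whether our own backdoor ever answered."""
    counts = Counter()
    scanners = defaultdict(set)
    infected = False
    for line in log_text.splitlines():
        rec = parse_w3c(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        counts[kind] += 1
        if kind.startswith("scan-"):
            scanners[kind].add(rec["c-ip"])
        elif kind == "backdoor-hit":
            infected = True
    return {
        "counts": dict(counts),
        "scanners": {k: sorted(v) for k, v in scanners.items()},
        "infected": infected,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:15s} {n:4d}  from {report['scanners'].get(kind, [])}")
    print("infected:", report["infected"])
```

Scans counted under scan-codered and scan-codered2 are the "other sites with the virus" case and need nothing beyond the patch; a single backdoor-hit is the case where the reinstall did not happen soon enough and the box has to be rebuilt, as Eric did.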