Our webserver got hit a couple of weeks ago.  It got cleaned up and the
security patch(es) applied.  I thought nothing more about it.

However, I think it or a variant got three of our other Win2k servers that
don't run IIS at all.  Yesterday I found a strange process, VMGR32.exe,
chewing up 50% CPU on our production db server.  The file, in
C:\WinNT\System32, was dated 07/30/2001 08:40pm.  Another file, acer4.exe,
of exactly the same size, 272KB, had exactly the same datetime.  Neither
file shows the usual "Version" tab in the Properties window (after right
click on the file).  I searched the Microsoft site and did a Google search
on both, with zero hits.  Suspicious...

I checked out
 http://www.net-security.org/text/articles/coverage/code-red/
but couldn't see any similarities until it suggested running netstat -an to
see if your server was connecting to dozens of random IP addresses at port
:80.  I did and ours was!

I changed the service "Remote Administration Service" (which loads
VMGR32.exe) to Manual and rebooted the servers.  The connections to random
IP addresses at port :80 have stopped and VMGR32.exe is no longer running as
a process.

I also installed Win2k Service Pack 2.

I hope I've squashed this worm!  Have I?  Are the port :80 connections and
VMGR32.exe related or have I been chasing the wrong culprit?  The NT
sysadmin at our colocation facility isn't a lot of help (one reason we're
looking to switch pretty soon!), so I'm kind of at a loss.

Any suggestions?

Thanks.

Jack

--------------------------------
Jack C. Applewhite
Database Administrator/Developer
OCP Oracle8 DBA
iNetProfit, Inc.
Austin, Texas
www.iNetProfit.com
[EMAIL PROTECTED]
(512)327-9068

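The netstat -an check described in the message above, as an added example that is not part of the original post or of the net-security.org article: a Python script that parses a constructed Windows 2000 netstat -an listing (documentation IP ranges, not a real capture) and separates inbound hits on the server's own port 80 from outbound connections to other hosts' port 80, which is the Code Red propagation symptom. Windows 2000's netstat has no -o switch, so it cannot tie a socket to a process; the script works on the socket table alone. The threshold of 10 distinct peers and the SYN_SENT ratio are assumptions for illustration, not figures from the thread.

```python
"""Flag a host that is opening many outbound TCP connections to port 80
by parsing `netstat -an` output.  Added example for this thread; it is
not code from the original post.  Run `netstat -an > out.txt` on the
server and feed the file to looks_like_scanner().
"""
import re

# Constructed sample of Windows 2000 `netstat -an` output (not a real
# capture; addresses are from the RFC 5737 documentation ranges).
# 10.0.0.5 is the database server; 1521 is its Oracle listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            192.0.2.44:3312        ESTABLISHED
  TCP    10.0.0.5:1521          10.0.0.9:2001          ESTABLISHED
  TCP    10.0.0.5:1040          203.0.113.17:80        SYN_SENT
  TCP    10.0.0.5:1041          198.51.100.23:80       SYN_SENT
  TCP    10.0.0.5:1042          192.0.2.201:80         ESTABLISHED
  TCP    10.0.0.5:1043          203.0.113.88:80        SYN_SENT
  TCP    10.0.0.5:1044          198.51.100.140:80      SYN_SENT
  TCP    10.0.0.5:1045          192.0.2.9:80           SYN_SENT
  TCP    10.0.0.5:1046          203.0.113.250:80       ESTABLISHED
  TCP    10.0.0.5:1047          198.51.100.66:80       SYN_SENT
  TCP    10.0.0.5:1048          192.0.2.77:80          SYN_SENT
  TCP    10.0.0.5:1049          203.0.113.5:80         SYN_SENT
  TCP    10.0.0.5:1050          198.51.100.199:80      ESTABLISHED
  TCP    10.0.0.5:1051          192.0.2.130:80         SYN_SENT
  TCP    10.0.0.5:1039          198.51.100.23:80       TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

# One TCP row: proto, local ip:port, foreign ip:port, state (IPv4 only,
# which is all Windows 2000 prints).
TCP_ROW = re.compile(r'^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$')

# States that mean "we are actively trying to reach, or talking to, a peer".
LIVE_STATES = ('SYN_SENT', 'ESTABLISHED')


def parse_tcp(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state)."""
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state


def inbound_web_clients(text):
    """Remote hosts connected to OUR port 80 (normal for a web server)."""
    return sorted({rip for lip, lport, rip, rport, state in parse_tcp(text)
                   if lport == 80 and state == 'ESTABLISHED'})


def outbound_web_peers(text):
    """Distinct remote hosts WE are connecting to on port 80.

    A database server has no business doing this at scale; a worm
    scanning random addresses does.  TIME_WAIT rows are ignored because
    they are finished connections, not current activity.
    """
    return sorted({rip for lip, lport, rip, rport, state in parse_tcp(text)
                   if rport == 80 and state in LIVE_STATES})


def outbound_state_counts(text):
    """(syn_sent, established) counts for outbound port-80 sockets.

    Random scanning leaves most sockets stuck in SYN_SENT because most
    random addresses never answer; legitimate clients mostly reach
    ESTABLISHED.  A high SYN_SENT share is a second indicator.
    """
    syn = est = 0
    for lip, lport, rip, rport, state in parse_tcp(text):
        if rport == 80:
            if state == 'SYN_SENT':
                syn += 1
            elif state == 'ESTABLISHED':
                est += 1
    return syn, est


def looks_like_scanner(text, threshold=10):
    """Return (verdict, peers).  The threshold is an assumed figure."""
    peers = outbound_web_peers(text)
    return len(peers) >= threshold, peers


if __name__ == '__main__':
    verdict, peers = looks_like_scanner(SAMPLE_NETSTAT)
    syn, est = outbound_state_counts(SAMPLE_NETSTAT)
    print('inbound web clients :', inbound_web_clients(SAMPLE_NETSTAT))
    print('outbound :80 peers  :', len(peers), 'distinct hosts')
    print('SYN_SENT/ESTABLISHED:', syn, '/', est)
    print('scanner-like        :', verdict)
```

Run it against the real listing by replacing SAMPLE_NETSTAT with the contents of the saved netstat file; a handful of outbound :80 peers is ordinary, dozens of distinct hosts with most sockets in SYN_SENT is the pattern the article describes.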

-----Original Message-----
[EMAIL PROTECTED]
Sent: Monday, August 06, 2001 2:24 PM
To: Multiple recipients of list ORACLE-L


New worm targets same systems as Code Red

Security analysts warned that a new and potentially dangerous worm began
circulating over the weekend, targeting the same Windows-based servers as
the high-profile Code Red worm.

http://computerworld.com/nlt/1%2C3590%2CNAV47_STO62834_NLTAM%2C00.html
--

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jack C. Applewhite
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------