RE: Code Red Got me

2001-08-27 Thread Fausto E. Miranda
Issues Subject: RE: Code Red Got me Have you tried to use the coderedcleanup tool from Microsoft? I have used it successfully, but because of the goof ups I have uninstalled IIS and am now using iPlanet free version until I feel comfortable with IIS again. -Original Message

RE: Code Red Got me - one more quick thing

2001-08-20 Thread Jerry Kennedy
If using IIS 4.0, be sure you aren't using the native HTTP redirects. The malformed URLs sent by Code Red probes cause Web services to shut down when implementing this configuration even if your server is not infected. eEye's tool does not detect this as a security hole. If you're using these r

RE: Code Red Got me - one more quick thing

2001-08-19 Thread Zangara, Jim
Thanks folks - Netstat shows just what I would expect it to - I ran it with the interval set to one second and I see only a couple of connections - this is the server's slowest time - and they stay connected for a while - So I am assuming they are valid web

RE: Code Red Got me - one more quick thing

2001-08-19 Thread Joe Casale
Run netstat. See if the machine is connecting a lot of different arbitrary other IPs through port 80. jlc -Original Message- From: Zangara, Jim [mailto:[EMAIL PROTECTED]] Sent: Saturday, August 18, 2001 11:43 PM To: NT System Admin Issues Subject

RE: Code Red Got me - one more quick thing

2001-08-19 Thread Dan_Rembolt
, Jim" <[EMAIL PROTECTED]> cc: 08/18/2001 10:43 Subject: RE: Code Red Got me - one more quick

RE: Code Red Got me - one more quick thing

2001-08-18 Thread Zangara, Jim
What could I check to see if my server is sending out these broadcasts to infect others? I have these guys isolated so it should be easy to see the traffic. I have a Fluke and logging enabled on the websites. w2k IIS5 thanks. -Original Message

RE: Code Red Got me

2001-08-18 Thread Zangara, Jim
I am not "comfortable" with any product - MS, Symantec, or otherwise. I don't trust any of them and always try to get a second opinion when dealing with critical things - hence my problems. I am still testing the situation on these servers because I

RE: Code Red Got me

2001-08-18 Thread Joe Casale
PROTECTED]] Sent: Sunday, August 19, 2001 1:02 AM To: NT System Admin Issues Subject: RE: Code Red Got me   you are not comfortable with IIS, but you did not reformat your server after the infection?? what am I missing in this picture?     Kevinm WLKMMAS*TM, QWSZC, VRY+Y, NFH, SAD-VF

RE: Code Red Got me

2001-08-18 Thread Kevin Miller
[mailto:[EMAIL PROTECTED]] Sent: Saturday, August 18, 2001 10:14 PM To: NT System Admin Issues Subject: RE: Code Red Got me You have already heard from a couple of people that the Symantec tool is unreliable. Why do you keep punishing yourself like this? /\/iels

RE: Code Red Got me

2001-08-18 Thread Fausto E. Miranda
[mailto:[EMAIL PROTECTED]] Sent: Saturday, August 18, 2001 10:14 PM To: NT System Admin Issues Subject: RE: Code Red Got me You have already heard from a couple of people that the Symantec tool is unreliable. Why do you keep punishing yourself like this? /\/iels

RE: Code Red Got me

2001-08-18 Thread Bill Kuhn - MCSE
- From: Zangara, Jim [mailto:[EMAIL PROTECTED]] Sent: Saturday, August 18, 2001 7:59 PM To: NT System Admin Issues Subject: RE: Code Red Got me Update on my possible code red - I am getting the same results on a different win2k Server. One time a scan by the Symantec tools says the worm is in

RE: Code Red Got me

2001-08-18 Thread Niels Christiansen
Admin Issues Subject: RE: Code Red Got me Update on my possible code red - I am getting the same results on a different win2k Server. One time a scan by the Symantec tools says the worm is in memory then sometimes it is not - I just rebooted it and have left its network

RE: Code Red Got me

2001-08-18 Thread Zangara, Jim
irect: (818) 461-8620 mailto:[EMAIL PROTECTED] If it pours before seven, it has rained by eleven. -Original Message- From: Zangara, Jim [mailto:[EMAIL PROTECTED]] Sent: Saturday, August 18, 2001 3:48 PM To: NT System Admin Issues Subject: RE: Code Red Got me That is what

RE: Code Red Got me

2001-08-18 Thread Zangara, Jim
'll throw it at them. -- Steven Wright -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Saturday, August 18, 2001 3:43 PM To: NT System Admin Issues Subject: RE: Code Red Got me When you guys say backups, you do mean *system* backups t

RE: Code Red Got me

2001-08-18 Thread ebrastow
]] Sent: Saturday, August 18, 2001 6:38 PM To: NT System Admin Issues Subject: RE: Code Red Got me   I have backups - but since I do not know when - or at this point even IF I am infected I am loath to trust them.   thanks for the help folks.     Jim Zangara, MCSE+I Special Projects Engineer

RE: Code Red Got me

2001-08-18 Thread Zangara, Jim
Issues Subject: RE: Code Red Got me I have never seen, nor know of a way to inject code into the sam w/ out leaving it useless. I think you are very safe to do this, where is your pre infection backup? He he... Like one of our other buddies said (K Miller) "...Y

RE: Code Red Got me

2001-08-18 Thread Joe Casale
I have never seen, nor know of a way to inject code into the sam w/ out leaving it useless. I think you are very safe to do this, where is your pre infection backup? He he… Like one of our other buddies said (K Miller) “…You’ve been hacked…Only safe thing is to fo

Re: Code Red Got me

2001-08-18 Thread Seth M. Kusiak
ks, CA 91403 > Direct: (818) 461-8620 > mailto:[EMAIL PROTECTED] > > > > > -Original Message- > From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]] > Sent: Saturday, August 18, 2001 1:55 PM > To: NT System Admin Issues > Subject: Re: Code Red Got me >

RE: Code Red Got me

2001-08-18 Thread Zangara, Jim
Did the eEye one when I patched it - showed not vulnerable then and does now - but what about this back door? Does this check for the back door that Code Red II might have left? The Symantec tool always says the server is not vulnerable and no trojans were present

Re: Code Red Got me

2001-08-18 Thread Seth M. Kusiak
IL PROTECTED] > > > > > -Original Message- > From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]] > Sent: Saturday, August 18, 2001 1:39 PM > To: NT System Admin Issues > Subject: Re: Code Red Got me > > > You're not using the Norton's FixCRed.exe

RE: Code Red Got me

2001-08-18 Thread Zangara, Jim
Actually yes - that is what is giving me the positives. But the server is kinda funky anyway so a reinstall does not worry me too much. I have been working with PSS for a couple of weeks on a security problem with it as it is - I can't assign permis

Re: Code Red Got me

2001-08-18 Thread Seth M. Kusiak
You're not using the Norton's FixCRed.exe are you? Because if you are, the tool DOES NOT give accurate results. It told me that a server with IIS NOT EVEN INSTALLED was infected (in memory). What a crappy tool. ~Seth Zangara, Jim writes: > I know I patched this server but I am not taking a