Re: Code Red Sniffer

yesss, it's the best of the best, shutdown the server and stay looking at
the clouds hearing as the soft country music floods your brain....  like the
mine after 12 hours seeing codered codered codereddd.
javierrrr :-|

-----Mensaje original-----
De: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Enviado el: miércoles, 08 de agosto de 2001 18:32
Para: [ISAserver.org Discussion List]
Asunto: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


"Option to permaently disable IIS on machine"

Almost as good as the Outlook Security Patch. :-)

-----Original Message-----
From: Javier Gonzalez [mailto:Javier@xxxxxxxxxx]
Sent: Wednesday, August 08, 2001 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


and, as I said, the new tool from Microsoft to eliminate CodeRed
from:  http://www.microsoft.com/downloads/release.asp?ReleaseID=31878
but I passed it and the Jim's tools reports the same information.


-----Mensaje original-----
De: David Dellanno [mailto:david@xxxxxxxxxx]
Enviado el: miércoles, 08 de agosto de 2001 18:22
Para: [ISAserver.org Discussion List]
Asunto: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


CodeRed is now up to III , 

'THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES
NOT
ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.' 


I'll wait for Jim to see if there is an answer between the discrepancy
in
the results of the 'rogue explorer' between Symantec's 'CRDetect.exe'
and
Big Jim's 'CodeRed Sniffer'. 
  
-----Original Message-----
From: Javier Gonzalez [mailto:Javier@xxxxxxxxxx]
Sent: Wednesday, August 08, 2001 11:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


even with 
from:  http://www.microsoft.com/downloads/release.asp?ReleaseID=31878
applied, too...
is to go mad.
Javier

-----Mensaje original-----
De: David Dellanno [mailto:david@xxxxxxxxxx]
Enviado el: miércoles, 08 de agosto de 2001 17:36
Para: [ISAserver.org Discussion List]
Asunto: [isalist] Re: Code Red Sniffer

Hi Jim, very interesting.....  


I ran your script with the results:

Code Red infection search for SOFTPROBDC on 8/8/01 9:16:15 AM
  **  Checking for the bad 'explorer.exe' and 'root.exe' files
C:\explorer.exe - not found
C:\inetpub\Scripts\Root.exe - not found
C:\progra~1\Common~1\System\MSADC\Root.exe - not found
  **  Checking for the bad Virtual Folders entries
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C
-
not found
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D
-
not found
  **  Checking for the bad System File Checker entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable -
not
found

  **  Checking for the rogue Explorer.exe

Rogue Explorer process - found
        **  you've definitely been infected ! **

** You have one or more definite indications of Code Red V2 on your
system.
** You need to flatten this box and start over.  DO NOT connect to a
network
** until you have completely rebuilt the system AND installed the
security
** patch from Microsoft.

Then I ran the Symantec's 'CRDetect.exe' on the system tha with the
results:


'Your computer does not appear to be Vunerable to the CodeRed Worm'.


Is this right?


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 08, 2001 9:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


I think that's trying to be a bit too general.

Both variants exploit a buffer vulnerability known to exist in NT4 and
W2K.
Both variants propagate themselves to other machines.
Both variants run hidden outside the IIS process space, making a reboot
necessary to stop them
CR2 copies a fake "Explorer.exe" and copies "cmd.exe" to "root.exe" to
your
drive; these can affect NT4 as well.
CR2 creates virtual folders under the default web site; this affects
both
NT4 and W2K.
CR2 on the other hand, takes some actions that are specific to W2K, such
as
modifying the SFCDisable regkey.

The differences between the NT4 and W2K damage are so slight as to be
irrelevant.  Check any machine running IIS 4.0 or higher.  Apparently,
WXP
is immune (probably a redesign of the IIS space).

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Jeremy Pullicino" <jeremyp@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 6:55 AM
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


Code Red II only affects W2K

The origincal Code Red and it's variants work on NT4

Jeremy.

-----Original Message-----
From: Jeremy Lake [mailto:jeremy.lake@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, August 08, 2001 3:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


NAI are saying Code Red only effects W2K, not NT4 is this true?

Jez

-----Original Message-----
From: David Dellanno [mailto:david@xxxxxxxxxx]
Sent: 08 August 2001 14:42
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


Interesting, I have found two boxes that were infected - rogue explorer
found, both NT4SP6a, IIS 4.0 and both had the MS security patch
installed
and are behind ISA2000.  Oh no...not the rebuild...not the rebuild!

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 08, 2001 9:37 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


Symantec has instructions on their site for "eradication" of the Code
Red
worm, but I've found those to be a bit unreliable. It's not totally
their
fault; Code Red is actually a hidden process running on your machine
that
sleeps most of the time, so "making it gone" is very difficult. You can
use
task mangler to stop the single-thread "explorer" process, but it'll
just
come back again later.  You have to rebuild the box while it's unplugged
from any network until you get the MS security patch installed or you
stand
a good chance of getting reinfected.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Network Administrator" <shivi@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 12:23 AM
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


Hi JIm,
    Just ran your codered sniffer, and found the Rogue explorer.exe in
some
machins. what is the work around for that??

thanks a lot
shivi

Shivanthan Balendra Network Administrator Arabian Network Information
Services W.L.L., P.O.Box 10141, Manama, Bahrain. Tel Off: ?298444 Fax
Off: ?
311551 Email: shivi@xxxxxxxxxxx Web : www.arabian.net
----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: "CommuniGate Pro Discussions" <CGatePro@xxxxxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 9:45 AM
Subject: [isalist] Code Red Sniffer


> http://www.ISAserver.org
>
>
>
> This is a multi-part message in MIME format.
>
>


------------------------------------------------------------------------
----
----


> Hello weary Code Red battlers,
>
> I've created a script that searches your system to sniff out the Code
> Red worm.  Since I had to help a hapless friend who's web farm was
> destroying itself,  I had to make the search a little more
> streamlined.
>
> It does:
>     1. find the (presently) known droppings Code Red leaves in its
wake
>     2. leave a log file on your system as
"C:\CodeRed_insp_<MachName>.log"
>     3. tell you if definitely identifies Code Red
> It DOES NOT:
>     1. say that Code Red is NOT on your system
>     2. attempt to clean Code Red from your system; this is a
box-flattening
> worm
>
> Since Code Red is known to sleep for at least 24 hours before trashing
your
> box, you should run this script at least daily for the next several
> days
to
> see if anything new shows up.
>
> It ain't much, but it's something, anyway...  Good luck to all.
>
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
>


------------------------------------------------------------------------
----
----


> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
shivi@xxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
david@xxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jeremy.lake@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')


This message is intended only for the use of the person(s) ("The
intended
recipient(s)") to whom it is addressed. It may contain information that
is
privileged and confidential within the meaning of applicable law. If you
are
not the intended recipient, please contact the sender as soon as
possible.
The views expressed in this communication are not necessarily those held
by
Quantum Information Systems Limited.



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jeremyp@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')






GFI - Security & communications products for Windows NT/2000
http://www.gfi.com

**********************************************************
This mail was content checked for malicious code or viruses
by Mail essentials. Mail essentials for Exchange/SMTP is an
email security, content checking & anti-virus gateway that
removes all types of email-borne threats before they can affect
your email users. Spam, viruses, dangerous attachments & offensive
content can be removed before they reach your mail server.
In addition it has server-based email encryption, disclaimers
and other email features.
***********************************************************

In addition to Mail essentials, GFI also produces the FAXmaker
fax server product range & LANguard internet access control &
intrusion detection. For more information on our products please
visit http://www.gfi.com



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
david@xxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
javier@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
david@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
javier@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
slebrun@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
javier@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


Other related posts: