RV: Re: Code Red Sniffer

  • From: Javier Gonzalez <Javier@xxxxxxxxxx>
  • To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 17:52:47 +0200

I'm dreaming too; I applied the patch in June, and my server isn't slowed down
or stopped.
I've found only one of the symptoms: root.exe in \inetpub\scripts,
only in this folder.
Javier.

-----Original Message-----
From: David Dellanno [mailto:david@xxxxxxxxxx]
Sent: Wednesday, 08 August 2001 16:27
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer

So, I'm not dreaming... even with the MS security patch installed there are
systems being infected with the worm?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 08, 2001 9:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


Trust me; I know the feeling.  Our entire test lab is undergoing a total
rebuild (takes the rest of the week at least).  I got the job of being "worm
central" because we weren't hit.  Our testbed is physically isolated from
the corp net and has been behind an ISA for over a year.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "David Dellanno" <david@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 6:41 AM
Subject: [isalist] Re: Code Red Sniffer

Interesting, I have found two boxes that were infected - rogue explorer
found, both NT4SP6a, IIS 4.0 and both had the MS security patch installed
and are behind ISA2000.  Oh no...not the rebuild...not the rebuild!

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 08, 2001 9:37 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Code Red Sniffer

Symantec has instructions on their site for "eradication" of the Code Red
worm, but I've found those to be a bit unreliable.
It's not totally their fault; Code Red is actually a hidden process running
on your machine that sleeps most of the time, so "making it gone" is very
difficult.
You can use task mangler to stop the single-thread "explorer" process, but
it'll just come back again later.  You have to rebuild the box while it's
unplugged from any network until you get the MS security patch installed or
you stand a good chance of getting reinfected.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Network Administrator" <shivi@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 12:23 AM
Subject: [isalist] Re: Code Red Sniffer

Hi Jim,
    Just ran your Code Red sniffer, and found the rogue explorer.exe in some
machines.
What is the workaround for that?

thanks a lot
shivi

Shivanthan Balendra Network Administrator Arabian Network Information
Services W.L.L., P.O.Box 10141, Manama, Bahrain. Tel Off: ?298444 Fax Off: ?
311551 Email: shivi@xxxxxxxxxxx Web : www.arabian.net
----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Cc: "CommuniGate Pro Discussions" <CGatePro@xxxxxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 9:45 AM
Subject: [isalist] Code Red Sniffer

> Hello weary Code Red battlers,
>
> I've created a script that searches your system to sniff out the Code Red
> worm.  Since I had to help a hapless friend whose web farm was destroying
> itself, I had to make the search a little more streamlined.
>
> It does:
>     1. find the (presently) known droppings Code Red leaves in its wake
>     2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
>     3. tell you if it definitely identifies Code Red
> It DOES NOT:
>     1. say that Code Red is NOT on your system
>     2. attempt to clean Code Red from your system; this is a box-flattening
>        worm
>
> Since Code Red is known to sleep for at least 24 hours before trashing your
> box, you should run this script at least daily for the next several days to
> see if anything new shows up.
>
> It ain't much, but it's something, anyway...  Good luck to all.
>
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
shivi@xxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>

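An added example, not Jim Harrison's script (which is not included in the thread): Python that performs the checks the discussion describes, the root.exe dropping in \inetpub\scripts and a rogue single-thread explorer.exe, and formats the result as the C:\CodeRed_insp_<MachName>.log file the post mentions. The file list and process table are constructed inputs, and the shell path C:\WINNT\explorer.exe is an assumption (the NT4/2000 default).

```python
r"""Added example, not the script from the thread. It checks the two signs
the discussion names (root.exe dropped in \inetpub\scripts and a rogue
single-thread explorer.exe). Inputs are a constructed file list and
process table so it runs offline; on a real host feed it os.path.exists()
results and a process snapshot from the tool of your choice."""
import socket
from datetime import datetime, timezone

DROPPING_PATHS = [r"C:\inetpub\scripts\root.exe"]  # path named in the thread
SHELL_PATH = r"C:\WINNT\explorer.exe"  # assumed NT4/2000 shell location

def check_droppings(existing_files):
    """Return the known dropping paths that are present (case-insensitive)."""
    present = {p.lower() for p in existing_files}
    return [p for p in DROPPING_PATHS if p.lower() in present]

def check_rogue_explorer(processes):
    """Flag explorer.exe instances that are not the real shell: the thread
    describes the worm copy as single-threaded, and the genuine shell runs
    from SHELL_PATH. Each process is a dict: pid, name, path, threads."""
    rogue = []
    for p in processes:
        if p["name"].lower() != "explorer.exe":
            continue
        if p["threads"] == 1 or p["path"].lower() != SHELL_PATH.lower():
            rogue.append(p["pid"])
    return rogue

def inspect(existing_files, processes):
    findings = [f"dropping present: {p}" for p in check_droppings(existing_files)]
    findings += [f"rogue explorer.exe, pid {pid}" for pid in check_rogue_explorer(processes)]
    return findings

def format_log(machine, findings, when=None):
    r"""Text for C:\CodeRed_insp_<MachName>.log. A clean run is reported as
    'no known droppings found', never as 'not infected': the check proves
    presence only, which is the thread's own caveat."""
    when = when or datetime.now(timezone.utc)
    lines = [f"Code Red inspection of {machine} at {when:%Y-%m-%d %H:%M:%S}"]
    lines += findings or ["no known droppings found (absence is not proof)"]
    lines.append("verdict: CODE RED FOUND" if findings else "verdict: nothing found")
    return "\n".join(lines) + "\n"

def log_path(machine=None):
    return rf"C:\CodeRed_insp_{machine or socket.gethostname()}.log"

# Constructed sample host: root.exe present and a one-thread explorer.exe
# running from a made-up path (not a location the thread gives).
SAMPLE_FILES = [r"c:\inetpub\scripts\ROOT.EXE", r"C:\WINNT\explorer.exe"]
SAMPLE_PROCS = [
    {"pid": 212, "name": "explorer.exe", "path": r"C:\WINNT\explorer.exe", "threads": 9},
    {"pid": 980, "name": "EXPLORER.EXE", "path": r"C:\placeholder\explorer.exe", "threads": 1},
]

if __name__ == "__main__":
    print(format_log("TESTHOST", inspect(SAMPLE_FILES, SAMPLE_PROCS)))
```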