Re: blocking Code Red

  • From: David Dellanno <david@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 15:07:43 -0400

I do understand in general, but never actually witnessed a demonstration of
it.  This would be my weakest link (good-bye!) ;)

-----Original Message-----
From: Jay [mailto:jschwarzkopf@xxxxxxxxxx]
Sent: Wednesday, August 08, 2001 3:04 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: blocking Code Red


http://www.ISAserver.org


Poor choice of words. Vocabulary was never my strength. But I'm sure you
understand the concept of a privileged process superseding NTFS permissions.
Or do you?





----- Original Message -----
From: "David Dellanno" <david@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 07, 2001 3:02 PM
Subject: [isalist] Re: blocking Code Red


> That's interesting, have you been able to moot NTFS permission?
>
> -----Original Message-----
> From: Jay Schwarzkopf [mailto:jschwarzkopf@xxxxxxxxxx]
> Sent: Tuesday, August 07, 2001 2:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: blocking Code Red
>
>
> The idq.dll runs as system level, so once it's compromised, NTFS permissions
> are moot.
>
> The explorer.exe will be either in the c:\ or d:\ root directory.
>
> ----- Original Message -----
> From: "David Dellanno" <david@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, August 07, 2001 10:41 AM
> Subject: [isalist] Re: blocking Code Red
>
>
> > explorer.exe should be located under \WINNT directory.  But if the hacker
> > can get through your NTFS permissions and access an application on the
> > server, don't you think we have a bigger security hole to consider?
> >
> > -----Original Message-----
> > From: Andrews, Bryan (COX-Atlanta) [mailto:Bryan.Andrews@xxxxxxx]
> > Sent: Tuesday, August 07, 2001 8:28 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: blocking Code Red
> >
> >
> > I found that I have root.exe in my scripts directory but where would
> > explorer.exe be? Wwwroot?
> >
> > In the scripts directory there is a poisonbox message (which I was
> > infected with). Does poisonbox add the root.exe too or might I have
> > both??
> >
> >
> >  -----Original Message-----
> > From: Jay Schwarzkopf [mailto:jschwarzkopf@xxxxxxxxxx]
> > Sent: Tuesday, August 07, 2001 1:09 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: blocking Code Red
> >
> > If you've seen either iteration of the Code Red worm in your IIS or ISA
> > logs, check to see if you have "root.exe" in your inetpub\scripts directory,
> > or "explorer.exe" in your root dir.  If you have either file, MS recommends
> > rebuilding the server.  Unfortunately, I know this first hand.
> >
> >
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, August 06, 2001 5:53 PM
> > Subject: [isalist] Re: blocking Code Red
> >
> >
> > > It doesn't; not as such.  It simply doesn't recognize it as a valid request
> > > as defined in your publishing rules and refuses it on that basis.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > > ----- Original Message -----
> > > From: "Talley, Scott" <stalley@xxxxxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Monday, August 06, 2001 2:28 PM
> > > Subject: [isalist] blocking Code Red
> > >
> > >
> > > Upon examining my ISA logs, I see that it has denied access approx. 20 times
> > > per day to both versions of Code Red queries.  My question is.. how does it
> > > identify this request as malicious?
> > >
> > > Thank you,
> > > Scott Talley
> > > The Combined Group
> > >
> > > phone:  972.247.2621 x829
> > > fax:    972.247.2622
> > > e-mail: stalley@xxxxxxxxxxxxxxxxx
> > >
> > >
> >
> >
>
>


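A defender-side check for the two indicator files Jay names in the thread (root.exe in inetpub\scripts, explorer.exe sitting in a drive root rather than \WINNT), written as an added Python example that is not part of the original thread. The drive layout it builds is constructed for the demonstration and the function names are assumptions of this example.

```python
import os
import tempfile

# Indicator files named in the thread: root.exe dropped into inetpub\scripts,
# explorer.exe dropped into a drive root (the legitimate copy lives in \WINNT).
SCRIPTS_INDICATOR = "root.exe"
ROOT_INDICATOR = "explorer.exe"


def _find_file(directory, name):
    """Case-insensitive lookup of `name` directly inside `directory` (NTFS is
    case-insensitive, so Explorer.EXE must match too). Returns the path or None."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        full = os.path.join(directory, entry)
        if entry.lower() == name and os.path.isfile(full):
            return full
    return None


def find_indicators(drive_roots):
    """For each drive root, check the root itself for explorer.exe and
    <root>\\inetpub\\scripts for root.exe. Returns sorted (kind, path) pairs."""
    hits = []
    for root in drive_roots:
        path = _find_file(root, ROOT_INDICATOR)
        if path:
            hits.append(("explorer.exe in drive root", path))
        path = _find_file(os.path.join(root, "inetpub", "scripts"), SCRIPTS_INDICATOR)
        if path:
            hits.append(("root.exe in inetpub\\scripts", path))
    return sorted(hits)


def demo():
    """Constructed layout: a 'C' drive holding both artefacts plus the legitimate
    \\WINNT\\explorer.exe, and a clean 'D' drive. Returns the indicator kinds found."""
    base = tempfile.mkdtemp()
    c_drive, d_drive = os.path.join(base, "C"), os.path.join(base, "D")
    for d in (os.path.join(c_drive, "WINNT"),
              os.path.join(c_drive, "inetpub", "scripts"),
              os.path.join(d_drive, "inetpub", "wwwroot")):
        os.makedirs(d)
    for f in (os.path.join(c_drive, "WINNT", "explorer.exe"),    # legitimate, ignored
              os.path.join(c_drive, "Explorer.exe"),             # suspicious
              os.path.join(c_drive, "inetpub", "scripts", "root.exe")):
        open(f, "wb").close()
    return [kind for kind, _ in find_indicators([c_drive, d_drive])]


if __name__ == "__main__":
    for kind, path in find_indicators(["C:\\", "D:\\"]):
        print(f"{kind}: {path}")
```

Run it on a real host by passing the actual drive roots; a hit on either indicator is the condition under which the thread says MS recommends rebuilding the server rather than cleaning it.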