I do understand in general, but never actually witnessed a demonstration of it. This would be my weakest link (good-bye!) ;)

-----Original Message-----
From: Jay [mailto:jschwarzkopf@xxxxxxxxxx]
Sent: Wednesday, August 08, 2001 3:04 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: blocking Code Red

http://www.ISAserver.org

Poor choice of words. Vocabulary was never my strength. But I'm sure you understand the concept of a privileged process superseding NTFS permissions. Or do you?

----- Original Message -----
From: "David Dellanno" <david@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 07, 2001 3:02 PM
Subject: [isalist] Re: blocking Code Red

> That's interesting, have you been able to moot NTFS permission?
>
> -----Original Message-----
> From: Jay Schwarzkopf [mailto:jschwarzkopf@xxxxxxxxxx]
> Sent: Tuesday, August 07, 2001 2:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: blocking Code Red
>
> The idq.dll runs as system level, so once it's compromised, NTFS permissions
> are moot.
>
> The explorer.exe will be either in the c:\ or d:\ root directory.
>
> ----- Original Message -----
> From: "David Dellanno" <david@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, August 07, 2001 10:41 AM
> Subject: [isalist] Re: blocking Code Red
>
> > explorer.exe should be located under \WINNT directory. But if the hacker
> > can get through your NTFS permissions and access an application on the
> > server, don't you think we have a bigger security hole to consider?
> >
> > -----Original Message-----
> > From: Andrews, Bryan (COX-Atlanta) [mailto:Bryan.Andrews@xxxxxxx]
> > Sent: Tuesday, August 07, 2001 8:28 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: blocking Code Red
> >
> > I found that I have root.exe in my scripts directory but where would
> > explorer.exe be? Wwwroot?
> >
> > In the scripts directory there is a poisonbox message (which I was
> > infected with). Does poisonbox add the root.exe too or might I have
> > both??
> >
> > -----Original Message-----
> > From: Jay Schwarzkopf [mailto:jschwarzkopf@xxxxxxxxxx]
> > Sent: Tuesday, August 07, 2001 1:09 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: blocking Code Red
> >
> > If you've seen either iteration of the code red worm in their IIS or ISA
> > logs, check to see if you have "root.exe" in your inetpub\scripts directory,
> > or "explorer.exe" in your root dir. If you have either file, MS recommends
> > rebuilding the server. Unfortunately, I know this first hand.
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, August 06, 2001 5:53 PM
> > Subject: [isalist] Re: blocking Code Red
> >
> > > It doesn't; not as such. It simply doesn't recognize it as a valid request
> > > as defined in your publishing rules and refuses it on that basis.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > > ----- Original Message -----
> > > From: "Talley, Scott" <stalley@xxxxxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Monday, August 06, 2001 2:28 PM
> > > Subject: [isalist] blocking Code Red
> > >
> > > Upon examining my ISA logs, I see that it has denied access approx. 20 times
> > > per day to both versions of Code Red queries. My question is: how does it
> > > identify this request as malicious?
> > >
> > > Thank you,
> > > Scott Talley
> > > The Combined Group
> > >
> > > phone: 972.247.2621 x829
> > > fax: 972.247.2622
> > > e-mail: stalley@xxxxxxxxxxxxxxxxx
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: david@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
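The thread makes two practical points: the worm's request can be recognised in IIS or ISA logs (Scott's question), and a compromised host shows root.exe under inetpub\scripts or explorer.exe in a drive root (Jay's check). The script below is an added example, not code posted by any list member. It scans W3C-format IIS log records for the .ida/.idq overflow request that both Code Red variants sent (a long run of one padding byte, N for the original worm and X for Code Red II, followed by %u-encoded shellcode), flags requests to the root.exe backdoor, and then looks for the two files on disk. The log lines are constructed, the `#Fields:` layout is an assumption about how logging was configured, the %u payload is shortened, and the 20-byte padding threshold is a tuning choice for this example.

```python
"""Code Red indicators: scan IIS logs, then check the files the thread names.

Added example, not code from any list member. The log lines are constructed
and the W3C field layout is an assumption about how IIS logging was set up.
"""
import re
import tempfile
from pathlib import Path

# MS01-033 .ida/.idq overflow as both worms sent it: a request for an .ida
# (or .idq) resource whose query opens with a long run of one padding byte,
# followed by %u-encoded shellcode. Code Red padded with 'N', Code Red II
# with 'X'. The 20-byte minimum is a tuning choice for this example.
IDA_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)
OVERFLOW_QUERY = re.compile(r"^(N{20,}|X{20,})%u", re.IGNORECASE)

# Requests that drive the root.exe backdoor Code Red II drops (a copy of
# cmd.exe in the scripts and msadc virtual directories).
BACKDOOR_STEM = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)

# Shortened, constructed %u payload; the real one is longer but starts alike.
SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"

# Constructed IIS 5 style W3C extended log. The '#Fields:' directive drives
# the column mapping, so the scanner is not tied to this field order.
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-06 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 14:01:22 192.0.2.10 GET /default.htm - 200
2001-08-06 14:02:05 198.51.100.7 GET /default.ida {'N' * 60}{SHELLCODE} 200
2001-08-06 14:05:41 203.0.113.9 GET /default.ida {'X' * 60}{SHELLCODE} 200
2001-08-06 14:07:13 203.0.113.9 GET /scripts/root.exe /c+dir 200
2001-08-06 14:09:00 192.0.2.11 GET /scripts/search.idq CiRestriction=isa 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive.

    W3C extended values never contain spaces (IIS writes '+' instead), so a
    plain split is safe; records whose column count disagrees are skipped.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def classify(record):
    """Label a Code Red-related record, or return None for ordinary traffic."""
    stem = record.get("cs-uri-stem", "")
    query = record.get("cs-uri-query", "")
    if IDA_STEM.search(stem) and OVERFLOW_QUERY.match(query):
        return "CodeRedII" if query[0].upper() == "X" else "CodeRed"
    if BACKDOOR_STEM.match(stem):
        return "root.exe backdoor request"
    return None


def scan_log(text):
    """Return (timestamp, client, label, stem) for every flagged record."""
    hits = []
    for rec in parse_w3c(text):
        label = classify(rec)
        if label:
            when = f"{rec.get('date', '?')} {rec.get('time', '?')}"
            hits.append((when, rec.get("c-ip", "?"), label, rec["cs-uri-stem"]))
    return hits


def check_host_iocs(inetpub, drive_roots):
    """Return the indicator files from the thread that exist on this host.

    inetpub is the parent of the scripts directory (C:\\Inetpub by default);
    drive_roots are the roots to inspect for a dropped explorer.exe (the
    thread names C:\\ and D:\\; the legitimate copy lives under \\WINNT).
    Both are parameters so the check can run against any directory.
    """
    candidates = [Path(inetpub) / "scripts" / "root.exe"]
    candidates += [Path(root) / "explorer.exe" for root in drive_roots]
    return sorted(str(p) for p in candidates if p.is_file())


def demo_host_check():
    """Run check_host_iocs against a scratch layout that mimics an infected box."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "Inetpub" / "scripts").mkdir(parents=True)
        (base / "Inetpub" / "scripts" / "root.exe").write_bytes(b"")
        (base / "explorer.exe").write_bytes(b"")
        found = check_host_iocs(base / "Inetpub", [base])
        return sorted(Path(f).relative_to(base).as_posix() for f in found)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print("scratch host:", demo_host_check())
    # The thread's own check, as it would be run on an IIS 5 host:
    print("this host:", check_host_iocs("C:\\Inetpub", ["C:\\", "D:\\"]))
```

The log scan only tells you the request arrived; the 200 status on an `.ida` request with an overflow query means the ISAPI filter was reached, which is the point at which Jay's file check matters. A request to `/scripts/root.exe` after that is someone driving the backdoor, and, as the thread says, the recommended response at that point is a rebuild rather than a clean-up.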