I found that I have root.exe in my scripts directory but where would explorer.exe be? Wwwroot? In the scripts directory there is poisonbox message (which I was infected with). Does poisonbox add the root.exe too or might I have both?? -----Original Message----- From: Jay Schwarzkopf [mailto:jschwarzkopf@xxxxxxxxxx] Sent: Tuesday, August 07, 2001 1:09 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: blocking Code Red http://www.ISAserver.org If you've seen either iteration of the code red worm in their IIS or ISA logs, check to see if you have "root.exe" in your inetpub\scripts directory, or "explorer.exe" in your root dir. If you have either file, MS recommends rebuilding the server. Unfortunately, I know this first hand. ----- Original Message ----- From: "Jim Harrison" <jim@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Monday, August 06, 2001 5:53 PM Subject: [isalist] Re: blocking Code Red > http://www.ISAserver.org > > > It doesn't; not as such. It simply doesn't recognize it as a valid request > as defined in your publishing rules and refuses it on that basis. > > Jim Harrison > MCP(2K), A+, Network+, PCG > > ----- Original Message ----- > From: "Talley, Scott" <stalley@xxxxxxxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Monday, August 06, 2001 2:28 PM > Subject: [isalist] blocking Code Red > > > http://www.ISAserver.org > > > Upon examining my ISA logs, I see that it has denied access approx. 20 times > per day to both versions of Code Red queries. My question is.. how does it > identify this request as malicious? > > Thank you, > Scott Talley > The Combined Group > > phone: 972.247.2621 x829 > fax: 972.247.2622 > e-mail: stalley@xxxxxxxxxxxxxxxxx > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: jschwarzkopf@xxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bryan.andrews@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')