Re: blocking Code Red

  • From: "Andrews, Bryan (COX-Atlanta)" <Bryan.Andrews@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 7 Aug 2001 08:27:36 -0400

I found that I have root.exe in my scripts directory but where would
explorer.exe be? Wwwroot? 

In the scripts directory there is a poisonbox message (which I was
infected with). Does poisonbox add the root.exe too or might I have
both??


 -----Original Message-----
From:   Jay Schwarzkopf [mailto:jschwarzkopf@xxxxxxxxxx] 
Sent:   Tuesday, August 07, 2001 1:09 AM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] Re: blocking Code Red

http://www.ISAserver.org


If you've seen either iteration of the Code Red worm in your IIS or ISA
logs, check to see if you have "root.exe" in your inetpub\scripts
directory, or "explorer.exe" in your root dir.  If you have either file,
MS recommends rebuilding the server.  Unfortunately, I know this first
hand.



----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, August 06, 2001 5:53 PM
Subject: [isalist] Re: blocking Code Red


> It doesn't; not as such.  It simply doesn't recognize it as a valid
> request as defined in your publishing rules and refuses it on that basis.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Talley, Scott" <stalley@xxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Monday, August 06, 2001 2:28 PM
> Subject: [isalist] blocking Code Red
>
>
> Upon examining my ISA logs, I see that it has denied access approx. 20
> times per day to both versions of Code Red queries.  My question is..  how
> does it identify this request as malicious?
>
> Thank you,
> Scott Talley
> The Combined Group
>
> phone:  972.247.2621 x829
> fax:    972.247.2622
> e-mail: stalley@xxxxxxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
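The log check and file check discussed in this thread can be tied together by scanning IIS logs for the worm's requests and for any request to root.exe. This is an added example, not code from the list or from Microsoft; the sample log is constructed, and the N/X filler patterns are the publicly documented request signatures of the two Code Red versions rather than something stated in the thread. The 32-character filler threshold is an assumption.

```python
import re

# Constructed sample in IIS W3C extended format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 14:02:11 192.0.2.10 GET /default.ida {n}%u9090%u6858 200
2001-08-06 14:05:40 198.51.100.7 GET /default.ida {x}%u9090%u6858 200
2001-08-06 14:09:02 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-08-06 14:10:15 203.0.113.5 GET /index.htm - 200
2001-08-06 14:11:30 203.0.113.5 GET /default.ida - 404
""".format(n="N" * 224, x="X" * 224)

# A long run of N (first worm) or X (second worm) opens the query string.
FILLER = re.compile(r"^(N{32,}|X{32,})")

def classify(stem, query):
    """Label one request, or return None if it is not worm-related."""
    stem = stem.lower()
    if stem.endswith("/default.ida"):
        m = FILLER.match(query)
        if m:
            return "code-red-N" if m.group(1)[0] == "N" else "code-red-X"
    if stem.rsplit("/", 1)[-1] == "root.exe":
        return "root.exe-request"
    return None

def scan(log_text):
    """Return (client_ip, label, status) for every matching log line."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is set per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        label = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", ""))
        if label:
            hits.append((row.get("c-ip"), label, row.get("sc-status")))
    return hits

def needs_file_check(hits):
    """True if any root.exe request succeeded, i.e. the file may exist on disk."""
    return any(l == "root.exe-request" and s.startswith("2") for _, l, s in hits)

if __name__ == "__main__":
    for ip, label, status in scan(SAMPLE_LOG):
        print(f"{ip:15} {label:18} status={status}")
    print("check scripts dir for root.exe:", needs_file_check(scan(SAMPLE_LOG)))
```

A worm request in the log only shows the server was probed; a successful request to root.exe is the case that lines up with the file check described in the thread.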



