Re: Code Red Sniffer

  • From: "admin" <admin@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 08:55:59 -0700

Hi Jim,

SP6a - I think!

ta

Richard
----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 8:38 AM
Subject: [isalist] Re: Code Red Sniffer


> http://www.ISAserver.org
>
>
> The script isn't looking for "multiple" explorer processes, although it is
> aware of them.  What it is looking for specifically is a single-thread
> explorer process.
> What NT4 SP are you running?
> There may be a bug in that part of the script or your WMI support may be
> lacking; I'll look into it deeper on my end.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
>
> ----- Original Message -----
> From: "admin" <admin@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, August 08, 2001 07:45
> Subject: [isalist] Re: Code Red Sniffer
>
>
> Ok,
>
> I really hope this isn't a stupid question, but here goes. I installed the
> patches (nt4 and win2k) around the 17th of last month and also removed the
> associations for .ida etc. The checker from Symantec said that everything
> was ok. Then I ran the sniffer and got the results below from my nt4/iis4
> systems. Does anyone know under what valid circumstances you can have
> multiple explorer tasks running?
>
> Many TIA
>
> Richard
>
> Code Red infection search for NT5NEW on 8/8/01 7:03:30 AM
>
>
>   **  Checking for the bad 'explorer.exe' and 'root.exe' files
> C:\explorer.exe - not found
>
> C:\inetpub\Scripts\Root.exe - not found
>
> C:\progra~1\Common~1\System\MSADC\Root.exe - not found
>
> D:\explorer.exe - not found
>
> D:\inetpub\Scripts\Root.exe - not found
>
> D:\progra~1\Common~1\System\MSADC\Root.exe - not found
>
> E:\explorer.exe - not found
>
> E:\inetpub\Scripts\Root.exe - not found
>
> E:\progra~1\Common~1\System\MSADC\Root.exe - not found
>
> F:\explorer.exe - not found
>
> F:\inetpub\Scripts\Root.exe - not found
>
> F:\progra~1\Common~1\System\MSADC\Root.exe - not found
>
> G:\explorer.exe - not found
>
> G:\inetpub\Scripts\Root.exe - not found
>
> G:\progra~1\Common~1\System\MSADC\Root.exe - not found
>
> H:\explorer.exe - not found
>
> H:\inetpub\Scripts\Root.exe - not found
>
> H:\progra~1\Common~1\System\MSADC\Root.exe - not found
>
> J:\explorer.exe - not found
>
> J:\inetpub\Scripts\Root.exe - not found
>
> J:\progra~1\Common~1\System\MSADC\Root.exe - not found
>
> K:\explorer.exe - not found
>
> K:\inetpub\Scripts\Root.exe - not found
>
> K:\progra~1\Common~1\System\MSADC\Root.exe - not found
>
>   **  Checking for the bad Virtual Folders entries
> HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C - not found
>
> HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D - not found
>
>   **  Checking for the bad System File Checker entry
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable - not found
>
>   **  Checking for the rogue Explorer.exe
> Rogue Explorer process - found
>  **  you've definitely been infected ! **
>
>
> ** You have one or more definite indications of Code Red V2 on your system.
> ** You need to flatten this box and start over.  DO NOT connect to a network
> ** until you have completely rebuilt the system AND installed the security
> ** patch from Microsoft.
>
> -----------------  EOM ---------------
>
>
> > Hello weary Code Red battlers,
> >
> > I've created a script that searches your system to sniff out the Code Red
> > worm.  Since I had to help a hapless friend whose web farm was destroying
> > itself, I had to make the search a little more streamlined.
> >
> > It does:
> >     1. find the (presently) known droppings Code Red leaves in its wake
> >     2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
> >     3. tell you if it definitely identifies Code Red
> > It DOES NOT:
> >     1. say that Code Red is NOT on your system
> >     2. attempt to clean Code Red from your system; this is a box-flattening worm
> >
> > Since Code Red is known to sleep for at least 24 hours before trashing your
> > box, you should run this script at least daily for the next several days to
> > see if anything new shows up.
> >
> > It ain't much, but it's something, anyway...  Good luck to all.
> >
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> >
>
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as: admin@xxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
>
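The inspection script Jim describes is not reproduced on this page. What follows is an added example (not Jim Harrison's code) that expresses the three classes of evidence the quoted log reports, dropped files per drive, added IIS virtual roots plus SFCDisable, and a rogue explorer.exe process, as data-driven Python that runs against injected facts, so the decision logic can be exercised with constructed sample input on any machine. Two things are my assumptions rather than the page's: the legitimate shell is taken to live at %SystemRoot%\explorer.exe (assumed C:\WINNT), and a single-thread explorer.exe in the right place is graded "suspicious" rather than "definite", because that thread-count heuristic is exactly what the thread disputes on NT4 SP6a.

```python
"""Code Red v2 indicator checks modelled on the inspection log quoted above.

Added example, not the original sniffer script. Facts about the host
(file presence, registry keys, process list) are passed in as callables
and data, so the same logic runs offline against constructed samples.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

# Per-drive droppings the log checks (path patterns taken from the log text).
FILE_DROPPINGS = (
    r"{d}:\explorer.exe",
    r"{d}:\inetpub\Scripts\Root.exe",
    r"{d}:\progra~1\Common~1\System\MSADC\Root.exe",
)

# Registry entries the log checks (taken from the log text).
REG_INDICATORS = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C",
    r"HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable",
)


@dataclass
class Proc:
    """Minimal process record; on Windows these map to Win32_Process
    Name, ExecutablePath and ThreadCount."""
    name: str
    path: str
    threads: int


@dataclass
class Report:
    found: List[str] = field(default_factory=list)       # definite indicators
    suspicious: List[str] = field(default_factory=list)  # needs a human look

    @property
    def infected(self) -> bool:
        return bool(self.found)


def rogue_explorer(procs: Iterable[Proc], system_root: str = r"C:\WINNT"):
    """Classify explorer.exe instances.

    An explorer.exe whose image is not the shell under %SystemRoot% (the
    dropped copy sits at a drive root) is a definite hit. A single-thread
    explorer.exe in the right place is the heuristic the thread argues
    about: the real shell is multithreaded, but it is graded 'suspicious'
    here (assumption) so thread count alone does not condemn a box.
    """
    definite, suspicious = [], []
    shell = (system_root.rstrip("\\") + r"\explorer.exe").lower()
    for p in procs:
        if p.name.lower() != "explorer.exe":
            continue
        if p.path.lower() != shell:
            definite.append(f"explorer.exe running from {p.path}")
        elif p.threads <= 1:
            suspicious.append(f"single-thread explorer.exe at {p.path}")
    return definite, suspicious


def inspect_host(drives: Iterable[str],
                 file_exists: Callable[[str], bool],
                 reg_exists: Callable[[str], bool],
                 procs: Iterable[Proc],
                 system_root: str = r"C:\WINNT") -> Report:
    """Run every check and collect hits. As with the original, an empty
    'found' list means 'nothing known was seen', not 'Code Red is absent'."""
    rep = Report()
    for d in drives:
        for tmpl in FILE_DROPPINGS:
            path = tmpl.format(d=d)
            if file_exists(path):
                rep.found.append(path)
    for key in REG_INDICATORS:
        if reg_exists(key):
            rep.found.append(key)
    definite, suspicious = rogue_explorer(procs, system_root)
    rep.found.extend(definite)
    rep.suspicious.extend(suspicious)
    return rep


# --- constructed sample data (not taken from any real host) ---------------
SAMPLE_FILES = {r"D:\explorer.exe"}   # one dropped file present
SAMPLE_REG = {REG_INDICATORS[1]}      # the /D virtual root present
SAMPLE_PROCS = [
    Proc("explorer.exe", r"C:\WINNT\explorer.exe", 14),  # the real shell
    Proc("explorer.exe", r"D:\explorer.exe", 1),         # dropped copy
    Proc("inetinfo.exe", r"C:\WINNT\system32\inetsrv\inetinfo.exe", 9),
]


def sample_report() -> Report:
    """Checks against the constructed 'infected' host above."""
    return inspect_host("CD", SAMPLE_FILES.__contains__,
                        SAMPLE_REG.__contains__, SAMPLE_PROCS)


def clean_report() -> Report:
    """Checks against a host with nothing but a lone single-thread shell,
    the case the thread's NT4 box appears to have hit."""
    procs = [Proc("explorer.exe", r"C:\WINNT\explorer.exe", 1)]
    return inspect_host("C", lambda p: False, lambda k: False, procs)


if __name__ == "__main__":
    for label, rep in (("sample", sample_report()), ("clean", clean_report())):
        print(f"== {label} ==")
        for hit in rep.found:
            print("FOUND:", hit)
        for s in rep.suspicious:
            print("SUSPICIOUS:", s)
        print("verdict:", "infected" if rep.infected else "no known indicator found")
```

On a live Windows host you would pass `os.path.exists` as `file_exists`, a `winreg`-based lookup as `reg_exists`, and `Proc` records built from `Win32_Process` (Name, ExecutablePath, ThreadCount) as `procs`; the "suspicious" bucket is where the thread's disputed single-thread hit lands, so it can be reviewed rather than acted on as a definite infection.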