Unfortunately, it's still a guessing game. CR3 is now in the wild, too. I haven't seen the results yet, but they should be very interesting. If you've never seen any activity, you might be ok. Keep running the script over the next few days anyway just to feel better.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Telecomms" <bvSysAdminsS@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 11:44 AM
Subject: [isalist] RE: Code Red Sniffer

http://www.ISAserver.org

Jim

But shouldn't I at least find explorer.exe, or root.exe, or some sort of evidence? If I have an entry in the IIS logs I would have thought there should be some physical evidence already on the Server? I patched the server a week ago, and there were no signs of anything then; like I say, only today did something appear, and then I got another patch from MS. Does this mean that if anything has happened it is the V3?

Saira

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 August 2001 17:18
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Code Red Sniffer

http://www.ISAserver.org

Keep sniffing at least daily. Code Red hides for at least 24 hours after infection BEFORE it starts its games.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: Telecomms <bvSysAdminsS@xxxxxxxxxxxxxxxxxxx>
To: [ISAserver.org Discussion List] <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 08:52
Subject: [isalist] RE: Code Red Sniffer

http://www.ISAserver.org

Jim

Thanks for the sniffer. I ran it on my system and it came up with nothing found. I had patched my servers last week, but had not yet patched for V3.

This morning I found this in the logs:

2001-08-08 11:35:12 217.32.129.249 - 217.32.157.92 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
2001-08-08 11:35:39 217.32.129.91 - 217.32.157.92 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -

which would lead me to believe that the Server MUST be infected. I cannot find any trace of the files that are supposed to be on my system, neither can the sniffer programme. What caused the entry? Do I really need to rebuild? I am fully patched now, but am not sure what to do next.

TIA
Saira

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 August 2001 07:45
To: [ISAserver.org Discussion List]
Cc: CommuniGate Pro Discussions
Subject: [isalist] Code Red Sniffer
Importance: High

http://www.ISAserver.org

This is a multi-part message in MIME format.
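The IIS log entries Saira quotes are the request side of the picture: a GET for /default.ida with a long filler run of one repeated letter followed by %u-encoded bytes, and a 200 status. Below is an added example, not part of the thread and not Jim's sniffer script, that pulls exactly such requests out of an IIS W3C extended log so an administrator can see when they arrived, from which sources, and what status the server returned. The field order (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)) is an assumption matching the excerpt; the sample log lines are constructed with RFC 5737 documentation addresses. It generalizes slightly beyond the excerpt by keying on any long run of a single repeated letter rather than on X alone, since the filler letter varied between variants.

```python
import re
from collections import Counter

# Constructed sample of an IIS W3C extended log (NOT real log data). The field
# order is assumed to match the excerpt quoted in the thread; the addresses are
# from the RFC 5737 documentation ranges and the filler run is shortened.
CODE_RED_QUERY = ("X" * 224
                  + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090"
                  + "%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00"
                  + "%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem "
    "cs-uri-query sc-status cs(User-Agent)",
    f"2001-08-08 11:35:12 192.0.2.10 - 198.51.100.5 80 GET /default.ida {CODE_RED_QUERY} 200 -",
    "2001-08-08 11:36:01 192.0.2.11 - 198.51.100.5 80 GET /default.htm - 200 Mozilla/4.0",
    # Same request shape with a different filler letter, to show the detector
    # keys on the run length rather than on the letter X itself.
    f"2001-08-08 11:37:44 192.0.2.12 - 198.51.100.5 80 GET /default.ida "
    f"{CODE_RED_QUERY.replace('X', 'N')} 404 -",
])

# At least 100 copies of one letter at the start of the query string ...
FILLER_RUN = re.compile(r"^([A-Za-z])\1{99,}")
# ... followed somewhere by a run of at least three %uXXXX escapes.
UNICODE_ESCAPES = re.compile(r"(?:%u[0-9a-fA-F]{4}){3,}")


def parse_w3c_line(line, fields):
    """Split one W3C extended log line into a dict keyed by the #Fields names.

    W3C extended format is space separated with '-' for empty values, so a
    plain split is enough as long as the field count matches the header.
    """
    parts = line.split(" ")
    if len(parts) != len(fields):
        return None
    return dict(zip(fields, parts))


def is_code_red_request(entry):
    """True when the entry has the /default.ida shape shown in the thread."""
    if entry["cs-method"].upper() != "GET":
        return False
    if not entry["cs-uri-stem"].lower().endswith("/default.ida"):
        return False
    query = entry["cs-uri-query"]
    return bool(FILLER_RUN.match(query) and UNICODE_ESCAPES.search(query))


def scan_log(text):
    """Return (hits, requests-per-source) for a W3C extended log given as text.

    Each hit records when the request arrived, its source address and the
    status IIS returned, which is what an administrator needs to line up
    against patch dates and host-side checks.
    """
    fields = None
    hits = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(" ")[1:]      # header names the columns
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue                         # other directives / no header yet
        entry = parse_w3c_line(raw, fields)
        if entry and is_code_red_request(entry):
            hits.append({"time": f"{entry['date']} {entry['time']}",
                         "source": entry["c-ip"],
                         "status": entry["sc-status"]})
    return hits, Counter(h["source"] for h in hits)


if __name__ == "__main__":
    hits, per_source = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']}  {h['source']:<15}  status {h['status']}  "
              "Code Red style /default.ida request")
    print("requests per source:", dict(per_source))
```

Run against a real log with `scan_log(open(path).read())`. A hit only shows that the request reached the server and what status it got; as Jim says in the thread, that alone does not settle whether the host was actually infected, which is why the host-side sniffing has to continue alongside the log review.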
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')