Re: Code Red Sniffer

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 13:07:46 -0700

The smartest move yet!

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "cismic" <cismic@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 12:07 PM
Subject: [isalist] Re: Code Red Sniffer




Jim,

Thanks for the sniffer!  I actually don't use the index server on my webs, so I remove irq.dll from all webs, or at least the ones in production.
I also remove some other types from IIS such as .shtml, .hta, .idc, .printer, and whatever else is not really needed.

Joseph

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]

Symantec has instructions on their site for "eradication" of the Code Red worm, but I've found those to be a bit unreliable.
It's not totally their fault; Code Red is actually a hidden process running on your machine that sleeps most of the time, so "making it gone" is very difficult.
You can use task mangler to stop the single-thread "explorer" process, but it'll just come back again later.  You have to rebuild the box while it's unplugged from any network until you get the MS security patch installed, or you stand a good chance of getting reinfected.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Network Administrator" <shivi@xxxxxxxxxxx>

Hi Jim,
    Just ran your Code Red sniffer, and found the rogue explorer.exe in some machines.
What is the workaround for that?

thanks a lot
shivi

Shivanthan Balendra Network Administrator Arabian Network Information
Services W.L.L., P.O.Box 10141, Manama, Bahrain. Tel Off: ?298444 Fax
Off: ?
311551 Email: shivi@xxxxxxxxxxx Web : www.arabian.net
----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>


> Hello weary Code Red battlers,
>
> I've created a script that searches your system to sniff out the Code Red worm.  Since I had to help a hapless friend whose web farm was destroying itself, I had to make the search a little more streamlined.
>
> It does:
>     1. find the (presently) known droppings Code Red leaves in its wake
>     2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
>     3. tell you if it definitely identifies Code Red
> It DOES NOT:
>     1. say that Code Red is NOT on your system
>     2. attempt to clean Code Red from your system; this is a box-flattening worm
>
> Since Code Red is known to sleep for at least 24 hours before trashing your box, you should run this script at least daily for the next several days to see if anything new shows up.
>
> It ain't much, but it's something, anyway...  Good luck to all.
>
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
>



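The thread describes what Jim's script does (look for known Code Red droppings, write a log to C:\CodeRed_insp_<MachName>.log, report only positive identifications) and names the symptom Shivi found: a rogue, single-threaded explorer.exe. The following is an added example, not Jim's script and not from the thread, of how an administrator could implement that kind of defender-side check in PowerShell. It assumes a Windows host with PowerShell 5.1 or later and CIM available, that the only legitimate explorer.exe lives under $env:SystemRoot, and that the low thread count Jim mentions is a heuristic rather than proof; the log path pattern is the one given in the thread.

```powershell
# Added example: defender-side check for a rogue explorer.exe, logging in the
# style of "C:\CodeRed_insp_<MachName>.log" described in the thread.
# Assumptions (not from the thread): PowerShell 5.1+, CIM available, and the
# only legitimate explorer.exe is %SystemRoot%\explorer.exe.

$logPath          = "C:\CodeRed_insp_$($env:COMPUTERNAME).log"
$expectedExplorer = Join-Path $env:SystemRoot 'explorer.exe'

function Test-ExplorerProcess {
    # Returns a list of reasons a given Win32_Process instance looks suspicious;
    # an empty list means nothing was flagged (which is NOT proof of a clean box).
    param([Parameter(Mandatory)] $Process)
    $findings = @()
    $path = $Process.ExecutablePath
    if (-not $path) {
        # SYSTEM-owned processes hide their path from non-elevated callers
        $findings += 'executable path not readable (run elevated, or the process exited)'
    } elseif ($path -ne $expectedExplorer) {   # string compare is case-insensitive
        $findings += "unexpected image path: $path"
    }
    # Heuristic from the thread: the worm's "explorer" ran single-threaded,
    # whereas the real shell runs many threads.
    if ($Process.ThreadCount -le 1) {
        $findings += "single-threaded (ThreadCount=$($Process.ThreadCount))"
    }
    return ,$findings
}

$lines      = @("== Code Red inspection on $env:COMPUTERNAME at $(Get-Date -Format o) ==")
$suspicious = 0
$procs = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'"
foreach ($p in $procs) {
    $findings = Test-ExplorerProcess -Process $p
    if ($findings.Count -gt 0) {
        $suspicious++
        $lines += "SUSPECT PID $($p.ProcessId): " + ($findings -join '; ')
    } else {
        $lines += "ok PID $($p.ProcessId): $($p.ExecutablePath)"
    }
}

# Same caveat as the thread's script: only report positives, never declare the box clean.
if ($suspicious -gt 0) {
    $lines += "RESULT: $suspicious suspect explorer.exe process(es) found"
} else {
    $lines += "RESULT: nothing flagged (this does NOT mean Code Red is absent)"
}
$lines | Out-File -FilePath $logPath -Encoding ascii -Append
$lines | Write-Output
```

Run it from an elevated prompt so ExecutablePath is readable for every process, and, as the thread advises, run it daily for several days since the worm sleeps between activity. A flagged process is a reason to take the box off the network and rebuild it with the vendor patch applied, not something to clean in place.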