Re: Code Red Sniffer

  • From: Scott Sandeman <sandeman@xxxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 08 Aug 2001 08:06:02 -0400

Thanks Jim.....

Although I had already updated all our servers more than a week prior to the
"hit"... I ran your script. It seems that I was not as thorough as I had
initially thought. I had neglected to do one NT 4 machine. Thanks to you,
things are back to normal.

-- Scott 

> Hello weary Code Red battlers,
> 
> I've created a script that searches your system to sniff out the Code Red
> worm.  Since I had to help a hapless friend whose web farm was destroying
> itself, I had to make the search a little more streamlined.
> 
> It does:
>   1. find the (presently) known droppings Code Red leaves in its wake
>   2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
>   3. tell you if it definitely identifies Code Red
> It DOES NOT:
>   1. say that Code Red is NOT on your system
>   2. attempt to clean Code Red from your system; this is a box-flattening
> worm
> 
> Since Code Red is known to sleep for at least 24 hours before trashing your
> box, you should run this script at least daily for the next several days to
> see if anything new shows up.
> 
> It ain't much, but it's something, anyway...  Good luck to all.
> 
> 
> Jim Harrison
> MCP(2K), A+, Network+, PCG
> 
> 