RE: Code Red Sniffer

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 06:38:23 -0700

You're still infected; only a non-networked rebuild is safe.  Don't plug the
machine back in until you've applied the IIS patch.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Javier Gonzalez" <Javier@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 12:24 AM
Subject: [isalist] RE: Code Red Sniffer


http://www.ISAserver.org


Hi,
My machine is NT4 Sp6a and I applied the MS patch in June.
I've only found (last week) root.exe within c:\inetpub\scripts  (only in
this folder).
I've deleted this file and restarted the server.

Running your vbs script I see these results:
************************************************
  Code Red infection search for PDC on 8/8/01 8:56:02 AM
  **  Checking for the bad 'explorer.exe' and 'root.exe' files
  C:\explorer.exe - not found
  C:\inetpub\Scripts\Root.exe - not found
  C:\progra~1\Common~1\System\MSADC\Root.exe - not found
  E:\explorer.exe - not found
  E:\inetpub\Scripts\Root.exe - not found
  E:\progra~1\Common~1\System\MSADC\Root.exe - not found
  **  Checking for the bad Virtual Folders entries
  HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C - not found
  HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D - not found
  **  Checking for the bad System File Checker entry
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable - not found

  **  Checking for the rogue Explorer.exe
    Rogue Explorer process - found
  **  you've definitely been infected ! **

** You have one or more definite indications of Code Red V2 on your system.
** You need to flatten this box and start over.  DO NOT connect to a network
** until you have completely rebuilt the system AND installed the security
** patch from Microsoft.
********************************************************************

What can I do if this is true?

Javier Gonzalez
Madrid (Spain)

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, 08 August 2001 08:45
To: [ISAserver.org Discussion List]
CC: CommuniGate Pro Discussions
Subject: [isalist] Code Red Sniffer
Importance: High

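The sniffer output quoted above reports four kinds of Code Red II indicators: dropped binaries (explorer.exe at a drive root, root.exe under inetpub\Scripts and under MSADC), the rogue /C and /D virtual roots under W3SVC, the SFCDisable value in Winlogon, and an explorer.exe process running from the wrong place. The script below is an added example, not the VBS sniffer circulated in the original post, and restates those same checks in Windows PowerShell (which did not exist for NT4 in 2001; this is a modern re-implementation of the same indicator list). The drive enumeration, the long-form MSADC path used in place of the 8.3 `progra~1\Common~1` one, and the rogue-explorer rule (an explorer.exe whose image path lies outside %SystemRoot%) are my assumptions, not details from the post. It only reports; as the thread says, a positive result means rebuild, not cleanup.

```powershell
# Added example (not the VBS script from the original post): the Code Red II
# host checks reported by the sniffer output above, restated for PowerShell.
# Assumptions (mine, not from the post): which drives to scan, the long-form
# MSADC path, and the rule for a "rogue" explorer.exe (image path outside
# %SystemRoot%).

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped binaries: explorer.exe at the drive root and root.exe in the two
#    script-mapped folders named in the sniffer output.
$Drives = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root } |
    ForEach-Object { $_.Root.TrimEnd('\') }
foreach ($d in $Drives) {
    $paths = @(
        "$d\explorer.exe",
        "$d\inetpub\Scripts\Root.exe",
        "$d\Program Files\Common Files\System\MSADC\Root.exe"   # long form of progra~1\Common~1
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $Findings.Add("file present: $p") }
    }
}

# 2. Rogue virtual roots /C and /D under W3SVC (values are named "/C" and "/D").
$vroots = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
if (Test-Path -LiteralPath $vroots) {
    $props = Get-ItemProperty -LiteralPath $vroots
    foreach ($name in '/C', '/D') {
        if ($props.PSObject.Properties.Name -contains $name) {
            $Findings.Add("virtual root present: $vroots\$name = $($props.$name)")
        }
    }
}

# 3. System File Checker disabled through the SFCDisable value.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = (Get-ItemProperty -LiteralPath $winlogon -ErrorAction SilentlyContinue).SFCDisable
if ($null -ne $sfc -and $sfc -ne 0) { $Findings.Add("SFCDisable set to $sfc") }

# 4. Rogue explorer process: an explorer.exe whose image is not under %SystemRoot%
#    (assumed rule; the original sniffer's exact criterion is not shown in the post).
$sysroot = $env:SystemRoot.TrimEnd('\')
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $img = $_.Path
    if ($img -and -not $img.StartsWith("$sysroot\", [System.StringComparison]::OrdinalIgnoreCase)) {
        $Findings.Add("explorer.exe running from $img (pid $($_.Id))")
    }
}

# Report only; a positive result means the host should be rebuilt offline.
if ($Findings.Count -eq 0) {
    Write-Output 'No Code Red II indicators found.'
} else {
    Write-Output 'Code Red II indicators found:'
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so the process image paths and the W3SVC registry key are readable; a non-elevated run can silently skip the explorer check for processes it cannot inspect.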