FW: SANS NewsBites Vol. 3 Num. 32

  • From: "Hugo Caye" <Hugo@xxxxxxxxxxxxx>
  • To: "Lista ISA Server \(E-mail\)" <ISAList@xxxxxxxxxxxxx>
  • Date: Thu, 9 Aug 2001 09:23:36 -0300

-----Original Message-----
From: The SANS Institute [mailto:sans@xxxxxxxx]
Sent: quarta-feira, 8 de agosto de 2001 19:48
To: Hugo Caye
Subject: SANS NewsBites Vol. 3 Num. 32


To:   Hugo Caye (SD569595)
From: Alan for the SANS NewsBites service
Re:   August 8 SANS NewsBites

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


A very busy week.


.. [snip]


Code Red II: Cleaning Up After the Compromise
----------------------------------------------
Many people have been asking: "How do I get rid of the Code Red II
worm once it has infected a system?"

Code Red II installs a backdoor that is open to any attacker.
This means that it is impossible to tell what changes may have been
made while the Code Red II backdoor was open. We are facing a public
health problem.  Many people who had unpatched IIS servers had no
knowledge that IIS was running on their systems. An administrator
can remove the Code Red II worm itself, but any additional backdoors
or malicious changes made by follow-on attackers will still remain,
undetected, after the worm is removed.

The only real solution is to reformat the hard drive and reinstall
all the software. For some individuals this is not an option; the
best shortcut is probably to update your antivirus signatures to
detect any Trojans that might be installed on your system and then
remove the worm as shown below:

It is possible to remove the worm from the system as described here:
http://archives.neohapsis.com/archives/incidents/2001-08/0107.html

Further, the Privacy Software Corporation is providing a free
tool that will help you remove the worm from an infected server:
http://www.nsclean.com/cr2kill.html


.. [snip]

