Re: not quite code red?

  • From: "Mircea Dospinescu" <mdospi@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 17:14:18 +0300

Hi Shayne,

I had the same problem!
I have also discovered 2 files in c:\root: index.htm and index.asp, with a
message for the Chinese government.

Eventually I found out that it was not Code Red but another virus (a backdoor),
named Sadmind Dr.

http://www.symantec.com/avcenter/venc/data/sadmind-iis.html

This one is older than Code Red; it was discovered on May 8, 2001.

The protection against Sadmind needs another IIS security patch from Microsoft:

http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

best regards,
Mircea

  ----- Original Message ----- 
  From: Shayne Lebrun 
  To: [ISAserver.org Discussion List] 
  Sent: Wednesday, August 08, 2001 4:13 PM
  Subject: [isalist] not quite code red?

  Here's a thing.

  Doing a routine check to make sure code red didn't make it past our
  firewall, and patches, and stuff, I found a copy of root.exe in
  inetpub/scripts of one of my servers.  But no other signs of CR.  No
  explorer.exe, no registry settings, no virtual roots, no threads, no
  weird processes.  Just root.exe.  And according to the oldest backup we
  have, which is July 17th, it was there.  First I saw of code red 1 was
  the 19th of July.

  Now, this box be old, and wasn't under IT control for a while.  Does
  anybody know of any other IIS exploits that tend to drop a root.exe into
  inetpub/scripts?  I'm pretty sure there are some....

  Shayne Lebrun 
  Senior Systems Administrator 
  Veredex Logistics 
  slebrun@xxxxxxxxxxx 
  Office: (905) 282-1515 x 242 
  Pager: page_shayne@xxxxxxxxxxx 
  From a Sun Microsystems bug report (#4102680): 
  "Workaround: don't pound on the mouse like a wild monkey." 
  Want to hold up a bank in Latin? 
  "Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum 
  immane mittam." 
  (I have a catapult. Give me all the money, or I will fling an enormous
  rock 
  at your head.) 
  "Lawyers are like chemical weapons.  Everybody gets screwed if they're
  let 
  out." 
   
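The "routine check" Shayne describes (look for root.exe under inetpub/scripts, look for the dropped index.htm / index.asp in the root, then compare against the date of the oldest backup) is easy to turn into a repeatable script. The following is an added example, not code from either poster or from any vendor; it assumes the artifact names and locations exactly as given in the thread and runs against a constructed fake drive root, so it can be exercised offline.

```python
"""Offline check for the IIS artifacts named in this thread (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Artifacts as described in the thread: root.exe under inetpub/scripts,
# and index.htm / index.asp dropped in the drive root.
SCRIPT_DIR_ARTIFACTS = ("root.exe",)
ROOT_ARTIFACTS = ("index.htm", "index.asp")


def sha256_of(path):
    """Hash the file so findings can be compared across hosts."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_host(drive_root, scripts_subdir=os.path.join("inetpub", "scripts")):
    """Return findings for any of the named artifacts present under drive_root.

    Each finding carries size, mtime (UTC) and sha256 so the timeline question
    raised in the thread ("was it there before the July 17th backup?") can be
    answered from the same output.
    """
    scripts_dir = os.path.join(drive_root, scripts_subdir)
    candidates = [os.path.join(scripts_dir, name) for name in SCRIPT_DIR_ARTIFACTS]
    candidates += [os.path.join(drive_root, name) for name in ROOT_ARTIFACTS]

    findings = []
    for path in candidates:
        if not os.path.isfile(path):
            continue
        stat = os.stat(path)
        findings.append({
            # normalised to forward slashes so results compare across platforms
            "path": os.path.relpath(path, drive_root).replace(os.sep, "/"),
            "size": stat.st_size,
            "mtime": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(path),
        })
    return findings


def build_sample_host(base):
    """Constructed sample: a fake drive root with the artifacts the thread describes.

    The file contents are placeholders, not real malware.
    """
    scripts = os.path.join(base, "inetpub", "scripts")
    os.makedirs(scripts)
    os.makedirs(os.path.join(base, "inetpub", "wwwroot"))
    with open(os.path.join(scripts, "root.exe"), "wb") as handle:
        handle.write(b"MZ placeholder (constructed)")
    with open(os.path.join(base, "index.htm"), "w", encoding="ascii") as handle:
        handle.write("<html>constructed defacement placeholder</html>")


def run_demo():
    """Scan one constructed 'hit' host and one clean host; return the paths found."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_sample_host(infected)
        os.makedirs(os.path.join(clean, "inetpub", "wwwroot"))

        hits = scan_host(infected)
        for finding in hits:
            print(f"{finding['path']}  {finding['size']} bytes  "
                  f"modified {finding['mtime']}  sha256={finding['sha256'][:16]}...")

        return {
            "infected": sorted(finding["path"] for finding in hits),
            "clean": [finding["path"] for finding in scan_host(clean)],
        }


if __name__ == "__main__":
    run_demo()
```

On a real host you would point `scan_host` at the drive root (for example `C:\`) and compare the reported mtime of each hit against the date of the oldest backup that still contains it, which is the comparison Shayne made by hand; a file that predates the first known Code Red traffic is the signal that something else dropped it.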

