Re: not quite code red?

  • From: "Shayne Lebrun" <slebrun@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 10:19:42 -0400

Hmmm.    I do think we had that a while ago.  Didn't realize it left the
root.exe.
 
Thanks, this is just what I was looking for!

-----Original Message-----
From: Mircea Dospinescu [mailto:mdospi@xxxxxxxx]
Sent: Wednesday, August 08, 2001 10:14 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: not quite code red?


http://www.ISAserver.org


Hi Shayne,
 
I had the same problem!
I have also discovered in c:\root 2 files: index.htm and index.asp with
a message for the Chinese government.
 
Eventually I found out that it was not Code Red but another virus (a
backdoor), named Sadmind Dr.
 
http://www.symantec.com/avcenter/venc/data/sadmind-iis.html
 
This one is older than Code Red, it was discovered on May 8, 2001.
 
The protection against Sadmind needs another IIS security patch from
Microsoft:
 
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
 
best regards,
Mircea
 

----- Original Message ----- 
From: Shayne Lebrun <mailto:slebrun@xxxxxxxxxxx>
To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 4:13 PM
Subject: [isalist] not quite code red?



Here's a thing.

Doing a routine check to make sure code red didn't make it past our
firewall, and patches, and stuff, I found a copy of root.exe in
inetpub/scripts of one of my servers.  But no other signs of CR.  No
explorer.exe, no registry settings, no virtual roots, no threads, no
weird processes.  Just root.exe.  And according to the oldest backup we
have, which is July 17th, it was there.  First I saw of code red 1 was
the 19th of July.

Now, this box be old, and wasn't under IT control for a while.  Does
anybody know of any other IIS exploits that tend to drop a root.exe into
inetpub/scripts?  I'm pretty sure there are some....

Shayne Lebrun 
Senior Systems Administrator 
Veredex Logistics 
slebrun@xxxxxxxxxxx 
Office: (905) 282-1515 x 242 
Pager: page_shayne@xxxxxxxxxxx 
From a Sun Microsystems bug report (#4102680): 
"Workaround: don't pound on the mouse like a wild monkey." 
Want to hold up a bank in Latin? 
"Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum 
immane mittam." 
(I have a catapult. Give me all the money, or I will fling an enormous rock 
at your head.) 
"Lawyers are like chemical weapons.  Everybody gets screwed if they're let 
out." 
 


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mdospi@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
<mailto:$subst('Email.Unsub')> 


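As an added example, not code from this thread, from Symantec or from Microsoft: a script for the check Shayne describes, together with the log evidence that goes with it. Both Code Red II and the sadmind/IIS worm leave root.exe in the IIS scripts directory as a plain copy of cmd.exe, and sadmind/IIS gets it there through the folder-traversal hole that the Q269862 (MS00-078) patch Mircea points to closes. Part 1 sweeps a web root for any root.exe and compares its hash with the real cmd.exe; part 2 reads IIS W3C extended log lines and flags the encoded ".." requests that copy cmd.exe into place and the later requests that run root.exe. Every path, log line and hostname below is constructed for illustration; the list of known encodings is a starting point, not a complete one.

```python
"""Added example: sweep for a planted root.exe and scan IIS logs for the
requests that plant and use it. Paths and log lines are constructed."""
import hashlib
import os
import re
import tempfile

# Overlong-UTF-8 and double-encoded separators used to slip ".." past the
# IIS path check (MS00-078 folder traversal and the later double-decode
# variant). Anything else after ".." is still flagged, labelled "unlisted".
KNOWN_ENCODINGS = {"%c0%af", "%c1%9c", "%c1%1c", "%c0%2f", "%255c", "%252f",
                   "%%35c", "%%32f", "%25%35%63", "%25%32%66"}
TRAVERSAL = re.compile(r"\.\.(%[0-9a-f%]+)")
CMD_EXE = re.compile(r"cmd\.exe", re.I)
ROOT_EXE_STEM = re.compile(r"/(scripts|msadc)/root\.exe$", re.I)
PLANT = re.compile(r"copy.*cmd\.exe.*root\.exe", re.I)

# Constructed W3C extended log excerpt: one traversal that plants root.exe
# and then uses it, and one scan against a patched host that answers 404.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-16 02:11:07 10.0.0.5 GET /default.htm - 200
2001-07-16 02:11:12 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-07-16 02:11:13 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\root.exe 200
2001-07-16 02:11:15 192.0.2.44 GET /scripts/root.exe /c+dir+c:\ 200
2001-07-16 02:12:01 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-07-16 02:12:30 10.0.0.9 GET /scripts/report.asp id=7 200
"""

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_root_exe(webroot, cmd_exe_path):
    """Return [(path, is_copy_of_cmd)] for every root.exe under webroot."""
    cmd_hash = sha256_of(cmd_exe_path)
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower() == "root.exe":
                path = os.path.join(dirpath, name)
                hits.append((path, sha256_of(path) == cmd_hash))
    return hits

def traversal_encoding(stem):
    """Percent-encoded bytes that directly follow '..' in the stem, or None.
    A legitimate URL does not put an encoded byte straight after '..'."""
    m = TRAVERSAL.search(stem.lower())
    return m.group(1) if m else None

def classify(stem, query):
    """List the reasons a request is suspicious; an empty list means clean."""
    reasons = []
    enc = traversal_encoding(stem)
    if enc:
        reasons.append("encoded traversal " + enc +
                       ("" if enc in KNOWN_ENCODINGS else " (unlisted)"))
    if CMD_EXE.search(stem):
        reasons.append("cmd.exe invoked")
    if PLANT.search(query):
        reasons.append("root.exe planted")
    if ROOT_EXE_STEM.search(stem):
        reasons.append("root.exe invoked")
    return reasons

def scan_iis_log(lines):
    """One finding per suspicious request; column names come from #Fields."""
    fields, findings = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            if fields is None:
                raise ValueError("log has no #Fields header")
            cols = dict(zip(fields, line.split()))
            reasons = classify(cols.get("cs-uri-stem", ""), cols.get("cs-uri-query", ""))
            if reasons:
                findings.append({"time": cols["date"] + " " + cols["time"],
                                 "ip": cols["c-ip"], "stem": cols["cs-uri-stem"],
                                 "status": cols["sc-status"], "reasons": reasons})
    return findings

def demo_filesystem_check():
    """Build a throwaway tree with a fake cmd.exe and a copy of it named
    root.exe under inetpub/scripts, then run the sweep on it."""
    base = tempfile.mkdtemp()
    sys32 = os.path.join(base, "winnt", "system32")
    scripts = os.path.join(base, "inetpub", "scripts")
    os.makedirs(sys32)
    os.makedirs(scripts)
    cmd = os.path.join(sys32, "cmd.exe")
    for p in (cmd, os.path.join(scripts, "root.exe")):
        with open(p, "wb") as f:
            f.write(b"MZ fake cmd.exe body")  # constructed stand-in, not a real binary
    return [is_copy for _, is_copy in find_root_exe(os.path.join(base, "inetpub"), cmd)]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"], hit["status"], hit["stem"], "; ".join(hit["reasons"]))
    print("root.exe copies of cmd.exe:", demo_filesystem_check())
```

On a real box, point find_root_exe at the inetpub directory (and the msadc directory, which Code Red II also uses) and at the genuine winnt\system32\cmd.exe; a hash match is a stronger signal than the file name alone, since an administrator could legitimately have something called root.exe. In the log scan, the sc-status column matters: a traversal request that gets 200 shows the host was unpatched at the time, while 404 against the same stem is what a patched host returns to the same scanner.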

