Internet.com ISP-Planet
Best of the ISP-Lists

In the Aftermath of Code Red

One member of the ISP-NT list complains about what may be a common problem: a customer who's installed the IIS patch is still infected with Code Red. Do you see what's wrong with this picture?

[August 22, 2001]

On the ISP-NT list in August, AK complained,

"One of my colo customers has a Windows 2000 box that keeps getting reinfected by Code Red. He says he installed the hotfix and has checked the box for vulnerability, but he still gets reports from outside sources that his box was recently (after date of hotfix and reboot) infected. How is this possible?"

There was some confusion as to the actual nature of Code Red infection:

[AC offered] "Just because it appears in his web logs does not mean he is infected. The logs will still show each Code Red attempt, as it would for any other web access. Unless he is seeing his services stop, it should be okay."

[JO added] "If you know the box is clean, what he is probably getting are residual attack reports. Some people are just now bothering to check their logs after watching CNN, then mailing the IP owner of their IDA requests."

[JB asked] "What happens once you are infected? We're working fine, but a client called me yesterday asking us to 'prove' to him that we are not infected; his consultant apparently told him to do that."

Others suggested that it's pretty easy to tell:

[JC offered] "The symptoms are that your IIS server crashes every two minutes. You don't really get infected per se; you get used. Once you apply the patch, they can't use you anymore."

[PB agreed] "Once you are infected, outside sources can take full control of your machine. Verify the presence of idq.dll in your machine; if it's not present, you are not at risk. If it is present and you haven't patched yet, apply the hotfix, reboot, and run a check for Code Red 3 virus on the machine: see Microsoft Security Bulletin MS01-033 or Symantec's Antivirus Center.

If you are not sure whether you're at risk or not, run eEye Code Red Scanner against your server."

Still others explained that there's a difference between prevention and cleaning:

[JM observed] "The hotfix only fixes the vulnerability of IIS, not the infection itself. In all likelihood, the machine was infected just once, before he applied the patch the first time—but it's still infected, and it's attacking other machines."

[RW added] "Maybe the box is being cleaned and then set up in the same fashion as before. There may be a backdoor to reinfect him."

[RD agreed] "Code Red II actually installs a backdoor on the system after it is compromised, so rebooting it does not clean the system. I had one system that got hit by Code Red II, and there was a root.exe file on the server. I deleted the file, removed index server, and locked down the default website and all system directories, and I haven't had a problem with it since."
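A defensive log check for the "residual attack reports" JO describes, added here as an example (it is not code from the list thread or from ISP-Planet): it parses IIS W3C extended log lines, flags requests to default.ida whose query begins with the worm's long run of "N" (Code Red I) or "X" (Code Red II) filler, and counts them per source address. The sample log lines, the field layout and the 20-character filler threshold are assumptions made for the example.

```python
"""Count inbound Code Red probes in IIS W3C logs (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Constructed sample log in IIS W3C extended format; the query strings are
# shortened versions of the long filler the worm sends to default.ida.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-20 10:01:02 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200
2001-08-20 10:03:15 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200
2001-08-20 10:05:40 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
2001-08-20 10:06:01 203.0.113.5 GET /index.html - 200
"""

# Code Red I pads the .ida query with a run of 'N'; Code Red II uses 'X'.
# The 20-character minimum is an assumed threshold, not a published signature.
IDA_FILLER = re.compile(r"^(N{20,}|X{20,})")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify_probe(entry):
    """Return 'CodeRed-I', 'CodeRed-II' or None for a parsed request."""
    if entry.get("cs-uri-stem", "").lower() != "/default.ida":
        return None
    m = IDA_FILLER.match(entry.get("cs-uri-query", ""))
    if not m:
        return None
    return "CodeRed-II" if m.group(1).startswith("X") else "CodeRed-I"

def summarize_probes(text):
    """Map each probing client IP to a Counter of (variant, status code)."""
    report = defaultdict(Counter)
    for entry in parse_w3c(text):
        variant = classify_probe(entry)
        if variant:
            report[entry["c-ip"]][(variant, entry["sc-status"])] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, hits in summarize_probes(SAMPLE_LOG).items():
        # These are inbound attempts against this server, not proof it is infected.
        print(ip, dict(hits))
```

An entry in this report means a remote host probed this server, which is the point AC and JO make; it says nothing about whether this server is itself infected, and whether the hotfix is applied must still be checked on the host.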

—End

Related articles:
  [Aug. 17, 2001] A Really Big Patch for Microsoft IIS
  [Aug. 10, 2001] Of Worms Old and New
