Can't seem to shake the CodeRed worm

Status
Not open for further replies.

MatsHulten

Programmer
Dec 29, 2000
Hi

Got a CodeRed infected NT4 server.
I have applied the patch available from MS and restarted the system.

Problem is that IIS only displays a page containing nothing but <HTML></HTML>

I've checked IIS for what pages it should display and everything looks just fine there, and the files look unaffected too.

Please help!
-Mats
 
In all honesty - if you have an infected/compromised server, no matter what it is infected/compromised with - your first course of action should be to remove it from the network and rebuild it from a known, good backup. Who knows what else might have gotten in through the same hole...

Having said that.... The Code Red worm also defaced your web site, which had a message "Welcome to Hacked by Chinese". That page only remains active for 10 hours and then disappears. I am not sure what it gets replaced with, but either that or the fix from MS probably replaced your default web page with what you have.

Do you have a copy of the original web page -- I'm a little confused about you having checked IIS for what pages it should be displaying... Are you saying IIS is still pointing to index.html or default.htm -- or have you actually checked the page that it points to in a text editor to see what the page is actually supposed to display?

Let us know some more details about exactly what you checked and the results.

Look at
for full details about the worm.
Hope this helps,
Paul
 
Thanks for the link, but I managed to solve the problem by myself.

As far as I could determine, Code Red doesn't write any file at all, but instead holds the code in RAM.

IIS pointed to default.asp the whole time, just as it should.

Thanks for the assistance and the advice.

-Mats
 
MATSHulten, how did you solve the problem? I have the same situation with code red virus.
-brewkim
 
One fix is to boot your system.

Plus there are two (possibly 3) Code Reds out there. Symantec has the 3 fixes for them.
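
The variants mentioned in the last reply can be told apart in IIS logs by the padding character in their `.ida` requests: N for the original Code Red, X for Code Red II. The following is an added example, not part of the thread; it assumes W3C extended logs with a `#Fields:` header, the log lines are constructed, and `scan` and `summarize` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread). Padding is shortened and the
# encoded data that follows it in real worm requests is left out.
PAD_N, PAD_X = "N" * 60, "X" * 60
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-05 03:12:44 192.0.2.10 GET /default.asp - 200",
    f"2001-08-05 03:13:02 198.51.100.7 GET /default.ida {PAD_N} 200",
    f"2001-08-05 03:15:40 203.0.113.9 GET /default.ida {PAD_X} 200",
    f"2001-08-05 03:16:11 198.51.100.7 GET /default.ida {PAD_N} 200",
    "2001-08-05 03:17:00 192.0.2.44 GET /search.ida q=red 404",
])

# A query string that starts with a long run of one padding character.
PADDING = re.compile(r"^([NX])\1{19,}")
FAMILY = {"N": "Code Red (N padding)", "X": "Code Red II (X padding)"}

def scan(log_text):
    """Return (client_ip, family) for each request that looks like a worm probe."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        match = PADDING.match(row.get("cs-uri-query", ""))
        if stem.endswith(".ida") and match:
            hits.append((row.get("c-ip", "?"), FAMILY[match.group(1)]))
    return hits

def summarize(hits):
    """Count probes per (source address, family)."""
    return Counter(hits)

if __name__ == "__main__":
    for (ip, family), count in summarize(scan(SAMPLE_LOG)).items():
        print(f"{ip:15} {family:24} {count}")
```

A hit records an inbound probe from the logged client address; it does not by itself show that the server receiving it was compromised.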
 