
Code Red Symptoms 1


Faheem786 (Programmer, HK), Sep 5, 2001
Hi

I use Windows 2000 Advanced Server and in the Month July my server was attacked by Code-Red worm 2 (with the message 'hacked by Chinese'). I installed the Service Pack 2 and the patch files for removing the Code-Red from Microsoft site.

The problem now is that I'm still seeing the following script running in the log files. I would like to know whether the worm is completely removed and how to avoid seeing the code in the log files. Please let me know.

************************************************************
127.0.0.0 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -
************************************************************

Thanks in advance
Faheem
 
I've installed the IIS lockdown tool... but what about the URL filter utility? I've installed it too and I can't seem to find where you can actually use and configure options for it?
 
I've closed everything off I could find, used the lockdown tool and everything. Now that still shows up in my logs, but next to it, is a beautiful little 3 number code... 404

sweet...It's being denied from outside attacks...
 
Make sure you remove all the backdoors code red II leaves, or you'll get infected with Nimda, as well as leave your server open to attack from hackers.

See thread96-131514 <--"Didn't your code work? You must have made a mistake when you pasted it." - Mark Hazen-->

 
You'll always see things in your logs- infected machines are trying to connect to your server and exploit any weaknesses. The problem here is that if you were hit with Code Red II, back doors were installed. Nimda attempts to exploit these. More to the point: once infected with Code Red II the ONLY way to be ABSOLUTELY certain your machine is no longer compromised is to do a COMPLETE REFORMAT AND REINSTALL. If you have back-ups it is vital to restore only from archives made BEFORE your machine was initially attacked. One of the basic rules of network security is:

ONCE YOUR SERVER HAS BEEN COMPROMISED IT IS NO LONGER YOUR SERVER.

Sorry for the caps, but it's an important point to remember. You cannot be certain an infected machine has not been "visited" and had further, more insidious back doors or trojans installed. To assume anything less than total compromise is to invite further problems.
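A log-scanning check for the symptom this thread is about, added here as an example and not code posted by anyone in the thread: it parses an IIS W3C extended log (a constructed sample is embedded), picks out Code Red probes for /default.ida by their %u-encoded marker, and tallies them by status code and source, so a 404 reads as the probe being rejected while a 200 means the .ida ISAPI mapping still handled the request and that host should be examined. The field layout and sample addresses are assumptions.

```python
from collections import Counter

# Constructed sample IIS 5.0 W3C extended log excerpt (not from the original post).
# Queries are shortened; real Code Red requests pad with several hundred X or N bytes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-09-05 03:12:44 10.0.0.5 80 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -
2001-09-05 03:13:01 10.0.0.7 80 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
2001-09-05 03:13:09 10.0.0.5 80 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -
2001-09-05 03:14:20 10.0.0.9 80 GET /index.html - 200 -
"""

# The %u-encoded prefix shared by all Code Red variants (visible in the post's log line).
CODE_RED_MARKER = "%u9090%u6858%ucbd3%u7801"


def parse_w3c(log_text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def is_code_red_probe(rec):
    """Match a request for the .ida ISAPI filter carrying the Code Red marker."""
    return (rec.get("cs-uri-stem", "").lower() == "/default.ida"
            and CODE_RED_MARKER in rec.get("cs-uri-query", "").lower())


def variant_of(rec):
    """Code Red I / v2 padded with X; Code Red II padded with N."""
    return "Code Red II (N filler)" if rec["cs-uri-query"].startswith("N") else "Code Red I/v2 (X filler)"


def summarize_probes(log_text):
    """Count probes by status, variant and source; 'accepted' = served with 200."""
    probes = [r for r in parse_w3c(log_text) if is_code_red_probe(r)]
    return {
        "total": len(probes),
        "by_status": dict(Counter(r["sc-status"] for r in probes)),
        "variants": dict(Counter(variant_of(r) for r in probes)),
        "sources": sorted({r["c-ip"] for r in probes}),
        "accepted": sum(1 for r in probes if r["sc-status"] == "200"),
    }


if __name__ == "__main__":
    print(summarize_probes(SAMPLE_LOG))
```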
 
I Love you guys....errr hehe oops... It's like home here. :)

I can't tell my wife about all this stuff she just stares at me like when you whine at a dog to make it howl..hehe
 