MLUG: RE: [MLUG] CodeRedII - there's a variant now - (Aka, delete Win2000)

The variant acts the same as CRII but makes the patches worthless, i.e.
it leaves the trojan and you can't clean it (yet).

If root.exe is in that dir you're hosed. Follow the instructions of
incidents.org and hope you don't have the variant. 

-- Brent

-----Original Message-----
From: Jason McIntosh [mailto:EMAIL:PROTECTED]
Sent: Wednesday, August 08, 2001 9:20 AM
To: security
Cc: mlug
Subject: RE: [MLUG] CodeRedII - there's a variant now - (Aka, delete Win2000)


Does anyone know on that variant if it does the same thing as CRII?
I've got a Win2K server - don't get me started. I wanted to patch it,
wasn't allowed, because "that would restart the server" blah blah blah -
anyway, I've got the hard drive in it set to O:, but the problem is that
I've found the root.exe file in O:\Inetpub\scripts\ and I'm concerned
that it's already been rootkitted. The side is that that's the only
place I've found it, it has a creation time of last Thursday, the IIS
has been shut down for about a week and a half, a quick scan lists the
following ports open, some of which I'm really unsure of, etc. Either
way, I'm scanning it here shortly with nessus. But if anyone knows for
sure, based on the previous info, whether or not it's time to reformat,
whether there is any other option, or whether I'm just worried
needlessly, I'd appreciate it.
Here's the latest network scan for your info:

135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
210/tcp    open        z39.50                  
445/tcp    open        microsoft-ds            
1025/tcp   open        listen                  
1157/tcp   open        unknown                 
1251/tcp   open        unknown                 
1494/tcp   open        citrix-ica              
2512/tcp   open        unknown                 
2513/tcp   open        unknown                 
3372/tcp   open        unknown                 
3389/tcp   open        msrdp                   
6798/tcp   open        unknown  

Thanks!
Jason McIntosh
--
To manage your subscription, go to
http://mlug.missouri.edu/members/edit.php

Archives are available at http://mlug.missouri.edu/list-archives/
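As an added example (not from the thread or from either poster), a small Python check for the indicator Jason describes: root.exe under <drive>\Inetpub\scripts, reporting its creation time and, when given a path to the system's cmd.exe, whether the file is a byte-for-byte copy of that shell. The Inetpub\scripts path comes from the message; the cmd.exe comparison and any extra directories are assumptions for the reader to adjust.

```python
import hashlib
import os
from datetime import datetime

# Where the thread found the indicator: <drive>\Inetpub\scripts\root.exe.
# The path is the one named in the message; the list form lets a responder
# add any other script directories the server serves.
SCRIPT_DIRS = [os.path.join("Inetpub", "scripts")]

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_root_exe(drive_root, cmd_exe_path=None):
    """One finding per script dir: is root.exe present, when was it created,
    and (if a cmd.exe path is given) is it a byte-for-byte copy of cmd.exe,
    which is how CodeRed II plants its backdoor shell (known behaviour of the
    worm, not something the thread itself states)."""
    cmd_hash = None
    if cmd_exe_path and os.path.isfile(cmd_exe_path):
        cmd_hash = sha256_of(cmd_exe_path)
    findings = []
    for rel in SCRIPT_DIRS:
        candidate = os.path.join(drive_root, rel, "root.exe")
        finding = {"path": candidate, "present": os.path.isfile(candidate),
                   "created": None, "is_cmd_copy": None}
        if finding["present"]:
            # getctime is creation time on Windows (the platform in the thread);
            # on Unix it is the inode change time, so treat it as approximate.
            finding["created"] = datetime.fromtimestamp(os.path.getctime(candidate))
            if cmd_hash is not None:
                finding["is_cmd_copy"] = sha256_of(candidate) == cmd_hash
        findings.append(finding)
    return findings

def verdict(findings):
    """Summarise in the thread's terms: any root.exe in a scripts dir means the
    host is treated as compromised, whether or not IIS is currently running."""
    hits = [f for f in findings if f["present"]]
    if not hits:
        return "clean: no root.exe in the checked script directories"
    return "\n".join(
        f"compromised: {f['path']} created {f['created']:%Y-%m-%d %H:%M}"
        + (" (copy of cmd.exe)" if f["is_cmd_copy"] else "") for f in hits)
```

On the server in the thread this would be run as `verdict(check_root_exe(r"O:\", r"C:\WINNT\system32\cmd.exe"))`, with the cmd.exe path adjusted to the actual system root (an assumed location, not one the message gives).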