
RE: For those who got Code Red in the face

From: Anderson, Brian <andersob_at_mail.dartnet.peachnet.edu>
Date: Tue, 07 Aug 2001 06:32:23 -0700
Message-ID: <F001.003629A2.20010807060627@fatcity.com>

I would check quickly for these files:

http://vil.nai.com/vil/virusSummary.asp?virus_k=99177

Presence of the files:

c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe

Also make sure your virus protection is up to date; it should let you know if the back door put in by the latest Code Red is on your machine.

> -----Original Message-----
> From: Jack C. Applewhite [mailto:japplewhite_at_inetprofit.com]
> Sent: Monday, August 06, 2001 6:25 PM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: For those who got Code Red in the face
>
>
> Our webserver got hit a couple of weeks ago. It got cleaned up and the security patch(es) applied. I thought nothing more about it.
>
> However, I think it or a variant got three of our other Win2k servers that don't run IIS at all. Yesterday I found a strange process, VMGR32.exe, chewing up 50% CPU on our production db server. The file, in C:\WinNT\System32, was dated 07/30/2001 08:40pm. Another file, acer4.exe, of exactly the same size, 272KB, had exactly the same datetime. Neither file shows the usual "Version" tab in the Properties window (after right click on the file). I searched the Microsoft site and did a Google search on both, with zero hits. Suspicious...
>
> I checked out http://www.net-security.org/text/articles/coverage/code-red/ but couldn't see any similarities until it suggested running netstat -an to see if your server was connecting to dozens of random IP addresses at port :80. I did and ours was!
>
> I changed the service "Remote Administration Service" (which loads VMGR32.exe) to Manual and rebooted the servers. The connections to random IP addresses at port :80 have stopped and VMGR32.exe is no longer running as a process.
>
> I also installed Win2k Service Pack 2.
>
> I hope I've squashed this worm! Have I? Are the port :80 connections and VMGR32.exe related or have I been chasing the wrong culprit? The NT sysadmin at our colocation facility isn't a lot of help (one reason we're looking to switch pretty soon!), so I'm kind of at a loss.
>
> Any suggestions?
>
> Thanks.
>
> Jack
>
> --------------------------------
> Jack C. Applewhite
> Database Administrator/Developer
> OCP Oracle8 DBA
> iNetProfit, Inc.
> Austin, Texas
> www.iNetProfit.com
> japplewhite_at_inetprofit.com
> (512)327-9068
>
>
> -----Original Message-----
> dgoulet_at_vicr.com
> Sent: Monday, August 06, 2001 2:24 PM
> To: Multiple recipients of list ORACLE-L
>
>
> New worm targets same systems as Code Red
>
> Security analysts warned that a new and potentially dangerous worm began circulating over the weekend, targeting the same Windows-based servers as the high-profile Code Red worm.
>
> http://computerworld.com/nlt/1%2C3590%2CNAV47_STO62834_NLTAM%2C00.html
> --
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Jack C. Applewhite
> INET: japplewhite_at_inetprofit.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Anderson, Brian
  INET: andersob_at_mail.dartnet.peachnet.edu

Received on Tue Aug 07 2001 - 08:32:23 CDT
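The two checks this thread relies on, scripted as an added example (not code from either poster): the indicator-file list Brian quotes from the NAI summary, and Jack's `netstat -an` observation of dozens of outbound connections to random addresses on port 80, turned into a fan-out count. The netstat output below is constructed to look like Windows 2000 `netstat -an` lines; the threshold of 20 distinct remote hosts and the `exists` hook (so the file check can be exercised on a non-Windows box) are assumptions of the example, not from the posts.

```python
"""Scripted checks from the Code Red thread (added example, constructed input)."""
import os
import re

# Indicator paths quoted in the post from the NAI virus summary.
INDICATOR_FILES = [
    r"c:\inetpub\scripts\root.exe",
    r"c:\progra~1\common~1\system\MSADC\root.exe",
    r"d:\inetpub\scripts\root.exe",
    r"d:\progra~1\common~1\system\MSADC\root.exe",
]


def find_indicator_files(paths=INDICATOR_FILES, exists=os.path.exists):
    """Return the indicator paths that are present on disk.

    'exists' is injectable (assumption of this example) so the check can be
    tested without touching the real filesystem."""
    return [p for p in paths if exists(p)]


# One TCP line of Windows 'netstat -an': proto, local addr:port, remote addr:port, state.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s*$"
)


def parse_netstat(text):
    """Parse TCP rows into (local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)),
                         m.group(3), int(m.group(4)), m.group(5)))
    return rows


def outbound_port80_fanout(rows):
    """Count distinct remote hosts this machine has reached out to on port 80.

    SYN_SENT is counted alongside ESTABLISHED: a worm probing random addresses
    leaves many half-open attempts to hosts that never answer."""
    remotes = {remote_ip for (_l, _lp, remote_ip, rport, state) in rows
               if rport == 80 and state in ("SYN_SENT", "ESTABLISHED")}
    return len(remotes)


def assess(netstat_text, fanout_threshold=20, exists=os.path.exists):
    """Combine both checks into one verdict (threshold is an assumed value)."""
    files = find_indicator_files(exists=exists)
    fanout = outbound_port80_fanout(parse_netstat(netstat_text))
    return {
        "indicator_files": files,
        "port80_fanout": fanout,
        "suspicious": bool(files) or fanout >= fanout_threshold,
    }


# Constructed sample: an Oracle listener on 1521, one legitimate client, and 25
# half-open connections to different addresses on port 80 (documentation ranges).
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING",
     "  TCP    192.0.2.10:1521        192.0.2.25:3347        ESTABLISHED"]
    + [f"  TCP    192.0.2.10:{1100 + i}        198.51.100.{i}:80       SYN_SENT"
       for i in range(1, 26)]
)


if __name__ == "__main__":
    # On a live box, replace SAMPLE_NETSTAT with the output of 'netstat -an'.
    report = assess(SAMPLE_NETSTAT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The file check and the fan-out count are deliberately separate functions, so either can be run alone: the file list only covers the variant NAI describes, while the port-80 fan-out catches the behaviour Jack saw on machines with no IIS at all.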
