[squid-users] [OT] Code Red Worm (was: RE: [squid-users] serious problem - is this my box compromised)

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Tue, 7 Aug 2001 13:00:29 +0200

Here is a fix for the Red Code worm:

1) Find the systems' IP addresses (the squid access.log appears fine)
2) Figure out whether it's Code Red version 1 or 2:
        to do it, look in the systems' filesystem for a file named root.exe

Case 1) No root.exe
        Congratulations, it's Code Red 1.
Cure:
1) Stop IIS.
2a) If it's not necessary to run it, disable it and don't
start it ever again. Reboot (just for safety). You're cured.
2b) If you really have to run IIS, apply the hotfix from Microsoft:
WinNT4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Win2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800.
Reboot. You're cured.

Case 2) You have a root.exe
        It's Code Red 2. You're in a bit more trouble, but you'll manage.
Cure:
1) Stop IIS.
2) Remove all instances of root.exe
3) attrib -s -h -r c:\explorer.exe
        if you have a d: drive
                attrib -s -h -r d:\explorer.exe
4) del c:\explorer.exe
        if you have a d: drive
                del d:\explorer.exe
5) if you fail to remove either, open up the Task Manager, and
        locate processes named explorer.exe. There should be two, one using
        a couple of megs of RAM and one using about 500k. Kill the smaller
        one, then repeat 4.
6) Stop IIS.
7a) If you don't need IIS running on that server, disable it,
        the WWW publishing service and the FTP publishing service and don't
        start them ever again (at least until Win2k SP3). Reboot. You're cured.
7b) If you need IIS, apply the same hotfix as above. Reboot. You're cured.
        

This is not, I repeat this is NOT a problem with Squid. It's a bug in MS-IIS
4.0 and 5.0 in conjunction with MS-Indexing service.

-- 
	/kinkie 
Received on Tue Aug 07 2001 - 04:52:30 MDT
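
An added example, not part of the original message: one way to carry out step 1 (finding the systems' IP addresses) from a Squid native-format access.log. It assumes the worm's probe appears as a GET for /default.ida followed by a long run of 'N' or 'X' padding; the padding is only a hint about the variant, the root.exe check in step 2 remains the test, and the function names and sample entries are constructed for illustration.

```python
import re

# Squid native access.log fields:
#   time elapsed client action/code size method URL ident hierarchy/peer type
# Assumption of this example: the worm's probe is a GET for /default.ida
# followed by a long run of one padding character ('N' or 'X').
PROBE = re.compile(r"(?i:/default\.ida)\?(N{20,}|X{20,})")
HINT = {"N": "N padding: check for Code Red 1",
        "X": "X padding: check for Code Red 2"}

def probing_clients(lines):
    """Return {client_ip: {"hits": int, "hint": str}} for clients sending probes."""
    found = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed entry
        client, method, url = fields[2], fields[5], fields[6]
        match = PROBE.search(url)
        if method != "GET" or match is None:
            continue
        entry = found.setdefault(client, {"hits": 0, "hint": ""})
        entry["hits"] += 1
        entry["hint"] = HINT[match.group(1)[0]]
    return found

def sample_line(ts, client, status, url):
    """Build one constructed log entry in Squid's native format."""
    return (f"{ts} 110 {client} TCP_MISS/{status} 512 GET {url} "
            "- DIRECT/198.51.100.7 text/html")

# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    sample_line("997182029.101", "192.0.2.15", 404,
                "http://198.51.100.7/default.ida?" + "N" * 224),
    sample_line("997182030.440", "192.0.2.15", 404,
                "http://198.51.100.9/default.ida?" + "N" * 224),
    sample_line("997182031.002", "192.0.2.22", 404,
                "http://203.0.113.4/default.ida?" + "X" * 224),
    sample_line("997182032.700", "192.0.2.30", 200,
                "http://www.example.com/index.html"),
    "truncated entry",
]

if __name__ == "__main__":
    for ip, info in sorted(probing_clients(SAMPLE_LOG).items()):
        print(f"{ip}\t{info['hits']} probe(s)\t{info['hint']}")
```

Each address it reports is a client that sent the probe through the proxy, so those are the machines to inspect for root.exe.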
