Re: [squid-users] [OT] Code Red Worm (was: RE: [squid-users] serious problem - is this my box compromised)

From: hari_bhr <hari_bhr@dont-contact.us>
Date: Tue, 7 Aug 2001 17:13:57 +0530

Hi all,

It's not a problem with my network.
It's coming from outside into my access.log.
I have ACLs for the http_access rules.
I have denied all except our network address.
After all that I still see my access log with new addresses.
How do I control this?

Thanks
----- Original Message -----
From: Chemolli Francesco (USI) <ChemolliF@GruppoCredit.it>
To: 'hari_bhr' <hari_bhr@yahoo.com>; <squid-users@squid-cache.org>
Sent: Tuesday, August 07, 2001 4:30 PM
Subject: [squid-users] [OT] Code Red Worm (was: RE: [squid-users] serious problem - is this my box compromised)

> Here is a fix for the Red Code worm:
>
> 1) Find the systems' ip addresses (the squid access.log appears fine)
> 2) Figure out whether it's Code Red version 1 or 2:
> to do it, look in the systems' filesystem for a file named root.exe
>
> Case 1) No root.exe
> Congratulations, it's Code Red 1.
> Cure:
> 1) Stop IIS.
> 2a) If it's not necessary to run it, disable it and don't
> start it ever again. Reboot (just for safety). You're cured.
> 2b) If you really have to run IIS, apply the hotfix from Microsoft:
> WinNT4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
> Win2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800.
> Reboot. You're cured.
>
> Case 2) You have a root.exe
> It's Code Red 2. You're in a bit more trouble, but you'll manage.
> Cure:
> 1) Stop IIS.
> 2) Remove all instances of root.exe
> 3) attrib -s -h -r c:\explorer.exe
> if you have a d: drive
> attrib -s -h -r d:\explorer.exe
> 4) del c:\explorer.exe
> if you have a d: drive
> del d:\explorer.exe
> 5) if you fail to remove either, open up the Task Manager, and
> locate processes named explorer.exe. There should be two, one using
> a couple of megs of RAM and one using about 500k. Kill the smaller one,
> then repeat 4.
> 6) Stop IIS.
> 7a) If you don't need IIS running on that server, disable it,
> the WWW publishing service and the FTP publishing service and don't
> start them ever again (at least until Win2k SP3). Reboot. You're
> cured.
> 7b) If you need IIS, apply the same hotfix as above. Reboot. You're cured.
>
>
>
> This is not, I repeat this is NOT a problem with Squid. It's a bug in MS-IIS
> 4.0 and 5.0 in conjunction with MS-Indexing service.
>
> --
> /kinkie
>
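As an added illustration of the situation in the top post (not code from this thread, from Squid, or from the poster), here is a small Python parser for Squid's native access.log layout that separates TCP_DENIED entries from served ones and tallies external clients whose requests look like Code Red's /default.ida probe. The sample log lines, the client addresses and the "192.168." internal prefix are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log layout
# (timestamp elapsed client code/status bytes method URL ident hier/peer type).
# Client addresses are documentation-range examples, not real hosts.
SAMPLE_LOG = """\
997191837.123      0 203.0.113.7 TCP_DENIED/403 1450 GET http://192.0.2.10/default.ida?XXXXXXXXXXXXXXXX - NONE/- text/html
997191838.456      0 203.0.113.7 TCP_DENIED/403 1450 GET http://192.0.2.10/default.ida?NNNNNNNNNNNNNNNN - NONE/- text/html
997191840.001    312 192.168.1.25 TCP_MISS/200 8421 GET http://www.squid-cache.org/ - DIRECT/www.squid-cache.org text/html
997191841.777      0 198.51.100.9 TCP_DENIED/403 1450 GET http://192.0.2.10/default.ida?XXXXXXXXXXXXXXXX - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)
# Code Red probed IIS with a request for /default.ida followed by filler.
CODE_RED_RE = re.compile(r"/default\.ida\?", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, internal_prefixes=("192.168.",)):
    """Count TCP_DENIED hits per client and Code Red-style probes from external clients.

    internal_prefixes is an assumed list of address prefixes for the local LAN.
    """
    denied = Counter()
    probes = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["code"] == "TCP_DENIED":
            denied[rec["client"]] += 1
        external = not rec["client"].startswith(internal_prefixes)
        if external and CODE_RED_RE.search(rec["url"]):
            probes[rec["client"]] += 1
    return denied, probes


if __name__ == "__main__":
    denied, probes = summarize(SAMPLE_LOG)
    for client, n in probes.most_common():
        print(f"{client}: {n} Code Red-style probe(s), {denied[client]} denied by ACL")
```

A TCP_DENIED/403 entry shows the http_access deny is doing its job: Squid logs the refused request before answering it with an error page, so external addresses keep appearing in access.log for as long as the proxy port itself is reachable from outside.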



Received on Tue Aug 07 2001 - 05:12:39 MDT
