Re: NImda/Code Red IIS log analysis questions
From: Adrien de Beaupre (adriendb@-nospam-magi.com) Date: 12/20/01
From: "Adrien de Beaupre" <adriendb@-nospam-magi.com> Date: Thu, 20 Dec 2001 10:14:31 -0500
It is not a good idea to trust a server that may have been compromised:
Generic quick and dirty incident handling procedure:
Get help.
Take the system off the network.
Backup all data.
Blow away the operating system.
Re-install from scratch.
Apply ALL service packs and hot-fixes.
Harden the server.
Restore data.
Test the server, run a vulnerability assessment.
Return server to the network.
Adrien de Beaupre, A+/Network+/MCP/MCSE/MCT
Brainbench MVP for Networking Concepts
http://www.brainbench.com
"The problem with trouble-shooting is, sometimes trouble shoots back!"
<Jeff Cochran> wrote in message
news:3c22d7c4.235910501@news.supernews.com...
> >That first URL was "/scripts/root.exe?/c+dir /c+dir 200 -" and the
> >result was 200, meaning the request was successful. What happened
> >here? What did IIS do? What action occurs when root.exe is run with
> >those specific parameters ? Is this harmful, did something bad
> >happen? Should I reformat my machine?
>
> Try here:
>
> http://www.iisfaq.com/
>
> Jeff
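The log check that the quoted question is asking about, as an added example that is not part of the original thread: it parses IIS W3C extended log lines and flags requests whose URI stem names root.exe (from the post) or cmd.exe (an assumption added here), separating those answered with 200 from failed probes. The sample log lines and the function name find_shell_probes are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample (not from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-12-19 03:12:45 192.0.2.10 GET /scripts/root.exe /c+dir 200
2001-12-19 03:12:46 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-12-19 03:12:47 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-12-19 08:30:02 198.51.100.7 GET /default.htm - 200
"""

# root.exe is the name in the thread; cmd.exe is an assumption added here.
SHELL_NAMES = {"root.exe", "cmd.exe"}


def find_shell_probes(log_text):
    """Return one dict per request whose URI stem names a command shell."""
    fields, hits = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout may change mid-file
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed line, or no #Fields directive seen yet
        rec = dict(zip(fields, values))
        # IIS paths are case-insensitive and may use either slash.
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if re.split(r"[/\\]", stem)[-1] not in SHELL_NAMES:
            continue
        hits.append({
            "line": lineno,
            "client": rec.get("c-ip", "?"),
            "request": rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "-"),
            "succeeded": rec.get("sc-status") == "200",
        })
    return hits


if __name__ == "__main__":
    for h in find_shell_probes(SAMPLE_LOG):
        verdict = "SUCCEEDED: treat host as compromised" if h["succeeded"] else "failed probe"
        print(f'line {h["line"]}: {h["client"]} {h["request"]} -> {verdict}')
```

Any hit with a 200 status is the case the rebuild procedure in the post is written for; hits with other statuses are probes the server turned away.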