Re: Code Red

From: Armando Valdés (avaldes@c-com.net.ve)
Date: 12/30/02


From: Armando Valdés <avaldes@c-com.net.ve>
Date: Mon, 30 Dec 2002 06:33:53 -0800


Thanks!!

All client computers (15) were checked and they seem to be
OK. CA does not report any virus, however I am going to review
them again!!

Now, if I analyze the ISA record related to www.worm.com
access, it points out an external IP as the source IP!!!
This makes me think that this is an attack, but I am not
sure because I supposed that the MS patch avoids this (using
the server to connect to the worm web page).
I have been watching open ports to check if there is any
unusual connection but nothing was found.

Thanks again!!!!!

>-----Original Message-----
>If your server is locked down properly (it is, by the sounds of it), there's
>a chance that one of the client systems is CodeRed-infected.
>
>Use CodeRed cleanup tool. One is available from Microsoft:
>
>http://www.microsoft.com/technet/security/tools/tools/redfix.asp
>
>Also, most antivirus vendors provide cleanup tools. See Karl's FAQ
>(http://securityadmin.info/faq.htm#5) for worm cleanup information.
>
>Don't forget - you need to check all client systems too.
>
>Stay secure!
>
>--
>Svyatoslav Pidgorny, MS MVP, MCSE
>-= F1 is the key =-
>
>"Armando Valdés" <avaldes@c-com.net.ve> wrote in message
>news:006b01c2afbc$7ef9ae80$cef82ecf@TK2MSFTNGXA08...
>Hello!
>
>A W2K Server SP2, Exchange 2000, ISA2000 and OWA setup and
>running OK (Port 80 open). Fixes related to Code Red Virus
>applied. The patches related to this virus were applied
>recently because ISA2000 reports access to www.worm.com,
>although Index Service was not running and CA Antivirus
>never reported any virus (signed updated). However ISA2000
>still reports access to the www.worm.com web page.
>
>Is this server being attacked or is it compromised? I have
>been looking for information about Code Red I and II but it is
>not clear (at least I could not find it) if this kind of
>access is because the server is being attacked or the
>server is being used to propagate the virus (worse, server
>has a backdoor open!!).
>
>Excuse my English and thanks in advance.
>
>Armando Valdés