Can't seem to shake the CodeRed worm

(OP)
Hi

Got a CodeRed infected NT4 server.
I have applied the patch available from MS and restarted the system.

Problem is that IIS only displays a page containing nothing but <HTML></HTML>

I've checked IIS for what pages it should display and everything looks just fine there, and the files look unaffected too.

Please help!
-Mats

RE: Can't seem to shake the CodeRed worm

In all honesty - if you have an infected/compromised server, no matter what it is infected/compromised with - your first course of action should be to remove it from the network and rebuild it from a known, good backup.  Who knows what else might have gotten in through the same hole...

Having said that.... The Code Red worm also defaced your web site, which had a message "Welcome to http://www.worm.com!! Hacked by Chinese".  That page only remains active for 10 hours and then disappears.  I am not sure what it gets replaced with, but either that or the fix from MS probably replaced your default web page with what you have.

Do you have a copy of the original web page? I'm a little confused about you having checked IIS for what pages it should be displaying... Are you saying IIS is still pointing to index.html or default.htm -- or have you actually checked the page that it points to in a text editor to see what the page is actually supposed to display?

Let us know some more details about exactly what you checked and the results.

Look at
http://www.eeye.com/html/Research/Advisories/AL20010717.html for full details about the worm.
Hope this helps,
Paul

RE: Can't seem to shake the CodeRed worm

(OP)
Thanks for the link, but I managed to solve the problem by myself.

As far as I could determine, Code Red doesn't write any file at all, but instead holds the code in RAM.

IIS pointed to defalt.asp the whole time, just as it should.

Thanks for the assistance and the advice.

-Mats

RE: Can't seem to shake the CodeRed worm

MATSHulten, how did you solve the problem?  I have the same situation with the Code Red virus.
-brewkim

RE: Can't seem to shake the CodeRed worm

One fix is to boot your system.

Plus there are two (possibly 3) Code Reds out there. Symantec has the 3 fixes for them.
