[Dshield] Code Red Reinfection After Patch Installed

security@admin.fulgan.com security at admin.fulgan.com
Mon Jul 23 09:24:17 GMT 2001


eEye has a Code Red vulnerability scanning tool that you can use to
check whether your server really is patched.

Get it there:
http://www.eeye.com/html/Research/Tools/codered.html

Good luck,
Stephane

Saturday, July 21, 2001, 8:04:05 PM, you wrote:
CFR> Hi

CFR>   I am Freeland Chew, MIS head at ECPI Technical College in Roanoke
CFR> Virginia. 

CFR>   I run a Windows 2000 Exchange server that was compromised by Code Red
CFR> early on the 20th; I assumed because I neglected to reinstall the patch
CFR> after I had installed Service Pack 2.

CFR>   After the compromise was discovered I took the machine off the network,
CFR> rebooted it and reinstalled all patches including the buffer overflow that
CFR> Code Red uses.

CFR>   At least 8 hours later, my log files tell me that the machine has been
CFR> reinfected. 

CFR>   I have double checked and I am sure I installed the correct patch both
CFR> times.  I am a contributor to the www.dshield.org so I pay attention to
CFR> these things and I am quite convinced this reinfection is not an IO (Idiot
CFR> Operator) error.

CFR>   Has anyone else reported anything that suggests the patch might not be
CFR> fully effective? 

CFR>   Freeland Chew 







-- 
Best regards,
 security                            mailto:security at admin.fulgan.com



