Anne Bennett anne at alcor.concordia.ca
Fri Aug 10 15:01:20 GMT 2001

Patrick Stokes:
> I have found the same thing. We realized yesterday afternoon that a rogue
> laptop on our network was running an out-of-the-box 2k install. It had been
> infected with Code Red II. It didn't take us long, however, to discover that
> it also had been hit with the sadmind/IIS worm much earlier and had gone
> unnoticed.

In my remote scans for machines with /scripts/root.exe, I've been
"exploiting" the backdoor to get a directory listing, with "/TC" to
get file creation times.  Most of what I've found has been dated last
May, pointing to a likely sadmind (how does one pronounce that,
anyway?) infection at that time.

In the case of the double infections you found, was there a way to
detect the "new infection" based only on the file times of
/scripts/root.exe, or did Code Red II's copy to root.exe not result in
any detectable change there?

I'm just wondering if my scans might be reporting "pre-Code-Red-II"
infections when in some cases they should be reporting double
infections.  (I can't *believe* the volatility of the IIS servers in
my domain -- this week they've been appearing and disappearing at the
rate of two per day.)
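As an added illustration (not code from the original post), the following Python script triages the kind of `dir` output the scans above collect. It parses a Windows 2000 style listing of `/scripts`, pulls out the creation time (`dir /TC`) and the last-write time (`dir /TW`) of `root.exe`, and classifies each host against a cutoff date. The cutoff, the host names and the listing lines are all constructed for this example; the `2001-08-04` cutoff is a parameter for the reader to set, not a date taken from the post. The point of reading both timestamps: overwriting an existing file in place generally keeps its NTFS creation time and only moves the last-write time forward, so a creation-time-only scan can miss a later worm that copied over an older backdoor.

```python
import re
from datetime import datetime

# Assumed cutoff: a root.exe created or written after this date is treated as a
# later hit rather than the earlier infection. Parameter for the example only.
CUTOFF = datetime(2001, 8, 4)

# One file line of Windows 2000 'dir' output, e.g.
#   05/08/2001  10:12p              24,576 root.exe
# Accepts 'a'/'p', 'AM'/'PM' or 24-hour times; directory lines do not match.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s*(?P<ampm>[ap]m?)?"
    r"\s+(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_dir_line(line):
    """Return (timestamp, size_bytes, name) for a dir file line, or None for anything else."""
    m = DIR_LINE.match(line.strip())
    if not m:
        return None
    ampm = m.group("ampm")
    if ampm:
        suffix = "AM" if ampm.lower().startswith("a") else "PM"
        ts = datetime.strptime(f"{m.group('date')} {m.group('time')}{suffix}", "%m/%d/%Y %I:%M%p")
    else:
        ts = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%m/%d/%Y %H:%M")
    return ts, int(m.group("size").replace(",", "")), m.group("name")


def find_file(listing, name="root.exe"):
    """Timestamp of `name` in a multi-line dir listing, or None if it is not present."""
    for line in listing.splitlines():
        parsed = parse_dir_line(line)
        if parsed and parsed[2].lower() == name.lower():
            return parsed[0]
    return None


def classify(created, last_written, cutoff=CUTOFF):
    """Verdict from creation time (dir /TC) and last-write time (dir /TW).

    Creation time alone hides a later overwrite: a new payload copied over an
    existing root.exe keeps the original creation stamp, so both are checked.
    """
    if created is None:
        return "not infected (no root.exe)"
    if created >= cutoff:
        return "new infection (created after cutoff)"
    if last_written is not None and last_written >= cutoff:
        return "double infection (old file overwritten after cutoff)"
    return "pre-cutoff infection"


def triage(hosts, cutoff=CUTOFF):
    """hosts: {hostname: (dir_tc_listing, dir_tw_listing)} -> {hostname: verdict}."""
    return {h: classify(find_file(tc), find_file(tw), cutoff) for h, (tc, tw) in hosts.items()}


# Constructed sample listings (hypothetical hosts); first string is dir /TC, second dir /TW.
SAMPLE_HOSTS = {
    "ws-old": (
        "05/08/2001  10:12p              24,576 root.exe",
        "05/08/2001  10:12p              24,576 root.exe",
    ),
    "ws-double": (
        "05/08/2001  10:12p              24,576 root.exe",
        "08/06/2001  03:47a              24,576 root.exe",
    ),
    "ws-new": (
        "08/09/2001  11:20 AM            24,576 root.exe",
        "08/09/2001  11:20 AM            24,576 root.exe",
    ),
    "ws-clean": (
        "08/10/2001  02:31p      <DIR>          .",
        "08/10/2001  02:31p      <DIR>          .",
    ),
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host:10s} {verdict}")
```

Run as-is to see the four sample verdicts; in practice the listings would be whatever the scan captured per host, and the cutoff whatever date separates the two infections in your own data.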

