Hello,

I've got a few questions concerning the "Code Red" worm.

"Code Red" exploits the IIS vulnerability referenced in http://www.eeye.com/html/Research/Advisories/AD20010618.html and CA-2001-13. OK. But how can one exactly determine if a system has been compromised?

In the full analysis (http://www.eeye.com/html/advisories/codered.zip) it is said that the worm sets up 100 threads. But in what context are they running? How, if at all, can they be seen in Task Manager or another tool? I would guess IIS.exe taking up more memory and processing power than normal may be an indication?

During the sleeping period, indications like spreading attempts or attack attempts on www1.whitehouse.gov cannot be observed to weed out infected systems. So how to find dormant "code red" instances?

If I'm not mistaken, a reboot would clear "code red". So should anybody reboot and patch? What would be the generic "safe" answer to customers?

BTW, does anyone know a working security contact for Hotmail? securityat_private came back as "account disabled". Other obvious addresses did not result in any reaction.

Robinton

--
I've asked for kindness and ultimate truth. Still waiting for the answer.
--
He who dies with the most toys - still dies.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
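One practical answer to the "how to find infected systems" question, added here as an example and not part of the original post or of the eEye analysis: the worm spreads by sending the .ida overflow request to other web servers, so the IIS logs of every server it probed record the source address of an infected host, and those records survive into the dormant period even though the scanning itself has stopped. The script below parses IIS W3C extended log records (sample lines constructed for this example, with documentation addresses) and flags requests for an .ida resource carrying an oversized query string; requests that also show the long run of N characters followed by %u-encoded bytes widely reported for Code Red are labelled separately from other .ida overflow attempts. The field names are the IIS W3C defaults; the exact payload bytes in the sample are illustrative, not a verbatim capture.

```python
import re
from collections import Counter

# Constructed exploit query shaped like the widely reported Code Red request:
# a long run of 'N' characters to overflow the .ida ISAPI filter, followed by
# %u-encoded bytes. Assumption for this example: the byte values below are
# illustrative, not copied from a real capture.
CODERED_QUERY = "N" * 224 + (
    "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00"
    "%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed IIS 5.0 W3C extended log excerpt (not from any real server).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:00:01 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 14:00:07 198.51.100.23 GET /default.ida " + CODERED_QUERY + " 200",
    "2001-07-19 14:00:09 192.0.2.10 GET /default.ida - 200",
    "2001-07-19 14:01:15 198.51.100.23 GET /Default.IDA " + CODERED_QUERY + " 200",
    "2001-07-19 14:02:40 203.0.113.5 GET /default.ida " + "A" * 300 + " 404",
    "2001-07-19 14:03:02 192.0.2.11 GET /scripts/test.ida q=1 404",
])

# Code Red's filler: at least 100 consecutive 'N' characters in the query.
N_RUN = re.compile(r"N{100,}")


def parse_w3c(log_text):
    """Yield one dict per record, naming columns from the #Fields header.

    W3C logs encode spaces inside a field as '+', so splitting on whitespace
    is safe; records that do not match the header's column count are skipped.
    """
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_ida_attacks(log_text, min_query_len=200):
    """Return exploit attempts against any .ida resource.

    A legitimate .ida request has a short query string; the overflow needs a
    long one, so the length threshold is the generic check. The N-run plus
    %u-encoding marks the Code Red variant specifically.
    """
    events = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if not stem.lower().endswith(".ida"):
            continue
        if query == "-" or len(query) < min_query_len:
            continue
        if N_RUN.search(query) and "%u" in query.lower():
            variant = "codered"
        else:
            variant = "ida-overflow"
        events.append({
            "time": rec.get("date", "") + " " + rec.get("time", ""),
            "src_ip": rec.get("c-ip"),
            "stem": stem,
            "query_len": len(query),
            "status": rec.get("sc-status"),
            "variant": variant,
        })
    return events


def scanning_hosts(events):
    """Count exploit requests per source address.

    Each source is a host that was already infected (or someone replaying the
    exploit) at the logged time, which is the list to follow up on.
    """
    return Counter(e["src_ip"] for e in events)


if __name__ == "__main__":
    hits = find_ida_attacks(SAMPLE_LOG)
    for e in hits:
        print(e["time"], e["src_ip"], e["variant"], e["stem"], e["status"])
    print("hosts to investigate:", dict(scanning_hosts(hits)))
```

The source addresses are the machines that were infected when they scanned you; that is the part of the question the logs can answer. Whether your own server was compromised by one of the logged requests is not decidable from the log alone, since the worm stays in memory and writes nothing to disk, which is also why the reboot-plus-patch remediation in the post is the usual advice.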
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 06:47:23 PDT