robintonat_private (Soeren Ziehe) wrote: > I've got a few questions concerning the "Code Red" worm. > > "Code Red" exploits the IIS vulnerability referenced in > http://www.eeye.com/html/Research/Advisories/AD20010618.html > and CA-2001-13. OK. But how can one exactly determine, if a system has > been compromised? Good question -- right now, "with difficulty" would be the answer. An advanced process viewer may do it -- if you know what the typical number of IIS child threads is, you may be able to spot it from this number being elevated by 100 (or more -- multiple infestations are reputedly possible)... To date, I'd not thought to look into this. > In the full analysis (http://www.eeye.com/html/advisories/codered.zip) > it is said that the worm sets up 100 threads. But in what context are > they running? ... In the same context as IIS or the index server/service. > ... How, if, can they be seen in Task Manager or an other > tool? I would guess IIS.exe taking up more memory and processing power > than normal may be an indication? Yes -- anything that can tell you how many threads or other resources are allocated to what processes and a refined sense of what is "normal". Right now that may not help much (apart from the thread count) as the threads should all be sleeping for 20-something days... > During the sleeping period indications like spreading attempts or attack > attempts on www1.whitehouse.gov cannot be observed to weed out infected > systems. > So how to find dormant "code red" instances? Another good question -- I have no good answer though. > If I'm not mistaken a reboot would clear "code red". > So should anybody reboot and patch? What would be the generic "safe" > answer to customers? I'd suggest patch then reboot would be the slightly more efficient approach. 8-) If someone has not applied the patches from MS01-033, or is not sure, they should apply the patch and reboot. They should do this sooner, rather than later as the longer they leave it the greater (by some completely unknown amount) the threat of their machines being hi-jacked by something else via the exact same exploit. Just because someone has been hit by Code Red does not make them magically immune to the vulnerability... > BTW does anyone know a working security contact for Hotmail? > securityat_private came back as "account disabled". Other obvious > addreses did not result in any reaction. Sorry (but I can't say I'm entirely surprised). -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 14:44:14 PDT