Method to Clean up IIS servers hit by CRv2

From: dmuz (dmuzat_private)
Date: Mon Aug 06 2001 - 11:23:56 PDT

    Hey folks,  Isn't this fun? (har..)
    
    So what are people doing to clean out IIS servers hit by CRv2?
    
    So far I've been doing the following:
    
    1. Patch the server.
    
    2. Remove root.exe from the web directories.
    
    3. Remove explorer.exe from c: and/or d:
    
    4. Reboot.
    
    My main question is: do you need to mess with the registry keys that it
    alters? Are these reset on reboot or do you need to set them to some
    value? If so, what values? Or delete them altogether?
    
    Thanks,
    dmuz
    
    
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:30:06 PDT