> Symantec now has a free tool for code red III.
>
> http://www.sarc.com/avcenter/venc/data/codered.v3.html

These guys suggest you patch now if you have not already, *without making it clear that this is a very weak temporary stop gap for any machine that was not already patched by mid Friday*.

Basically, any W2K machine that *might* have been running IIS, that *might* have been not patched before CRII, is very suspect and should be wiped clean, asap. (After all, if I were to own a CRII compromised PC, I'd install the patch and would probably shut down IIS too.)

Although Symantec are clearly being misleading in their "report", I'm assuming they weren't dumb enough to advise removal of a detected backdoor by means other than wiping the machine; I don't know, I didn't download their kit as it makes no difference to my point about a machine being a backdoor suspect even if no infection is detected.

However, Cnet went them one better with a story today. In http://news.cnet.com/news/0-1003-200-6792918.html they said:

    "Fearnow said SANS is working on posting instructions for removing the back door created by the new worm."

Yeah, right. SANS actually say on their web site:

    Even if you do not find signs of infection, but your server has been left unpatched while [Code Red II] was circulating, you should reformat and reinstall.

I guess if one calls those instructions, Cnet's story is correct, but methinks they just screwed up because they are utterly clueless.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
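The triage rule the post (and the quoted SANS advice) applies is worth writing down as code, because it is the opposite of "scan, and rebuild only if the scanner finds something". Below is an added example, not code from the post, from Symantec or from SANS: a host that may have exposed IIS and was not patched before the worm circulated is marked for rebuild whether or not anything was detected, and a web log scan is used only as extra positive evidence. The log check keys on the /default.ida request with a long run of padding characters, the well-known Code Red probe (a run of X for Code Red II, N for the original Code Red); that signature, the "mid Friday" cut-off time, the host record layout and every log line are my assumptions and constructed sample data, not facts stated in the post.

```python
"""Host triage for the Code Red II exposure window (added example, not from the post).

Rule encoded: a Windows 2000 host that may have run IIS and was not patched
before the worm began circulating is a backdoor suspect even when a scanner
reports it clean, so it gets rebuilt.  A log hit is extra positive evidence
(rebuild); a log miss clears nothing.  All data below is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Assumption: the post's cut-off is "mid Friday", i.e. 3 Aug 2001 around noon.
CIRCULATION_START = datetime(2001, 8, 3, 12, 0)

# /default.ida followed by a long run of one padding character.  The query may
# follow the stem with '?' (raw request) or whitespace (IIS W3C logs keep
# cs-uri-query in its own field), hence \W+ rather than a literal '?'.
PROBE_RE = re.compile(r"/default\.ida\W+([NX])\1{100,}")


@dataclass
class Host:
    name: str
    iis_may_have_run: bool          # unknown counts as True ("might have been running IIS")
    patched_at: Optional[datetime]  # when the IIS .ida patch went on; None means never


def classify_probe(line: str) -> Optional[str]:
    """Return 'CodeRedII', 'CodeRed' or None for one web-server log line."""
    m = PROBE_RE.search(line)
    if not m:
        return None
    return "CodeRedII" if m.group(1) == "X" else "CodeRed"


def hosts_probed(lines: Iterable[str]) -> set:
    """Names of hosts whose logs carry a Code Red II request.

    Assumed layout: each line starts with the host name, then the log text.
    """
    hit = set()
    for line in lines:
        host, _, rest = line.partition(" ")
        if classify_probe(rest) == "CodeRedII":
            hit.add(host)
    return hit


def verdict(host: Host, probed: bool) -> str:
    """Decide rebuild vs ok.  Absence of a log hit never clears a host."""
    if probed:
        return "rebuild: Code Red II request in logs"
    if not host.iis_may_have_run:
        return "ok: IIS never exposed"
    if host.patched_at is not None and host.patched_at < CIRCULATION_START:
        return "ok: patched before the worm circulated"
    return "rebuild: exposed and unpatched while the worm circulated"


def triage(hosts: Iterable[Host], log_lines: Iterable[str]) -> dict:
    probed = hosts_probed(log_lines)
    return {h.name: verdict(h, h.name in probed) for h in hosts}


# Constructed sample data (not real logs).  Padding runs built by repetition.
SAMPLE_LOG = [
    "web1 2001-08-05 03:12:44 10.0.0.7 GET /default.ida " + "X" * 224 + " 200",
    "web2 2001-07-20 11:02:09 10.0.0.9 GET /default.ida " + "N" * 224 + " 200",
    "web3 2001-08-06 08:00:01 10.0.0.3 GET /index.html - 200",
]
SAMPLE_HOSTS = [
    Host("web1", True, datetime(2001, 8, 6, 9, 0)),   # patched after the fact, and probed
    Host("web2", True, datetime(2001, 7, 21, 0, 0)),  # patched in July; the July probe hit a patched box
    Host("web3", True, None),                         # never patched, nothing in logs: still rebuild
    Host("db1", False, None),                         # no IIS exposure at all
]

if __name__ == "__main__":
    for name, v in triage(SAMPLE_HOSTS, SAMPLE_LOG).items():
        print(f"{name}: {v}")
```

The interesting row is web3: clean logs, nothing a scanner would flag, and it is still a rebuild, because the only thing that clears a host here is evidence it was patched before the window opened, not the lack of evidence of infection.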
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 09:22:34 PDT