Over the past couple of days some folks at Microsoft have been working on a tool to disinfect Code Red II systems. As discussed on the list the appropriate solution to a Code Red II infection is a full reinstall as the backdoor may have been used to compromise the system further, but this tools provides an alternative to those people not willing to go through a reinstall. You can find the tool at: http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp I'll reprint Microsoft's warning: * THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM. * IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS OF THE WORM - IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED. * WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE . IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN BEING PLACED BACK INTO SERVICE. -- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 11:06:05 PDT