Re: scans for root.exe

From: Daniel Harrison (danielhat_private)
Date: Thu Aug 16 2001 - 10:51:35 PDT


    Confirming from the outside whether it's Code Red or some other variant could be tough.
    I am not sure off the top of my head what the best method would be. Scanning for
    root.exe obviously is going to show machines that are infected by both
    sadmin/unicode and Code Red. However, the sadmin one defaces index.htm/.asp and
    default.htm/.asp, so you could search for multiple things. I also think that the CR
    v1 included a specific defacement that could help you determine which worm is the
    culprit.
    
    If my reading of the packet traces from the eEye scanner is correct, they are
    looking for the server to puke back an error code that matches "0xc0000005"; this
    error is seen on both NT and W2k machines. A patched machine will spit back
    "Error 0x80040e14 caught while processing query."
    
    
    -dan
    
    
    Christian Kuhtz wrote:
    
    > Jacek Lipkowski wrote:
    >
    > So, how the heck do you positively confirm CR (v1 & v2) infection then?  Seems
    > all the eEye scanner does is check the response of GET /scripts/root.exe which
    > according to what you just wrote isn't necessarily indicative of CR.
    >
    > Around here, we've had at least one case of suspected false positive (by eEye)
    > that would confirm that.  It had the root.exe backdoor, but it didn't have any
    > of the other signs of CRv2 (registry, no explorer.exe trojan etc).
    >
    > So, how do you positively confirm CRv2 infection from the outside?  I haven't
    > been able to find any conclusive documentation.  If I missed it, please give
    > me a point with a fence post.
    >
    > Thanks,
    > Chris
    >
    > --
    > Christian Kuhtz <ckat_private> -wk, <ckat_private> -hm
    > Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
    > "I speak for myself only."
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 15:25:14 PDT