Security Incidents mailing list archives
Re: Method to Clean up IIS servers hit by CRv2
From: "Ralph Mellor" <ralph () dimp com>
Date: Mon, 6 Aug 2001 13:27:22 -0500
So far I've been doing the following:

1. Patch the server.
2. Remove root.exe from the web directories.
3. Remove explorer.exe from c: and/or d:
4. Reboot.

My main question is: do you need to mess with the registry keys that it alters? Are these reset on reboot, or do you need to set them to some value? If so, what values? Or delete them altogether?
If you want to be sure the machine is clean, you need to wipe it and start from scratch. Unlike CR1, CR2 leaves a back door, and you don't know what other things have been done using that backdoor.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
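Added example, not from this thread or any of its posters: a read-only PowerShell audit of the Code Red II artefacts the two messages above argue about. The file names and registry values are the ones reported in public analyses of the worm (CERT advisory CA-2001-23 and the eEye write-up), not anything stated in this thread; the install paths are the worm's defaults and are assumed here. Per those analyses the trojan explorer.exe rewrites the registry values periodically while it runs, so a reboot with it still present restores them, and with it removed the values simply stay as last written. The script deliberately only reports, in line with the reply above: a host found with the backdoor on it should be rebuilt, not patched in place.

```powershell
# Read-only audit for Code Red II (CRv2) artefacts on an IIS host.
# Indicators are taken from public analyses of the worm (CERT CA-2001-23, eEye),
# not from this thread. Paths are the worm's defaults (assumed). Run elevated.
# The script reports and does not remove anything.

$findings = @()

# 1. root.exe (a copy of cmd.exe) dropped into the two script-mapped directories.
#    The SHA256 lets you confirm it is byte-identical to the system cmd.exe.
$rootExePaths = @(
    (Join-Path $env:SystemDrive 'inetpub\scripts\root.exe'),
    (Join-Path $env:SystemDrive 'Program Files\Common Files\System\msadc\root.exe')
)
foreach ($p in $rootExePaths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "root.exe present: $p (SHA256 $h)"
    }
}

# 2. Trojan explorer.exe in a drive root. The legitimate one lives in %SystemRoot%,
#    so an explorer.exe directly under C:\ or D:\ is not expected on a clean host.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $p = Join-Path $drive.Root 'explorer.exe'
    if (Test-Path -LiteralPath $p) { $findings += "explorer.exe in drive root: $p" }
}

# 3. Windows File Protection disabled. The worm writes SFCDisable = 0xFFFFFF9D;
#    PowerShell reads the DWORD as a negative Int32, hence the hex formatting.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = (Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($null -ne $sfc -and $sfc -ne 0) {
    $findings += ('SFCDisable = 0x{0:X8} (non-zero; worm writes 0xFFFFFF9D)' -f $sfc)
}

# 4. IIS 4/5 virtual roots. The worm adds /C and /D pointing at the drive roots and
#    rewrites /Scripts and /MSADC, all with the access mask ",,217" (write + execute).
$vroots = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
if (Test-Path -LiteralPath $vroots) {
    $props = Get-ItemProperty -Path $vroots
    foreach ($name in '/C', '/D', '/Scripts', '/MSADC') {
        $val = $props.$name
        if ($val -and $val -match ',217$') { $findings += "Virtual root $name = $val" }
    }
}

if ($findings.Count -eq 0) {
    'No CRv2 indicators found (this does not prove the host is clean).'
} else {
    $findings
}
```

Any hit in section 1, 2 or 4 is evidence the backdoor was installed, and at that point the useful question is no longer which registry values to restore but what else was done through root.exe or the /C and /D roots while they were reachable.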
Current thread:
- Method to Clean up IIS servers hit by CRv2 dmuz (Aug 06)
- Re: Method to Clean up IIS servers hit by CRv2 Ralph Mellor (Aug 06)
- <Possible follow-ups>
- RE: Method to Clean up IIS servers hit by CRv2 Doug . Barbin (Aug 06)
- RE: Method to Clean up IIS servers hit by CRv2 Walling, Ken (Aug 07)