Security Incidents mailing list archives

Why can't "experts" get it right? (Was Re: Symantec Report)


From: "Ralph Mellor" <ralph () dimp com>
Date: Mon, 6 Aug 2001 16:53:28 -0500

Symantec now has a free tool for code red III.

http://www.sarc.com/avcenter/venc/data/codered.v3.html

These guys suggest you patch now if you have not already,
*without making it clear that this is a very weak temporary
stop gap for any machine that was not already patched by
mid Friday*.

Basically, any W2K machine that *might* have been running
IIS, that *might* have been not patched before CRII, is very
suspect and should be wiped clean, asap. (After all, if I were
to own a CRII compromised PC, I'd install the patch and would
probably shut down IIS too.)

Although Symantec are clearly being misleading in their "report",
I'm assuming they weren't dumb enough to advise removal of a
detected backdoor by means other than wiping the machine; I
don't know, I didn't download their kit as it makes no difference
to my point about a machine being a backdoor suspect even if
no infection is detected.

However, Cnet went them one better with a story today:

In http://news.cnet.com/news/0-1003-200-6792918.html

they said:

"Fearnow said SANS is working on posting instructions for
removing the back door created by the new worm."

Yeah, right.

SANS actually say on their web site:

    Even if you do not find signs of infection, but your server
    has been left unpatched while [Code Red II] was circulating,
    you should reformat and reinstall.

I guess if one calls those instructions, Cnet's story is correct,
but methinks they just screwed up because they are utterly
clueless.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
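An added example, not part of Ralph's message and not Symantec's or SANS's tooling: a small triage script that applies the rule the message (and the SANS quote) argue for. It scans an IIS W3C log for Code Red II probes and compares them with the time the patch went on, but, crucially, it returns "reinstall" for a host that was unpatched and possibly reachable during the outbreak even when the log shows nothing, because a clean log is not evidence of a clean box. Assumptions not taken from the page: the log is in W3C extended format with the field order date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status; Code Red II requests appear as GET /default.ida with a query padded with a long run of "X" (Code Red I used "N" and installed no backdoor); the outbreak start is set to "mid Friday" (3 Aug 2001) as the message puts it; the log lines are constructed for the example, not real captures.

```python
"""Code Red II exposure triage over an IIS W3C log (added example, not from the
original post). Verdict rule: any CRII hit before patching -> reinstall; no hit
but IIS possibly reachable while unpatched during the outbreak -> reinstall;
patched before the outbreak, or IIS confirmed down -> keep."""
import re
from datetime import datetime

# "Mid Friday" per the message: assumed cut-off for "patched in time".
CRII_OUTBREAK_START = datetime(2001, 8, 3, 12, 0, 0)

# Assumed query signatures: CRII pads with 'X', CRI (no backdoor) with 'N'.
CRII_QUERY = re.compile(r"^X{20,}")
CRI_QUERY = re.compile(r"^N{20,}")

# Constructed sample log (not a real capture). Assumed field order in #Fields.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-04 21:12:33 10.0.0.5 GET /index.html - 200",
    "2001-08-04 22:05:11 10.9.8.7 GET /default.ida "
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 200",
    "2001-08-05 01:15:40 10.2.3.4 GET /default.ida "
    "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 200",
]


def _ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' (the W3C date+time form) into a datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_w3c(lines):
    """Yield (timestamp, client_ip, method, uri_stem, uri_query, status) per
    record, skipping blank lines and '#' directives. Field order is assumed."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        date, time, c_ip, method, stem, query, status = line.split()[:7]
        yield _ts(f"{date} {time}"), c_ip, method, stem, query, int(status)


def crii_hits(lines):
    """Return [(timestamp, client_ip, status)] for Code Red II probes that
    reached this server. Code Red I probes ('N' padding) are ignored."""
    return [
        (ts, ip, status)
        for ts, ip, method, stem, query, status in parse_w3c(lines)
        if method == "GET"
        and stem.lower() == "/default.ida"
        and CRII_QUERY.match(query)
    ]


def triage(lines, patched_at, iis_possibly_running):
    """Decide (verdict, reason) for one host.

    patched_at: 'YYYY-MM-DD HH:MM:SS' when the IIS patch was applied, or None
    if it never was. iis_possibly_running: True unless you can prove IIS was
    not reachable during the outbreak (the message's "*might* have been")."""
    patched = _ts(patched_at) if patched_at else None
    early = [h for h in crii_hits(lines) if patched is None or h[0] < patched]
    if early:
        ts, ip, _ = early[0]
        return "reinstall", f"Code Red II request from {ip} at {ts} before patch"
    if patched is not None and patched <= CRII_OUTBREAK_START:
        return "keep", "patched before Code Red II circulated"
    if iis_possibly_running:
        # No log evidence either way is not a clean bill of health.
        return "reinstall", "unpatched and possibly reachable during outbreak"
    return "keep", "IIS confirmed not reachable during the outbreak"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "2001-08-05 09:00:00", True))
    print(triage([], "2001-08-06 10:00:00", True))
```

The second call in the usage above is the case the message is about: an empty or uninformative log on a box patched only after the weekend still comes back "reinstall". Downloading a backdoor scanner changes nothing about that verdict; it can only add evidence for "reinstall", never evidence for "keep".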

