Security Incidents mailing list archives
Re: MSIIS servers patched/de-doored, but C and D keep coming back
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 14 Aug 2001 10:22:20 +1200 (NZST)
On Mon, 13 Aug 2001 16:27:35 -0400 Garreth Jeremiah/Markham/IBM <gjeremia () ca ibm com> wrote:
> I have been receiving a number of reports suggesting that on certain devices, after full patching and cleaning - the /C and /D keep coming back after a reboot. Anyone explain what is happening? Is this an IIS thing or a Windows thing?
We had one machine infected by the original Code Red in July. It was patched and rebooted and was fine (despite being exposed to lots of probes) until CR II arrived, when it was again compromised. This was a mild disaster since CR II then spread on our internal network behind the firewall.

[ yes we had scanned and shut down/patched *most* of the vulnerable systems regardless of whether they were protected by the firewall or not -- with 1000s of machines that come and go you never get them all :( ]

I too would be very interested to know how this happened and if there are any extra precautions one can take.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com