Security Incidents mailing list archives
RE: MSIIS servers patched/de-doored, but C and D keep coming back
From: "Garreth Jeremiah/Markham/IBM" <gjeremia () ca ibm com>
Date: Mon, 13 Aug 2001 19:17:55 -0400
Thank you to all who replied. I am recommending that the device be re-built - even before posting. Just needed to see if there was anything special going on.

Well, here is what I mean - we moved an (apparently) uninfected device into an isolated LAN and infected it there. System was cleaned, including all back doors and reg. code. However it appears that the /c and /d effects of virtual rooting the IIS server remain persistent across boots - even though we cleaned them. I am suggesting to the team that they re-image the machine, however I found this very weird. Of all devices tested so far there are approx 6 that have this occur (mostly French version of Win2k - not sure if we have an English version that is affected this way (yes it was patched with the French patch)).

Possible Causes: - decreasing likelihood
1) Another worm/virus
2) Weird interaction between HW/SW and patch (plus any 3rd party sware)
3) previously unseen side effect of CRII
4) CRx

Possible Resolution:
1) Check all of those damn "Run/RunOnce/RunExec" registry settings
2) Down the machine - reboot with NTFS capable boot disk - replace system.dat(/da0) and user.dat etc.
3) stop messing around and grab the backup CD. - R.E.L.O.A.D

It will be interesting to see if anyone else experiences this problem though.

______________________________
Garreth J Jeremiah.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
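An added audit script for the two persistence points the post names (the Run/RunOnce autostart keys and IIS virtual directories that map a URL path onto a bare drive root, the "/c" and "/d" symptom); this is not code from the original thread. It assumes a current Windows Server with the WebAdministration module; the IIS 5 metabase on the hosts in the post would have to be read through ADSI instead.

```powershell
# Added example, not from the original post. Lists autostart entries and flags
# any IIS virtual directory whose physical path is a whole drive (C:\, D:\).
# Assumption: WebAdministration module present (IIS 7 or later).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host '== Autostart entries (review each value by hand) =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties (PSPath, PSParentPath, ...)
        if ($p.Name -like 'PS*') { continue }
        '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
    }
}

Write-Host '== IIS virtual directories mapped to a drive root =='
Import-Module WebAdministration -ErrorAction Stop
$found = $false
foreach ($site in Get-Website) {
    foreach ($vdir in Get-WebVirtualDirectory -Site $site.Name) {
        # Expand %SystemDrive% and friends before testing for a bare root
        $phys = [System.Environment]::ExpandEnvironmentVariables($vdir.physicalPath)
        if ($phys -match '^[A-Za-z]:\\?$') {
            $found = $true
            # A vdir like /c -> C:\ hands every web client the whole volume;
            # it should be removed, and the host rebuilt if it reappears.
            'SUSPECT: site "{0}" path {1} -> {2}' -f $site.Name, $vdir.path, $phys
        }
    }
}
if (-not $found) { 'none found' }
```

Run it after each cleaning pass and again after a reboot; a drive-root mapping that returns between runs points at something still re-creating it rather than at a cleaning mistake.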
Current thread:
- MSIIS servers patched/de-doored, but C and D keep coming back Garreth Jeremiah/Markham/IBM (Aug 13)
- Re: MSIIS servers patched/de-doored, but C and D keep coming back Russell Fulton (Aug 13)
- RE: MSIIS servers patched/de-doored, but C and D keep coming back Mike Horne (Aug 14)
- <Possible follow-ups>
- RE: MSIIS servers patched/de-doored, but C and D keep coming back Garreth Jeremiah/Markham/IBM (Aug 14)
- Re: MSIIS servers patched/de-doored, but C and D keep coming back K P (Aug 14)
- Re: MSIIS servers patched/de-doored, but C and D keep coming back Gary Flynn (Aug 14)
- RE: MSIIS servers patched/de-doored, but C and D keep coming back Krull, Chris (Aug 14)
- RE: MSIIS servers patched/de-doored, but C and D keep coming back Davis, Matt (Aug 14)