From Paul.Vincent@uce.ac.uk Wed, 08 Aug 2001 01:34:45 -0700
From: Paul Vincent
Date: Wed, 08 Aug 2001 01:34:45 -0700
Subject: RE: Code Red
MIME-Version: 1.0
Content-Type: text/plain

We got that a few weeks ago - exactly the same message on one of our NT servers. This was before people were talking about "Code Red". Apparently it's known as the "sadmind" virus. It exploits a weakness in Solaris security to get into a Solaris server. From there, it sniffs out any NT servers (or networked workstations) which are running IIS, and then exploits an NT security loophole to replace the default webpage on the NT server with that "f*** the US Government" message.

Our sysadmins tell me this is well documented at all the usual virus information websites. Just look under "sadmind".

------------------------------------------------------------
Paul Vincent
Database Administrator, University of Central England
------------------------------------------------------------

> -----Original Message-----
> From: Kevin Kostyszyn [mailto:kevin@dulcian.com]
> Sent: 07 August 2001 18:27
> To: Multiple recipients of list ORACLE-L
> Subject: RE: Code Red
>
> Yeah, that's what I read. I had applied the patch and I don't have Code Red
> or Code Red II, however it appears that I have something else. It doesn't
> seem to have worked but it looks like someone tried to deface our website.
> It's just a message that says "f--k the us government and f--k poisonbox",
> not sure what to do with it yet.
> KK
>
> -----Original Message-----
> Brian
> Sent: Tuesday, August 07, 2001 12:56 PM
> To: Multiple recipients of list ORACLE-L
>
> The worm is just memory resident, so a reboot should get rid of it, BUT
> without the patch, you'll get it right back.
>
> The problem for the new version is it deposits a trojan backdoor on your
> server.
> McAfee dat 4152 is supposed to find the trojan, I'm sure other virus
> scanners are releasing versions also.
> Check with your anti-virus site.
>
> > -----Original Message-----
> > From: Kevin Kostyszyn [mailto:kevin@dulcian.com]
> > Sent: Tuesday, August 07, 2001 11:56 AM
> > To: Multiple recipients of list ORACLE-L
> > Subject: Code Red
> >
> > So does anyone know how to get rid of the virus if you got it?
> >
> > Sincerely,
> > Kevin Kostyszyn
> > DBA
> > Dulcian, Inc
> > www.dulcian.com
> > kevin@dulcian.com
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Kevin Kostyszyn
> > INET: kevin@dulcian.com
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access / Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
>
> --
> Author: Anderson, Brian
> INET: andersob@mail.dartnet.peachnet.edu