
RE: For those who got Code Red in the face

From: Jack C. Applewhite <japplewhite_at_inetprofit.com>
Date: Mon, 06 Aug 2001 14:53:48 -0700
Message-ID: <F001.003622F9.20010806142526@fatcity.com>

Our webserver got hit a couple of weeks ago. It got cleaned up and the security patch(es) applied. I thought nothing more about it.

However, I think it or a variant got three of our other Win2k servers that don't run IIS at all. Yesterday I found a strange process, VMGR32.exe, chewing up 50% CPU on our production db server. The file, in C:\WinNT\System32, was dated 07/30/2001 08:40pm. Another file, acer4.exe, of exactly the same size, 272KB, had exactly the same datetime. Neither file shows the usual "Version" tab in the Properties window (after right click on the file). I searched the Microsoft site and did a Google search on both, with zero hits. Suspicious...

I checked out http://www.net-security.org/text/articles/coverage/code-red/ but couldn't see any similarities until it suggested running netstat -an to see if your server was connecting to dozens of random IP addresses at port :80. I did and ours was!

I changed the service "Remote Administration Service" (which loads VMGR32.exe) to Manual and rebooted the servers. The connections to random IP addresses at port :80 have stopped and VMGR32.exe is no longer running as a process.

I also installed Win2k Service Pack 2.

I hope I've squashed this worm! Have I? Are the port :80 connections and VMGR32.exe related or have I been chasing the wrong culprit? The NT sysadmin at our colocation facility isn't a lot of help (one reason we're looking to switch pretty soon!), so I'm kind of at a loss.

Any suggestions?

Thanks.

Jack



Jack C. Applewhite
Database Administrator/Developer
OCP Oracle8 DBA
iNetProfit, Inc.
Austin, Texas
www.iNetProfit.com
japplewhite_at_inetprofit.com
(512)327-9068

-----Original Message-----
dgoulet_at_vicr.com
Sent: Monday, August 06, 2001 2:24 PM
To: Multiple recipients of list ORACLE-L

New worm targets same systems as Code Red

Security analysts warned that a new and potentially dangerous worm began circulating over the weekend, targeting the same Windows-based servers as the high-profile Code Red worm.

http://computerworld.com/nlt/1%2C3590%2CNAV47_STO62834_NLTAM%2C00.html
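The netstat -an check Jack describes, written up as an added detection script (not part of the original thread): it parses Windows-style `netstat -an` output, counts the distinct foreign hosts the machine is connecting *to* on port 80, and ignores inbound traffic to a local web server so an IIS box is not mistaken for a scanning one. The sample output, the addresses in it and the threshold of 5 are constructed assumptions.

```python
"""Flag a host whose `netstat -an` output shows worm-like fan-out to port 80."""
import re
from collections import Counter

# Constructed sample of Windows 2000 `netstat -an` output (not from the post).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            203.0.113.5:2211       ESTABLISHED
  TCP    10.0.0.5:1521          10.0.0.7:3456          ESTABLISHED
  TCP    10.0.0.5:1045          198.51.100.17:80       SYN_SENT
  TCP    10.0.0.5:1046          203.0.113.88:80        SYN_SENT
  TCP    10.0.0.5:1047          192.0.2.201:80         ESTABLISHED
  TCP    10.0.0.5:1048          198.51.100.230:80      SYN_SENT
  TCP    10.0.0.5:1049          203.0.113.9:80         SYN_SENT
  TCP    10.0.0.5:1050          192.0.2.77:80          SYN_SENT
  UDP    0.0.0.0:161            *:*
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_tcp(netstat_text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state

def outbound_fanout(netstat_text, port=80):
    """Count distinct foreign hosts we are connecting *to* on `port`.
    Inbound service traffic carries the port on the local side and is skipped,
    so a server that merely serves port 80 is not flagged."""
    remotes = Counter()
    for _lip, lport, rip, rport, state in parse_tcp(netstat_text):
        if rport == port and lport != port and state in ("SYN_SENT", "ESTABLISHED"):
            remotes[rip] += 1
    return remotes

def looks_like_scanner(netstat_text, port=80, threshold=5):
    """True when the host talks to at least `threshold` distinct hosts on `port`;
    random targets rarely answer, so most rows sit in SYN_SENT (assumed threshold)."""
    return len(outbound_fanout(netstat_text, port)) >= threshold

if __name__ == "__main__":
    fan = outbound_fanout(SAMPLE_NETSTAT)
    print(f"{len(fan)} distinct hosts on :80, suspicious={looks_like_scanner(SAMPLE_NETSTAT)}")
```

On a live box, feed the script the saved output of `netstat -an` and compare the flagged foreign addresses against what the server should legitimately talk to.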

Received on Mon Aug 06 2001 - 16:53:48 CDT
