
RE: Code Red

From: Anderson, Brian <andersob_at_mail.dartnet.peachnet.edu>
Date: Wed, 08 Aug 2001 07:57:31 -0700
Message-ID: <F001.0036433A.20010808072109@fatcity.com>

Can read all about sadmind at CERT.

http://www.cert.org/advisories/CA-2001-11.html

> -----Original Message-----
> From: Kevin Kostyszyn [mailto:kevin_at_dulcian.com]
> Sent: Wednesday, August 08, 2001 10:11 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: Code Red
>
>
> Paul,
> Thanks for the assist, I tried to find the name on line but definitely
> couldn't find it. Interesting thing though, we don't have Solaris machines
> here, so I am assuming it can exploit the NT weakness on its own!
> KK
>
> -----Original Message-----
> Vincent
> Sent: Wednesday, August 08, 2001 5:46 AM
> To: Multiple recipients of list ORACLE-L
>
>
> We got that a few weeks ago - exactly the same message on one of our NT
> servers. This was before people were talking about "Code Red". Apparently
> it's known as the "sadmind" virus. It exploits a weakness in Solaris
> security to get into a Solaris server. From there, it sniffs out any NT
> servers (or networked workstations) which are running IIS, and then exploits
> an NT security loophole to replace the default webpage on the NT server with
> that "f*** the US Government" message. Our sysadmins tell me this is well
> documented at all the usual virus information websites. Just look under
> "sadmind".
>
> ------------------------------------------------------------
> Paul Vincent
> Database Administrator, University of Central England
> ------------------------------------------------------------
>
> > -----Original Message-----
> > From: Kevin Kostyszyn [mailto:kevin_at_dulcian.com]
> > Sent: 07 August 2001 18:27
> > To: Multiple recipients of list ORACLE-L
> > Subject: RE: Code Red
> >
> >
> > Yeah, that's what I read. I had applied the patch and I don't have Code Red
> > or Code Red II, however it appears that I have something else. It doesn't
> > seem to have worked but it looks like someone tried to deface our website.
> > It's just a message that says "f--k the us government and f--k poisonbox",
> > not sure what to do with it yet.
> > KK
> >
> > -----Original Message-----
> > Brian
> > Sent: Tuesday, August 07, 2001 12:56 PM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > The worm is just memory resident, so a reboot should get rid of it, BUT
> > without the patch, you'll get it right back.
> >
> > The problem for the new version is it deposits a trojan backdoor on your
> > server.
> > McAfee dat 4152 is supposed to find the trojan, I'm sure other virus
> > scanners are releasing versions also. Check with your anti-virus site.
> >
> > > -----Original Message-----
> > > From: Kevin Kostyszyn [mailto:kevin_at_dulcian.com]
> > > Sent: Tuesday, August 07, 2001 11:56 AM
> > > To: Multiple recipients of list ORACLE-L
> > > Subject: Code Red
> > >
> > >
> > > So does anyone know how to get rid of the virus if you got it?
> > >
> > > Sincerely,
> > > Kevin Kostyszyn
> > > DBA
> > > Dulcian, Inc
> > > www.dulcian.com
> > > kevin_at_dulcian.com
> > >
> > > --
> > > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > > --
> > > Author: Kevin Kostyszyn
> > > INET: kevin_at_dulcian.com
> > >
> > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > > San Diego, California -- Public Internet access / Mailing Lists
> > > --------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > (or the name of mailing list you want to be removed from). You may
> > > also send the HELP command for other information (like subscribing).
> > >

Received on Wed Aug 08 2001 - 09:57:31 CDT
