Install the cumulative IIS patch before connecting your server to the
Internet again.
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
The original version of Code Red can be cleaned by rebooting... Do a search
on your HD for ROOT.EXE, if you find it (likely in the \inetpub\scripts
directory) then you're likely infected with Code Red II... Search MS's site
for their removal tool (sorry, don't have the URL handy).
JoeP
-----Original Message-----
From: Fabrig, Amado [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 1:02 PM
To: Exchange Discussions
Subject: RE: Code red
have you applied the security patch?
> -----Original Message-----
> From: Chris Haaker [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, August 20, 2001 10:56 AM
> To: Exchange Discussions
> Subject: OT: Code red
>
> anyone have an idea that has been working with code red?
>
> I have a win2k server that was infected. I re-formatted all hard
> drives, re-installed OS w/SP2 built-in and patched for CR. Within
> about 10 minutes I was infected again according to the w3svc log and
> the symantec scanner for code red.
>
> disconnected from network and did same as above. Ran the patch from a
> floppy. re-connected to the network, ran the new MS Security scanner
> at: www.microsoft.com/technet/mpsa/start.asp and applied all hotfixes
> there as well. Note: I ran the CR hotfix and rebooted before I ever
> attached to the network. 1 hour later CR shows up in the w3svc log
> again and symantec scanner says I am infected again.
>
> Ideas?
>
> ---------------------------------------------------------
> I was thinking about how people seem to read the Bible a whole lot
> more as they get older, then it dawned on me...they were cramming for
> their finals...
> ---------------------------------------------------------
>
>
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
