I tried to send the log entry for you to look at, but the AV on the Exchange
list kicks it out. Can you tell me what to look for in the log entry to
determine if it was successful or not? I thought you only saw the
ida.xxxxxxxxxxxxxx entry if it *was* successful.
TIA
Chris
---------------------------------------------------------
I was thinking about how people seem to read the Bible a whole lot more as
they get older, then it dawned on me...they were cramming for their
finals...
---------------------------------------------------------
----- Original Message -----
From: "Andy David" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Monday, August 20, 2001 1:16 PM
Subject: RE: Code red
> But he's apparently seeing it in the logs as well.
> Chris, What do the w3svc logs say? Is the attack successful or not?
> You can test your server here:
> http://www.eeye.com/html/Research/Tools/codered.html
>
> Andy David
> J Muller International
>
> -----Original Message-----
> From: Bill Kuhn - MCSE [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 20, 2001 1:02 PM
> To: Exchange Discussions
> Subject: RE: Code red
>
>
> Get rid of the Symantec scanner. My dead grandma has a better chance of
> telling you accurately whether you have Code Red.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Haaker
> Sent: Monday, August 20, 2001 11:56 AM
> To: ExchangeList@swynk
> Subject: OT: Code red
>
>
> Anyone have an idea that has been working with Code Red?
>
> I have a Win2k server that was infected. I re-formatted all hard drives,
> re-installed OS w/SP2 built-in and patched for CR. Within about 10 minutes I
> was infected again according to the w3svc log and the Symantec scanner for
> Code Red.
>
> Disconnected from network and did same as above. Ran the patch from a
> floppy. Re-connected to the network, ran the new MS Security scanner at:
> www.microsoft.com/technet/mpsa/start.asp and applied all hotfixes there as
> well. Note: I ran the CR hotfix and rebooted before I ever attached to the
> network. 1 hour later CR shows up in the w3svc log again and Symantec
> scanner says I am infected again.
>
> Ideas?
>
> ---------------------------------------------------------
> I was thinking about how people seem to read the Bible a whole lot more as
> they get older, then it dawned on me...they were cramming for their
> finals...
> ---------------------------------------------------------
>
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]