I seem to be having a similar issue.  The server runs just fine for less
than a day, then (and it's typically in the middle of the night this
happens), the inetinfo process thread-count and current-connected-users
start to climb.  It just climbs slowly, then one or more sites will lock
up.  I'm all patched, and I can't detect any of the signs of a backdoor that
have been noted here.  Any ideas?


----- Original Message -----
From: "Tony Gray - System Administrator" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 07, 2001 3:26 PM
Subject: RE: [IMail Forum] New CodeRed like virus


> Do a filesystem search for:
> explorer.exe
> root.exe
> cmd.exe
>
> See if you find any in a folder other than C:\winnt\  Finding them in other
> locations indicates that Code Red II might have hit your machine.  See:
> http://www.sarc.com/avcenter/venc/data/codered.v3.html
>
> - Tony
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Domain
> Administrator
> Sent: Tuesday, August 07, 2001 11:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] New CodeRed like virus
>
>
> I am having the EXACT same problems... and I KNOW I have the patch on ALL my
> servers.
>
> I have noticed that the "CodeRed" attack IS different this time...
>
> Last time it was: GET /default.ida NNNNNNN...
>
> This time it is: GET /default.ida XXXXXXXX...
>
> Sure would like to figure it out!
>
>
> ----- Original Message -----
> From: "Steve Polyak" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, August 06, 2001 3:37 PM
> Subject: [IMail Forum] New CodeRed like virus
>
>
> > Has anyone been running into what seems to be a CodeRed Virus?  I have my
> > IIS web services stopping anywhere from a minute to an hour after reboot.
> > FTP services seem to be unaffected.  I have the patches installed from
> > Microsoft since the last attack and have installed it a number of times
> > since.  I have tested the server using the CodeRed test from Norton and it
> > says everything is ok.  I do see the new Code Red getting logged into my log
> > files as GET /default.ida XXXXXXXX and so forth but the server does not
> > really seem to crash.  But when I try to restart the computer or restart web
> > services the Events log says     Also I have noticed that sometimes when
> > Inetinfo.exe Dr. Watson's the computer with blue screen and reboot.  Also
> > sometimes I will see my SQL 7 server which is on the same machine become
> > busy.  I have the latest Norton installed and up to date and also have now
> > installed IIS Secure and the problem still occurs.  It only started on Friday
> > like this and I am running out of ideas.  Anyone else been having the same
> > problem?  I have had one server do it a couple times in the last couple days
> > and it did run SQL 7 at one point.  The other servers seem to be fine.
> >
> > Thanks
> >
> > Steve
> >
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
> > An Archive of this list is available at:
> > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >
> >
>
>
>
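
Added example, not part of any message in this thread: a Python triage script for the two checks the posters describe, sorting `GET /default.ida` log hits by the reported padding letter (N versus X) and flagging `explorer.exe`, `root.exe` or `cmd.exe` found outside `C:\winnt\`. The log lines, addresses and file paths are constructed samples, and treating subfolders of `C:\winnt\` as expected locations is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Matches "GET /default.ida" followed by a run of one padding letter (N or X).
# A "?" or a space may separate path and padding, depending on the log format.
IDA_HIT = re.compile(r"(?i:GET\s+/default\.ida)[?\s]+([NX])\1{7,}")

WATCHED_NAMES = {"explorer.exe", "root.exe", "cmd.exe"}
EXPECTED_ROOT = PureWindowsPath(r"C:\winnt")  # assumption: subfolders count as expected


def classify_request(line):
    """Return 'N' or 'X' for a padded /default.ida request, else None."""
    match = IDA_HIT.search(line)
    return match.group(1) if match else None


def summarize_log(lines):
    """Count padded /default.ida hits per padding letter."""
    counts = {}
    for line in lines:
        pad = classify_request(line)
        if pad:
            counts[pad] = counts.get(pad, 0) + 1
    return counts


def suspicious_paths(paths):
    """Return watched file names that sit outside the expected winnt tree."""
    flagged = []
    for raw in paths:
        path = PureWindowsPath(raw)
        # PureWindowsPath compares case-insensitively, as the filesystem does.
        if path.name.lower() in WATCHED_NAMES and EXPECTED_ROOT not in path.parents:
            flagged.append(raw)
    return flagged


# Constructed sample data (not taken from any real server).
SAMPLE_LOG = [
    "2001-08-01 02:14:07 192.0.2.15 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN",
    "2001-08-06 03:41:52 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX",
    "2001-08-06 03:42:10 203.0.113.9 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX",
    "2001-08-06 03:43:00 192.0.2.44 GET /index.htm -",
]
SAMPLE_PATHS = [r"C:\WINNT\explorer.exe", r"C:\WINNT\system32\cmd.exe",
                r"C:\explorer.exe", r"C:\inetpub\scripts\root.exe",
                r"D:\explorer.exe", r"C:\inetpub\wwwroot\index.htm"]
```

Feed `suspicious_paths` the output of a recursive directory listing and `summarize_log` the lines of the IIS log files.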

