Brian:
Apply the patch again. Restart again.
Make certain that the last thing that you did was apply the patch.
I had some unusual behavior from my server after applying the patch, and
had to re-apply.
All seems to be OK so far.
Adolph Santorine
Schedule Star
At 09:26 AM 8/8/2001 -0500, you wrote:
>I seem to be having a similar issue. The server runs just fine for less
>than a day, then (and its typically in the middle of the night this
>happens), the inetinfo process thread-count and current-connected-users
>starts to climb. It just climbs slowly, then one or more sites will lock
>up. I'm all patched, and I can't detect any of the signs of a backdoor that
>have been noted here. Any ideas?
>
>
>----- Original Message -----
>From: "Tony Gray - System Administrator" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, August 07, 2001 3:26 PM
>Subject: RE: [IMail Forum] New CodeRed like virus
>
>
> > Do a filesystem search for:
> > explorer.exe
> > root.exe
> > cmd.exe
> >
> > See if you find any in a folder other than C:\winnt\ Finding them in
>other
> > locations indicates that Code Red II might have hit your machine. See:
> > http://www.sarc.com/avcenter/venc/data/codered.v3.html
> >
> > - Tony
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Domain
> > Administrator
> > Sent: Tuesday, August 07, 2001 11:51 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [IMail Forum] New CodeRed like virus
> >
> >
> > I am having the EXACT same problems... and I KNOW I have the patch on ALL
>my
> > servers.
> >
> > I have noticed that the "CodeRed" attack IS different this time...
> >
> > Last time it was: GET /default.ida NNNNNNN...
> >
> > This time it is: GET /default.ida XXXXXXXX...
> >
> > Sure would like to figure it out!
> >
> >
> > ----- Original Message -----
> > From: "Steve Polyak" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, August 06, 2001 3:37 PM
> > Subject: [IMail Forum] New CodeRed like virus
> >
> >
> > > Has anyone been running into what seems to be a CodeRed Virus. I have
>my
> > > IIS web services stopping anywhere from a minute to an hour after
>reboot.
> > > FTP services seem to be unaffected. I have the patches installed from
> > > Microsoft since the last attack and have installed it a number of times
> > > since. I have tested the server using the CodeRed test from Norton and
>it
> > > says everything is ok. I do see the new Code Red getting logged into my
> > log
> > > files as GET /default.ida XXXXXXXX and so forth but the server does not
> > > really seem to crash. But when I try to restart the computer or restart
> > web
> > > services the Events log says Also I have noticed that sometimes when
> > > Inetinfo.exe Dr. Watson's the computer with blue screen and reboot.
>Also
> > > sometimes I will see my SQL 7 server which is on the same machine become
> > > busy. I have the latest Norton installed and up to date and also have
>now
> > > install IIS Secure and the problem still occurs. It only started on
> > Friday
> > > like this and I am running out of ideas. Anyone else been having the
>same
> > > problem? I have had one server do it a couple time in the last couple
> > days
> > > and it did run SQL 7 at one point. The other servers seem to be fine.
> > >
> > > Thanks
> > >
> > > Steve
> > >
> > >
> > > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > to be removed from this list.
> > >
> > > An Archive of this list is available at:
> > > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > >
> > >
> >
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
> > An Archive of this list is available at:
> > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
> > An Archive of this list is available at:
> > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >
>
>
>Please visit http://www.ipswitch.com/support/mailing-lists.html
>to be removed from this list.
>
>An Archive of this list is available at:
>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
