I have never seen, nor know of, a way to inject code into the SAM w/out leaving it useless. I think you are very safe to do this; where is your pre-infection backup? He he… Like one of our other buddies said (K Miller), “…You’ve been hacked…Only safe thing is to format, and reinstall…” Adding back post-infection data is not safe, unless you can be 100% sure. I think you are, but I am not 100% sure either!

jlc

-----Original Message-----

I know I patched this server but I am not taking any more chances.

Hello Folks -

It appears one of my servers got the backdoor worm - I can scan it sometimes and it shows clean, and other times a memory scan shows an infection. There is no root.exe file anywhere on the server so I am not totally convinced, but I prefer not to take chances.

I have disabled the www service for now and am backing up my data. I am wondering if there is a way to recover my SAM database without running a risk of re-infection? I can recreate it but it would add hours to this and I would prefer not to. Since I do not know when the infection took place, I am not sure of a reliable pre-infection backup, so I am not even going to attempt that route.

Would an ERD made today have the SAM? Should I trust it if it does?

The server is a P111 with 2 gigs of RAM, Win2k SP2, SQL 7, IIS 5 - web server - no standalone - no domain.

TIA

Jim

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
Title: Code Red Got me
