Security Incidents mailing list archives

Re: MSIIS servers patched/de-doored, but C and D keep coming back


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 14 Aug 2001 10:22:20 +1200 (NZST)


On Mon, 13 Aug 2001 16:27:35 -0400 Garreth Jeremiah/Markham/IBM 
<gjeremia () ca ibm com> wrote:

> I have been receiving a number of reports suggesting that on certain
> devices, after full patching and cleaning - the /C and /D keep coming back
> after a reboot.
>
> Anyone explain what is happening?  Is this an IIS thing or a Windows thing?

We had one machine infected by the original Code Red in July.  It was 
patched and rebooted and was fine (despite being exposed to lots of 
probes) until CR II arrived when it was again compromised.  This was a 
mild disaster since CR II then spread on our internal network behind 
the firewall. 

[ yes we had scanned and shutdown/patched *most* of the vulnerable 
systems regardless of whether they were protected by the firewall or 
not -- with 1000s of machines that come and go you never get them all 
:( ]

I too would be very interested to know how this happened and if there 
are any extra precautions one can take.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com