Here is a fix for the Code Red worm:
1) Find the systems' IP addresses (the squid access.log appears fine)
2) Figure out whether it's Code Red version 1 or 2:
to do it, look in the systems' filesystem for a file named root.exe
Case 1) No root.exe
Congratulations, it's Code Red 1.
Cure:
1) Stop IIS.
2a) If it's not necessary to run it, disable it and don't start it ever again. Reboot (just for safety). You're cured.
2b) If you really have to run IIS, apply the hotfix from Microsoft:
WinNT4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Win2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800.
Reboot. You're cured.
Case 2) You have a root.exe
It's Code Red 2. You're in a bit more trouble, but you'll manage.
Cure:
1) Stop IIS.
2) Remove all instances of root.exe
3) attrib -s -h -r c:\explorer.exe
if you have a d: drive
attrib -s -h -r d:\explorer.exe
4) del c:\explorer.exe
if you have a d: drive
del d:\explorer.exe
5) If you fail to remove either, open up the Task Manager and locate processes named explorer.exe. There should be two, one using a couple of megs of RAM and one using about 500k. Kill the smaller one, then repeat 4.
6) Stop IIS.
7a) If you don't need IIS running on that server, disable it, the WWW publishing service and the FTP publishing service and don't start them ever again (at least until Win2k SP3). Reboot. You're cured.
7b) If you need IIS, apply the same hotfix as above. Reboot. You're cured.
This is not, I repeat this is NOT a problem with Squid. It's a bug in MS-IIS 4.0 and 5.0 in conjunction with MS-Indexing service.
-- /kinkie
Received on Tue Aug 07 2001 - 04:52:30 MDT
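As an added example (not part of kinkie's post, and not Squid or Microsoft code), a small Python triage script that encodes the decision above: it looks for root.exe under the web root and for a dropped explorer.exe at each drive root, then reports which case applies and which cure steps follow. The web root and drive paths are assumptions passed in by the caller, and the sample tree it triages is constructed in a temp directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Indicators named in the post: root.exe under the web tree means Code Red 2,
# and the worm also drops a hidden/system explorer.exe at the root of c:\ and d:\.
HIDDEN_OR_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)

def find_named(tree: Path, name: str) -> list[str]:
    """Return every file under `tree` called `name` (case-insensitive, like NTFS)."""
    return sorted(str(Path(d) / f) for d, _, files in os.walk(tree)
                  for f in files if f.lower() == name)

def is_hidden_or_system(path: Path) -> bool:
    """True if the S or H attribute (what `attrib -s -h -r` strips) is set; always False off Windows."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_OR_SYSTEM)

def triage(web_root: Path, drive_roots: list[Path]) -> dict:
    """Apply the post's rule: any root.exe -> Code Red 2, otherwise Code Red 1; also list dropped explorer.exe copies."""
    root_exes = find_named(web_root, "root.exe")
    explorers = [d / "explorer.exe" for d in drive_roots if (d / "explorer.exe").is_file()]
    return {
        "variant": 2 if root_exes else 1,
        "root_exe": root_exes,
        "explorer_exe": [{"path": str(p), "hidden_or_system": is_hidden_or_system(p)} for p in explorers],
        "next_step": ("stop IIS, remove root.exe and the dropped explorer.exe, then hotfix or disable IIS"
                      if root_exes else "stop IIS, then hotfix or disable IIS"),
    }

def build_constructed_sample(base: Path) -> tuple[Path, list[Path]]:
    """Constructed sample (not a real host): an IIS-like web root with root.exe, plus fake c: and d: roots."""
    web_root = base / "inetpub"
    (web_root / "scripts").mkdir(parents=True)
    (web_root / "scripts" / "root.exe").write_bytes(b"MZ")  # placeholder bytes, not the worm
    drive_c, drive_d = base / "c", base / "d"
    drive_c.mkdir()
    drive_d.mkdir()
    (drive_c / "explorer.exe").write_bytes(b"MZ")  # only c: carries the dropped copy in this sample
    return web_root, [drive_c, drive_d]

def demo() -> dict:
    """Triage the constructed infected tree and an empty (clean) one."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        web_root, drives = build_constructed_sample(base)
        infected = triage(web_root, drives)
        (base / "clean").mkdir()
        clean = triage(base / "clean", [base / "clean"])
    return {"infected": infected, "clean": clean}

if __name__ == "__main__":
    print(demo())
```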