Just a question on CODERED, which I suspect hit (but didn't
infect, and of that I am not quite sure of my explanation; that's why
I'd like your comments) my server. It has an ISDN dial-up to the
Lately I noticed my server, an SBS 4.5 SP6a, became slower
and slower. I also found my internet services were stopped
periodically. I read the posts in that newsgroup and I immediately
applied the security patch, since those problems, as I read, were
caused by the CODERED worm. Now it is working as well as at the
very beginning of its story :-).
I expected some clue of the attack (such as the backdoor that
the worm leaves in the registry and in /scripts, as I read in
the description F-Secure made of the worm), but I didn't find any
of them: no root.exe in /inetpub/scripts, no registry altered...
I wondered if I kept a more or less secure server because the IIS
services are running under a specific account, to which I didn't
grant any rights at all... Am I right when I say the worm cannot
gain administration rights, since its attack will only run under
that specific account?
If so, it could explain why there was no root.exe copied: IUSR_xx
has no rights at all (not even read access) on my hard disks
except in the inetpub folder. Nor does it have rights to read or write
the registry. Indeed I spent a lot of time checking the server
security and user rights after setup.
I also did not set up the inet folders the standard way: they are not located
in C:\inetpub but in another folder structure on another drive. I
supposed that also saved me from being infected the clever way ;-)
as I know some viruses may be real dummies as well (besides, I
thought CODERED could not be very large, since it takes advantage
of a buffer overflow and the buffer might not be that large, so the
worm, I thought, had to make assumptions)...
What do you think? Have I cleverly secured my system, or am
I just lucky because my system is a French version of SBS? I just
Thanks a lot for your remarks and comments. They are welcome.