CR worm infection attempts

Craig White plug-discuss@lists.PLUG.phoenix.az.us
Sat, 11 Aug 2001 10:28:09 -0700


> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Kim
> Allen
> Sent: Saturday, August 11, 2001 9:30 AM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: CR worm infection attempts
>
>
> I had sent them a simple message the first time around. When the response
> came and it was obvious they did not believe me I sent them the log
> listings showing all of the attempts from their server. That's when they
> sent me a message saying that they have all of the latest enterprise
> level virus software with updates, all of their servers are behind
> firewalls and they have applied all of the required patches to the IIS
> server (which they also said does not exist on the machine in question).
> Then they informed me that since they do software development if I insist
> on sending email about "my" problem they will be forced to take legal
> action. I was then also told not to believe everything I read or hear in
> the news.
>
----
I believe that the Greeks used to kill the messenger - things haven't
changed much over time. C'est la vie.

Installing the patches AFTER you've been rooted is not even as good as
locking the barn door after the horse is gone. A worm that replaces
explorer.exe on a Windows system cannot be fixed with a 'patch' nor will it
remove all the other files introduced to a compromised system. This said
however, we must concern ourselves with that which we are responsible for
and as for the others, well, I believe that it all goes dormant on the 21st
thru the 31st and by October, it all goes bye bye - save for those that
have been rooted - patched or unpatched. Thankfully, they will have little
in their logs to indicate just how much damage has been done, the ignorance
is bliss thing.

Craig