6600
社区成员
- 全部
- 问答
win2000怀疑中了红色代号病毒,请各位诊治
只要拨号上网,modem就开始上传数据,我捕获了部分数据,请各位诊治,如果是红色代号,如何杀除?万分感谢,我的机器名是webserver,ip是192.168.0.1
1 0.020029 XEROX 000000 96D520000200 TCP ....S., len: 0, seq:1073851620-1073851620, ack: 0, win: 8760, src: 3690 dst: 80 WEBSERVER 192.168.242.19 IP
Frame: Base frame properties
Frame: Time of capture = 2001-8-5 16:0:46.505
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 1
Frame: Total frame length: 62 bytes
Frame: Capture frame length: 62 bytes
Frame: Frame data: Number of data bytes remaining = 62 (0x003E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 96D520000200
ETHERNET: .......0 = Individual address
ETHERNET: ......1. = Locally administered address
ETHERNET: Source address : 000002000000
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 62 (0x003E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 48 (0x0030)
IP: ID = 0x4C74; Proto = TCP; Len: 48
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 48 (0x30)
IP: Identification = 19572 (0x4C74)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x38FA
IP: Source Address = 61.137.133.20
IP: Destination Address = 192.168.242.19
IP: Data: Number of data bytes remaining = 28 (0x001C)
TCP: ....S., len: 0, seq:1073851620-1073851620, ack: 0, win: 8760, src: 3690 dst: 80
TCP: Source Port = 0x0E6A
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 1073851620 (0x4001ACE4)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 28 (0x1C)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0xEFED
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Maximum Segment Size Option
TCP: Option Type = Maximum Segment Size
TCP: Option Length = 4 (0x4)
TCP: Maximum Segment Size = 1460 (0x5B4)
TCP: Option Nop = 1 (0x1)
TCP: Option Nop = 1 (0x1)
TCP: SACK Permitted Option
TCP: Option Type = Sack Permitted
TCP: Option Length = 2 (0x2)
00000: 96 D5 20 00 02 00 00 00 02 00 00 00 08 00 45 00 Õ ...........E.
00010: 00 30 4C 74 40 00 80 06 38 FA 3D 89 85 14 C0 A8 .0Lt@..8ú= .À¨
00020: F2 13 0E 6A 00 50 40 01 AC E4 00 00 00 00 70 02 ò..j.P@.¬ä....p.
00030: 22 38 EF ED 00 00 02 04 05 B4 01 01 04 02 "8ïí.....´....
2 0.030043 XEROX 000000 96D520000200 TCP ....S., len: 0, seq:1078731693-1078731693, ack: 0, win: 8760, src: 3774 dst: 80 WEBSERVER 192.168.157.84 IP
Frame: Base frame properties
Frame: Time of capture = 2001-8-5 16:0:46.515
Frame: Time delta from previous physical frame: 10014 microseconds
Frame: Frame number: 2
Frame: Total frame length: 62 bytes
Frame: Capture frame length: 62 bytes
Frame: Frame data: Number of data bytes remaining = 62 (0x003E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 96D520000200
ETHERNET: .......0 = Individual address
ETHERNET: ......1. = Locally administered address
ETHERNET: Source address : 000002000000
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 62 (0x003E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 48 (0x0030)
IP: ID = 0x4C75; Proto = TCP; Len: 48
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 48 (0x30)
IP: Identification = 19573 (0x4C75)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x8DB8
IP: Source Address = 61.137.133.20
IP: Destination Address = 192.168.157.84
IP: Data: Number of data bytes remaining = 28 (0x001C)
TCP: ....S., len: 0, seq:1078731693-1078731693, ack: 0, win: 8760, src: 3774 dst: 80
TCP: Source Port = 0x0EBE
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 1078731693 (0x404C23AD)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 28 (0x1C)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0xCD45
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Maximum Segment Size Option
TCP: Option Type = Maximum Segment Size
TCP: Option Length = 4 (0x4)
TCP: Maximum Segment Size = 1460 (0x5B4)
TCP: Option Nop = 1 (0x1)
TCP: Option Nop = 1 (0x1)
TCP: SACK Permitted Option
TCP: Option Type = Sack Permitted
TCP: Option Length = 2 (0x2)
00000: 96 D5 20 00 02 00 00 00 02 00 00 00 08 00 45 00 Õ ...........E.
00010: 00 30 4C 75 40 00 80 06 8D B8 3D 89 85 14 C0 A8 .0Lu@..¸= .À¨
00020: 9D 54 0E BE 00 50 40 4C 23 AD 00 00 00 00 70 02 T.¾.P@L#....p.
00030: 22 38 CD 45 00 00 02 04 05 B4 01 01 04 02 "8ÍE.....´....
1 0.020029 XEROX 000000 96D520000200 TCP ....S., len: 0, seq:1073851620-1073851620, ack: 0, win: 8760, src: 3690 dst: 80 WEBSERVER 192.168.242.19 IP
Frame: Base frame properties
Frame: Time of capture = 2001-8-5 16:0:46.505
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 1
Frame: Total frame length: 62 bytes
Frame: Capture frame length: 62 bytes
Frame: Frame data: Number of data bytes remaining = 62 (0x003E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 96D520000200
ETHERNET: .......0 = Individual address
ETHERNET: ......1. = Locally administered address
ETHERNET: Source address : 000002000000
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 62 (0x003E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 48 (0x0030)
IP: ID = 0x4C74; Proto = TCP; Len: 48
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 48 (0x30)
IP: Identification = 19572 (0x4C74)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x38FA
IP: Source Address = 61.137.133.20
IP: Destination Address = 192.168.242.19
IP: Data: Number of data bytes remaining = 28 (0x001C)
TCP: ....S., len: 0, seq:1073851620-1073851620, ack: 0, win: 8760, src: 3690 dst: 80
TCP: Source Port = 0x0E6A
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 1073851620 (0x4001ACE4)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 28 (0x1C)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0xEFED
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Maximum Segment Size Option
TCP: Option Type = Maximum Segment Size
TCP: Option Length = 4 (0x4)
TCP: Maximum Segment Size = 1460 (0x5B4)
TCP: Option Nop = 1 (0x1)
TCP: Option Nop = 1 (0x1)
TCP: SACK Permitted Option
TCP: Option Type = Sack Permitted
TCP: Option Length = 2 (0x2)
00000: 96 D5 20 00 02 00 00 00 02 00 00 00 08 00 45 00 Õ ...........E.
00010: 00 30 4C 74 40 00 80 06 38 FA 3D 89 85 14 C0 A8 .0Lt@..8ú= .À¨
00020: F2 13 0E 6A 00 50 40 01 AC E4 00 00 00 00 70 02 ò..j.P@.¬ä....p.
00030: 22 38 EF ED 00 00 02 04 05 B4 01 01 04 02 "8ïí.....´....
2 0.030043 XEROX 000000 96D520000200 TCP ....S., len: 0, seq:1078731693-1078731693, ack: 0, win: 8760, src: 3774 dst: 80 WEBSERVER 192.168.157.84 IP
Frame: Base frame properties
Frame: Time of capture = 2001-8-5 16:0:46.515
Frame: Time delta from previous physical frame: 10014 microseconds
Frame: Frame number: 2
Frame: Total frame length: 62 bytes
Frame: Capture frame length: 62 bytes
Frame: Frame data: Number of data bytes remaining = 62 (0x003E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 96D520000200
ETHERNET: .......0 = Individual address
ETHERNET: ......1. = Locally administered address
ETHERNET: Source address : 000002000000
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 62 (0x003E)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 48 (0x0030)
IP: ID = 0x4C75; Proto = TCP; Len: 48
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 48 (0x30)
IP: Identification = 19573 (0x4C75)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x8DB8
IP: Source Address = 61.137.133.20
IP: Destination Address = 192.168.157.84
IP: Data: Number of data bytes remaining = 28 (0x001C)
TCP: ....S., len: 0, seq:1078731693-1078731693, ack: 0, win: 8760, src: 3774 dst: 80
TCP: Source Port = 0x0EBE
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 1078731693 (0x404C23AD)
TCP: Acknowledgement Number = 0 (0x0)
TCP: Data Offset = 28 (0x1C)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x02 : ....S.
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgement field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......1. = Synchronize sequence numbers
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0xCD45
TCP: Urgent Pointer = 0 (0x0)
TCP: Options
TCP: Maximum Segment Size Option
TCP: Option Type = Maximum Segment Size
TCP: Option Length = 4 (0x4)
TCP: Maximum Segment Size = 1460 (0x5B4)
TCP: Option Nop = 1 (0x1)
TCP: Option Nop = 1 (0x1)
TCP: SACK Permitted Option
TCP: Option Type = Sack Permitted
TCP: Option Length = 2 (0x2)
00000: 96 D5 20 00 02 00 00 00 02 00 00 00 08 00 45 00 Õ ...........E.
00010: 00 30 4C 75 40 00 80 06 8D B8 3D 89 85 14 C0 A8 .0Lu@..¸= .À¨
00020: 9D 54 0E BE 00 50 40 4C 23 AD 00 00 00 00 70 02 T.¾.P@L#....p.
00030: 22 38 CD 45 00 00 02 04 05 B4 01 01 04 02 "8ÍE.....´....
...全文
当前发帖距今超过3年,不再开放新的回复
发表回复
RickeyLv 2001-08-09
不用下载那一百多兆的补丁,只要到ms的网站下载一个RedCodeClean(56K),一切搞定,我就是这样的。
wweijie 2001-08-08
解决了:首先安装sp2然后安装微软最新的补丁,再使用最新的杀毒软件查杀木马。
应急的办法是删除Ida映射,方法是在IIS-站点-主目录-属性
谢谢各位
应急的办法是删除Ida映射,方法是在IIS-站点-主目录-属性
谢谢各位
wweijie 2001-08-07
症状如nettips(大藏)说的一样,在有c:\explorer.exe和d:\explorer.exe两个木马程序,c:\explorer.exe不能删除,如何删除该木马?
微软的补丁我已经下载,但它必须首先安装sp1或sp2
微软的补丁我已经下载,但它必须首先安装sp1或sp2
truemichael 2001-08-07
补丁下载地址:
Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
另外最好删除Ida映射,方法是在IIS-站点-主目录-属性
Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
另外最好删除Ida映射,方法是在IIS-站点-主目录-属性
hd506lg 2001-08-06
奇怪奇怪真奇怪!
bibleboy 2001-08-06
gz
wweijie 2001-08-06
感染
现在重装系统之后还这样(我只格式化了系统盘)
现在重装系统之后还这样(我只格式化了系统盘)
阿鹏兄 2001-08-06
gz
nettips 2001-08-06
大家快看看这个帖子:
有了针对中国的“红色代码病毒”了
http://bbs.patching.net/viewdoc.asp?id=2675 & currentpage=1
有了针对中国的“红色代码病毒”了
http://bbs.patching.net/viewdoc.asp?id=2675 & currentpage=1
wa19801 2001-08-06
这好象就是红色代码病毒!到microsoft 去下载一个补丁!去这里看看!
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
zwbrush 2001-08-06
呵呵,停掉IIS服务试试..
原来我的也是这样的,我把IIS服务反安装了,,,结果就好了...
原来我的也是这样的,我把IIS服务反安装了,,,结果就好了...
zjlsct 2001-08-06
据说红色代码不感染中文版的系统嘛
wmx111 2001-08-06
gz
playingmygame 2001-08-05
关注
