RE: Infected with code red II ?

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 08/17/01


Message-ID: <BB7FD4FF9E440648A731452E5D341FB065443A@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'Imran@netwave.ca'" <imran@netwave.ca>, focus-ms@securityfocus.com
Subject: RE: Infected with code red II ?
Date: Fri, 17 Aug 2001 12:38:06 -0400

200 is an HTTP status code. The 2xx series of codes are all success codes of
one type or another; 200 is a "request fulfilled" code. It has nothing to
do with CodeRed, really.

CodeRed exploits a buffer overrun, which permits a malicious user to use a
legitimate service or application in an illegitimate manner. If you apply
the "CodeRed" patch, the buffer overrun no longer exists. However, the
service is still perfectly legitimate, and the application mapping still
exists (maps .ida and .idq extensions to C:\WINNT\System32\idq.dll). As
long as these mappings are in place, a request could return a 2xx code for
success. If you don't use the service at all, Microsoft recommends that you
eradicate the application mappings from IIS altogether. Go to the Web Site
Properties in ISM, and then to Home Directory, and Configuration. Remove
the .ida and .idq mappings. Restart IIS.

Had to crank this out fast. Hope it helps...

--
Keith W. McCammon
Sr. Network Engineer
DynCorp HITS

-----Original Message-----
From: Imran@netwave.ca [mailto:imran@netwave.ca]
Sent: Thursday, August 16, 2001 7:44 PM
To: focus-virus@securityfocus.com
Cc: focus-ms@securityfocus.com
Subject: Infected with code red II ?

The following is a sample from my IIS 4.0 server (I get the same activity on my IIS 5.0). I have patched the server and I ran the coderedscanner on my server and it showed that the server is clean. I read on this list that a return code of 200 indicates success and if the server is virus proof it should return an error code ... can someone please confirm this and what error code should be returned. What should the log look like if the infection is cleaned up and this is just a probe?

Best regards, Imran.
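As an added example (not code from either message above), the following Python script applies Keith's point to IIS W3C Extended log lines: it picks out requests for .ida/.idq files and reads the status code the way he describes, a 2xx meaning the idq.dll application mapping still handled the request, patch or no patch. The sample log, the client addresses and the rule that a removed mapping yields a 404 are assumptions constructed for the example.

```python
"""Triage IIS W3C Extended log lines for .ida/.idq requests (added example)."""
import re

# Constructed sample in IIS 4/5 W3C Extended format; field order comes from the
# #Fields: line as in real logs. The query value is a placeholder, not a payload.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-16 23:44:01 192.0.2.10 GET /default.ida PLACEHOLDER 200
2001-08-16 23:45:12 192.0.2.11 GET /index.html - 200
2001-08-16 23:46:03 192.0.2.12 GET /scripts/query.idq - 404
2001-08-16 23:47:30 192.0.2.13 GET /default.ida PLACEHOLDER 404
"""

IDA_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)


def classify(status: int) -> str:
    """What the status of an .ida/.idq request says about the server."""
    if 200 <= status < 300:
        # idq.dll handled the request: the mapping is still in place. The patch
        # alone does not change this; only removing the mapping does.
        return "mapping-present"
    if status == 404:
        # Assumption: with the mapping gone, IIS treats .ida as a plain file and
        # reports it missing.
        return "mapping-removed"
    return "other"


def triage(log_text: str) -> list[dict]:
    """Return one record per .ida/.idq request found in W3C log text."""
    fields: list[str] = []
    findings: list[dict] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # directive names the columns
            continue
        if not line or line.startswith("#"):
            continue                    # other directives / blank lines
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if not IDA_EXT.search(stem):
            continue
        status = int(row.get("sc-status", "0"))
        findings.append({"time": row.get("time"), "client": row.get("c-ip"),
                         "uri": stem, "status": status,
                         "verdict": classify(status)})
    return findings
```

Run `triage()` over the text of a real log file; any "mapping-present" verdict after patching is the case Keith describes, where the .ida/.idq mappings still need to be removed from IIS.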


