RE: Infected with code red II ?
From: Tom Love (tlove@pretendceo.com) Date: 08/18/01
- Previous message: Jon Zobrist: "RE: Blocking a remote static IP in Windows 2000"
- In reply to: Joe Lyman: "Re: Infected with code red II ?"
- Next in thread: akomolafe: "Re: Infected with code red II ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Tom Love" <tlove@pretendceo.com>
To: "Joe Lyman" <JLyman@graphicproducts.com>
Subject: RE: Infected with code red II ?
Date: Fri, 17 Aug 2001 19:41:14 -0400
Message-ID: <MBEIIKNLHFLGGEPKCINOOEHBDBAA.tlove@pretendceo.com>
Ours always return 400. Note that we never had the ida mapping in IIS, and
we applied MS01-33 (? I think that was it) the day it came out in May.
2001-08-17 02:35:05 64.180.98.116 - HFDWS01 10.0.0.19 80 GET /default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 400 121 - -
-----Original Message-----
From: Joe Lyman [mailto:JLyman@graphicproducts.com]
Sent: Friday, August 17, 2001 4:17 PM
To: imran@netwave.ca; deji@prontomail.com; focus-virus@securityfocus.com
Cc: focus-ms@securityfocus.com
Subject: Re: Infected with code red II ?
We patched the day the security advisory was released. Our servers have
always returned 200; examine the following:
2001-08-02 02:50:35 IPHERE - IPHERE GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039 62
HTTP/1.0 - - -
2001-08-17 00:26:25 IPHERE - IPHERE GET /default.ida
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 3818 234
HTTP/1.0 - - -
The end user/worm gets a page that states:
"File . Error 0x80040e14 caught while processing query "
I'll assume our servers are safe, but can anyone confirm that their patched
(but otherwise unmodified) servers do in fact return anything other than a
200 range reply? Thanks.
-Joseph Lyman
Graphic Products, Inc.
503-644-5572 ex 5662
800-788-5572 Toll Free
jlyman@graphicproducts.com
>>> "akomolafe" <deji@prontomail.com> 08/17/01 10:36AM >>>
The 200 looks like the request got in. That is the way I would read it. To
be certain, look in your IIS log and try to match the date/time in your IIS
log with the ones in your firewall log. Did the request reach the IIS
server?
I would also manually investigate the IIS server for tell-tale signs of the
Code-RedII just to be sure.
It seems to me that you are publishing your web service by IP addresses. I
would suggest you do it by FQDN instead. That way, your firewall will not be
passing requests that just happen to hit your IP.
Good luck.
----- Original Message -----
From: "Imran@netwave.ca" <imran@netwave.ca>
To: <focus-virus@securityfocus.com>
Cc: <focus-ms@securityfocus.com>
Sent: Thursday, August 16, 2001 4:43 PM
Subject: Infected with code red II ?
> The following is a sample from my IIS 4.0 server (I get the same activity on
> my IIS 5.0). I have patched the server and I ran the coderedscanner on my
> server and it showed that the server is clean. I read on this list that a
> return code of 200 indicates success and if the server is virus proof it
> should return an error code ... can someone please confirm this and what
> error code should be returned. What should the log look like if the
> infection is cleaned up and this is just a probe?
>
> best regards
> Imran.
>
>
> 2001-08-15 09:34:31 BOARDD2 - WEB1 999.999.999.999 GET /default.ida
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
> 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
> 2001-08-15 09:57:52 BOARDD2 - WEB1 999.999.999.999 GET /default.ida
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
> 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
> 2001-08-15 10:14:51 BOARDD2 - WEB1 999.999.999.999 GET /default.ida
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
> 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
> 2001-08-15 11:32:32 BOARDD2 - WEB1 999.999.999.999 GET /default.ida
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%
>
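Added example, not written by any poster in this thread: a small Python checker that applies akomolafe's advice to IIS W3C log lines in the format shown above, flagging /default.ida probes, tallying their status codes, and pairing each probe with a firewall log entry by source address and timestamp. The log lines, the 192.0.2.10 address and the firewall entries are constructed; PROBE_RE, find_probes, status_summary and correlate are names chosen here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed IIS W3C log lines modelled on the thread's samples, with the filler
# runs shortened (real probes carry a few hundred filler bytes). Not real traffic.
IIS_LOG = """\
2001-08-17 02:35:05 64.180.98.116 - HFDWS01 10.0.0.19 80 GET /default.ida XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u00=a 400 121 - -
2001-08-02 02:50:35 192.0.2.10 - WEB1 GET /default.ida NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u00=a 200 171 4039 62 HTTP/1.0 - - -
2001-08-17 00:26:25 192.0.2.10 - WEB1 GET /default.ida XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u00=a 200 171 3818 234 HTTP/1.0 - - -
2001-08-17 00:30:01 192.0.2.10 - WEB1 GET /index.html - 200 171 3818 234 HTTP/1.0 - - -
"""
# Constructed firewall log entries (timestamp, source IP) to correlate against.
FIREWALL_EVENTS = [{"when": datetime(2001, 8, 17, 2, 34, 58), "client": "64.180.98.116"},
                   {"when": datetime(2001, 8, 17, 0, 26, 20), "client": "192.0.2.10"}]
# The probe seen in the thread: GET /default.ida, a filler run of N or X, the
# %uXXXX-encoded payload, then the sc-status field.
PROBE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<client>\S+) .*?"
    r"GET /default\.ida (?P<filler>[NX]+)%u9090%u6858%ucbd3%u7801\S* (?P<status>\d{3})\b")

def find_probes(log_text):
    """One dict per .ida probe line: timestamp, source, filler variant, status."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            probes.append({
                "when": datetime.fromisoformat(f"{m['date']} {m['time']}"),
                "client": m["client"],
                # N filler: original Code Red; X filler: Code Red II (known attribution,
                # not stated in the thread, which only shows both forms).
                "variant": "CodeRedII" if m["filler"][0] == "X" else "CodeRed",
                "status": int(m["status"])})
    return probes

def status_summary(probes):
    """Probes per sc-status. In the thread, 400 came from a server with no .ida mapping
    and 200 from patched servers whose idq.dll sent an error page, so the status alone
    proves neither infection nor immunity."""
    return dict(Counter(p["status"] for p in probes))

def correlate(probes, firewall_events, tolerance_s=60):
    """akomolafe's check: pair each IIS probe with a firewall event from the same
    source within tolerance_s seconds. Returns (matched, unmatched) probe lists."""
    matched, unmatched = [], []
    for p in probes:
        hit = any(f["client"] == p["client"] and
                  abs((f["when"] - p["when"]).total_seconds()) <= tolerance_s
                  for f in firewall_events)
        (matched if hit else unmatched).append(p)
    return matched, unmatched
```

A probe that the IIS log shows but the firewall log does not is the case akomolafe asks about: the request reached the server without the firewall recording it.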