RE: code red---- on system that is already (and has been) patched

From: Dill, Stephen (SDill@MassMutual.com)
Date: 03/03/03

    From: "Dill, Stephen" <SDill@MassMutual.com>
    To: "'Mike Heitz'" <mikeheitz@upshotmail.com>, "Sandy Ryan" <sryan@seewolf.com>, focus-ms@securityfocus.com
    Date: Mon, 3 Mar 2003 17:24:42 -0500
    
    

    In a nutshell, if a 200 reply was logged for a "code red" request, then your
    server received the request and processed it as a vulnerable system should.

    Symantec has a little utility (I don't work for them. Just a happy user.)
    that will check for the vulnerability and, if found to be vulnerable, look
    for the worm.

    http://www.sarc.com/avcenter/fixcodered.zip

    If the system is found to be vulnerable, I suggest disconnect, clean (if
    infected), patch, reboot, check again, and if everything looks good,
    reconnect.

    -----Original Message-----
    From: Mike Heitz [mailto:mikeheitz@upshotmail.com]
    Sent: Monday, March 03, 2003 2:30 PM
    To: Sandy Ryan; focus-ms@securityfocus.com
    Subject: RE: code red---- on system that is already (and has been) patched

    I'm not 100% sure Sandy, but when I see Code Red hits (my server is
    patched, and patched on top of patched...) I see a 404 reply instead of
    a 200...

    mike heitz ** sr it manager ** UPSHOT
    312-943-0900 x5190

    -----Original Message-----
    From: Sandy Ryan [mailto:sryan@seewolf.com]
    Sent: Monday, March 03, 2003 10:47 AM
    To: focus-ms@securityfocus.com
    Subject: code red---- on system that is already (and has been) patched

    well - I doubt that the log is right - because I think the 200 implies
    that it's not infected - but when my customer sees his report - and path
    taken through the site he sees worm.com

    here's the log (simplified to get through the moderator)

    GET /default.ida NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the url]- - -

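Added here as an illustration, not code from anyone in the thread: a small Python triage script that picks Code Red probes out of IIS logs and applies the reading of the status code discussed above (200 = IIS accepted and processed the .ida request, 404 = the reply seen on patched hosts). The log lines and client addresses are constructed samples, and the parser assumes the IIS W3C extended log layout with a #Fields header.

```python
import re
from typing import Dict, List

# Constructed sample in IIS W3C extended log layout; the query string mirrors the
# truncated request quoted in the thread. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-version
2003-03-03 14:30:12 192.0.2.10 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 HTTP/1.0
2003-03-03 14:31:05 192.0.2.11 GET /default.ida NNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 HTTP/1.0
2003-03-03 14:32:40 198.51.100.7 GET /index.html - 200 HTTP/1.1
"""

# A Code Red probe: GET /default.ida with a query of filler letters followed by
# %uXXXX ("wide character") escapes, the shape the quoted log line shows.
PROBE_QUERY_RE = re.compile(r"^[A-Za-z]{4,}(?:%u[0-9a-fA-F]{4})+")

# What the thread reads into the status code of a probe.
VERDICTS = {"200": "processed: verify patch level and scan for the worm",
            "404": "rejected: consistent with a patched server"}


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                entries.append(dict(zip(fields, parts)))
    return entries


def is_code_red_probe(entry: Dict[str, str]) -> bool:
    return (entry.get("cs-method") == "GET"
            and entry.get("cs-uri-stem", "").lower() == "/default.ida"
            and PROBE_QUERY_RE.match(entry.get("cs-uri-query", "")) is not None)


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per Code Red probe: source, status and what it implies."""
    findings = []
    for e in parse_w3c(text):
        if is_code_red_probe(e):
            status = e["sc-status"]
            findings.append({"c-ip": e["c-ip"], "sc-status": status,
                             "verdict": VERDICTS.get(status, "other status: inspect manually")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['c-ip']:>15} {f['sc-status']} {f['verdict']}")
```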

