RE: code red---- on system that is already (and has been) patched
From: Dill, Stephen (SDill@MassMutual.com)
Date: 03/04/03
- Previous message: H C: "RE: code red---- on system that is already (and has been) patched"
- Maybe in reply to: Sandy Ryan: "code red---- on system that is already (and has been) patched"
- Next in thread: Chris Davis: "RE: code red---- on system that is already (and has been) patched"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Dill, Stephen" <SDill@MassMutual.com>
To: "'H C'" <keydet89@yahoo.com>, "'Mike Heitz'" <mikeheitz@upshotmail.com>, "Sandy Ryan" <sryan@seewolf.com>, focus-ms@securityfocus.com
Date: Tue, 4 Mar 2003 11:17:32 -0500
The utility is just a quick and easy way to see if a system is vulnerable.
If the app running on the server doesn't use .ida or .idq, then go ahead and
disable them.
-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Tuesday, March 04, 2003 10:58 AM
To: Dill, Stephen; 'Mike Heitz'; Sandy Ryan; focus-ms@securityfocus.com
Subject: RE: code red---- on system that is already (and has been) patched
Just out of curiosity, why use a utility that you have
to download, when all you have to do is disable the
.ida and .idq script mappings? Are you really using
them?
--- "Dill, Stephen" <SDill@MassMutual.com> wrote:
> In a nutshell, if a 200 reply was logged for a "code red" request, then your
> server received the request and processed it as a vulnerable system should.
>
> Symantec has a little utility (I don't work for them. Just a happy user.)
> that will check for the vulnerability and, if found to be vulnerable, look
> for the worm.
>
> http://www.sarc.com/avcenter/fixcodered.zip
>
> If the system is found to be vulnerable, I suggest disconnect, clean (if
> infected), patch, reboot, check again, and if everything looks good,
> reconnect.
>
> -----Original Message-----
> From: Mike Heitz [mailto:mikeheitz@upshotmail.com]
> Sent: Monday, March 03, 2003 2:30 PM
> To: Sandy Ryan; focus-ms@securityfocus.com
> Subject: RE: code red---- on system that is already (and has been) patched
>
> I'm not 100% sure Sandy, but when I see Code Red hits (my server is
> patched, and patched on top of patched...) I see a 404 reply instead of
> a 200...
>
> mike heitz ** sr it manager ** UPSHOT
> 312-943-0900 x5190
>
> -----Original Message-----
> From: Sandy Ryan [mailto:sryan@seewolf.com]
> Sent: Monday, March 03, 2003 10:47 AM
> To: focus-ms@securityfocus.com
> Subject: code red---- on system that is already (and has been) patched
>
> well - I doubt that the log is right - because I think the 200 implies
> that it's not infected - but when my customer sees his report - and path
> taken through the site he sees worm.com
>
> here's the log (simplified to get through the moderator)
>
> GET /default.ida NN----NN%u9090%u6858%ucbd3%u7801...%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 206 4039 266 HTTP/1.0 [you know the url] - - -
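The thread turns on what the logged status code for a `/default.ida` probe tells you: a 200 means the .ida script mapping handed the request to the Index Server ISAPI extension, a 404 means the mapping is gone and the request was never processed. The following log triage is an added example, not code from any poster; it assumes IIS W3C extended log lines in the field order shown in the constructed sample, and a truncated probe query.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in IIS W3C extended format (date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). A Code Red probe requests /default.ida
# with a query of many N (or X) characters followed by %u-encoded shellcode;
# the query is truncated here for readability.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-03 10:41:02 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3 200
2003-03-03 10:42:15 192.0.2.11 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3 404
2003-03-03 10:43:30 192.0.2.12 GET /index.htm - 200
"""

# Long run of filler characters, then at least one %uXXXX-encoded word.
PAYLOAD_RE = re.compile(r"^[NX]{20,}.*%u[0-9a-fA-F]{4}")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a verdict for one W3C log line, or None if it is not a Code Red probe."""
    if line.startswith("#") or not line.strip():
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, client, method, stem, query, status = fields[:7]
    if stem.lower() != "/default.ida" or not PAYLOAD_RE.match(query):
        return None
    if status == "200":
        # The .ida mapping passed the request to idq.dll, which answered it. That
        # alone does not prove infection, but the mapping is still active, so the
        # host needs its patch level verified and a scan for the worm.
        verdict = "ida-mapping-active: verify patch and scan host"
    elif status == "404":
        # No handler registered for .ida: the mapping is removed and the request
        # was never processed by the Index Server extension.
        verdict = "ida-mapping-disabled: request not processed"
    else:
        verdict = f"unexpected status {status}: review manually"
    return {"time": f"{date} {time}", "client": client, "status": status, "verdict": verdict}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Classify every probe in a W3C log, skipping directives and non-probe requests."""
    return [v for v in (classify(ln) for ln in text.splitlines()) if v]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 on a host that already disabled the mappings is the contradiction worth chasing, since it means the mapping is back or the log is from a different host.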