Re: Code Red hits

From: Michael Tavares (miketavares@mediaone.net)
Date: 08/01/01


Message-ID: <005501c11ac8$c7aab780$1aaa0dd0@stream.com>
From: "Michael Tavares" <miketavares@mediaone.net>
To: <incidents@securityfocus.com>
Subject: Re: Code Red hits
Date: Wed, 1 Aug 2001 16:30:12 -0400

This brings up an interesting point. I was scanning the logs on one of my
servers and came across several attempts; every other attempt is 200,
while the rest are 400s. Below is 1 of each. The box is patched (and has
been since MS released the patch). I have confirmed the patch with the Code
Red Scanner posted by eEye. Anyone care to explain why this is?

2001-08-01 08:38:24 210.50.3.34 - 2xx.xxx.xxx.xxx GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 400 0 470

2001-08-01 12:02:14 211.194.153.141 - 208.xxx.xxx.xxx GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039

----- Original Message -----
From: Portnoy, Gary <gportnoy@belenosinc.com>
To: 'Powers, James L.' <JLPowers@cmhmetro.net>;
<incidents@securityfocus.com>
Sent: Wednesday, August 01, 2001 1:57 PM
Subject: RE: Code Red hits

> James,
>
> The HTTP code says 200, meaning successful.. Double check the patches on the
> boxes to make sure you aren't contributing....
>
> -Gary-
>
> -----Original Message-----
> From: Powers, James L. [mailto:JLPowers@cmhmetro.net]
> Sent: Wednesday, August 01, 2001 1:30 PM
> To: incidents@securityfocus.com
> Subject: Code Red hits
>
>
>
> Time is GMT. We are using eyeball scanners on our log files.
>
> 2001-08-01 17:06:02 209.27.247.5 - GET /default.ida
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
> 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039 94
> 80 HTTP/1.0 - - -
>
> 2001-08-01 17:12:50 203.232.75.19 - GET /default.ida
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
> 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039 578
> 80 HTTP/1.0 - - -
>
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
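One way to tally the `/default.ida` probes discussed in this thread by source address and HTTP status, as an added example that is not part of the original messages. The sample lines are constructed (documentation addresses, shortened query string), and the 100-character filler threshold is an assumption; the script reports status codes only and does not decide whether a host is patched.

```python
import re
from collections import defaultdict

# Timestamp and client IP lead the line in both log layouts posted above; the
# server-IP column is optional, so skip lazily to the request itself.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?"
    r"GET /default\.ida (?P<query>\S+) (?P<status>\d{3})(?: |$)"
)
# Signature: a long run of one filler letter, then %uXXXX-encoded words.
# The 100-character minimum is an assumption, not a value from the thread.
SIGNATURE = re.compile(r"^([A-Za-z])\1{99,}(?:%u[0-9A-Fa-f]{4})+")


def parse_probe(line):
    """Return (timestamp, source, status) for a matching probe, else None."""
    m = ENTRY.match(line.strip())
    if not m or not SIGNATURE.match(m.group("query")):
        return None
    return m.group("ts"), m.group("src"), int(m.group("status"))


def tally(lines):
    """Map each probing source address to {status: count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = parse_probe(line)
        if hit:
            _, src, status = hit
            counts[src][status] += 1
    return {src: dict(by_status) for src, by_status in counts.items()}


# Constructed sample lines: documentation addresses, shortened query tail.
QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u00=a"
SAMPLE = [
    f"2001-08-01 08:38:24 192.0.2.10 - 198.51.100.1 GET /default.ida {QUERY} 400 0 470",
    f"2001-08-01 12:02:14 192.0.2.10 - 198.51.100.1 GET /default.ida {QUERY} 200 171 4039",
    f"2001-08-01 17:06:02 192.0.2.77 - GET /default.ida {QUERY} 200 171 4039 94 80 HTTP/1.0 - - -",
    "2001-08-01 17:07:00 192.0.2.99 - 198.51.100.1 GET /index.html - 200 512 120",
    "2001-08-01 17:08:00 192.0.2.99 - 198.51.100.1 GET /default.ida q=1 200 0 10",
]

if __name__ == "__main__":
    for src, by_status in sorted(tally(SAMPLE).items()):
        print(src, by_status)
```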


