Re: Code Red II

From: Microsoft.com (cshuey@directvinternet.com)
Date: 06/05/02


From: "Microsoft.com" <cshuey@directvinternet.com>
Date: Tue, 4 Jun 2002 22:39:19 -0400


Actually, that is an Index server buffer overflow attack. It's okay if it
comes back with a 200 as long as the patches have been applied.

"Greg" <greg@infoline-la.org> wrote in message
news:9d3501c20c04$99ae88b0$a4e62ecf@tkmsftngxa06...
> I was recently going through my IIS log files on my
> Exchange server and discovered an entry that has me a
> little concerned.
>
> 2002-05-12 00:49:07 61.177.246.127 - 64.166.120.147 80
> GET /default.ida
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%
> u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%
> ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
> u53ff%u0078%u0000%u00=a 200 -
>
> What concerns me is the 200 at the end. This means that
> the command is successful. I have installed the
> recommended patches months ago. I have also found no
> other signs of the virus and I can't seem to find any
> information that sheds any light on my situation. The
> entry hasn't shown up in the log since May 19 and
> there are 1 to 4 entries every time it appears. It
> doesn't show up every day and it seems to disappear for 15
> or 20 days and comes back for a few more.
>
> If anyone has any information that could be helpful
> please let me know.
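
A way to pull entries like the one quoted above out of an IIS W3C log and count them per day and per status code (an added example, not part of either post). The column order is assumed from the quoted log entry, the function names are hypothetical, and the sample lines are constructed with documentation IP ranges and a shortened payload.

```python
import re
from collections import Counter

# Column order assumed from the log entry quoted in the post; a "#Fields:"
# directive in the log, when present, overrides it.
DEFAULT_FIELDS = ("date time c-ip cs-username s-ip s-port cs-method "
                  "cs-uri-stem cs-uri-query sc-status").split()
PADDING = re.compile(r"^(N{100,}|X{100,})")   # long run of one filler letter
UENC = re.compile(r"%u[0-9a-fA-F]{4}")        # %uXXXX-encoded words

def find_ida_probes(lines):
    """Return (date, client_ip, status) for each .ida overflow-style request."""
    fields, hits = DEFAULT_FIELDS, []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # log declares its own columns
            continue
        if not line or line.startswith("#"):
            continue                           # other directives, blank lines
        rec = dict(zip(fields, line.split()))
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "")
        if (stem.lower().endswith(".ida") and PADDING.match(query)
                and len(UENC.findall(query)) >= 2):
            hits.append((rec.get("date"), rec.get("c-ip"), rec.get("sc-status")))
    return hits

def summarize(hits):
    """Count matching requests per day and per HTTP status code."""
    return Counter(d for d, _, _ in hits), Counter(s for _, _, s in hits)

# Constructed sample input: three probes, two ordinary requests.
TAIL = "%u9090%u9090=a"
SAMPLE = [
    "#Fields: " + " ".join(DEFAULT_FIELDS) + " cs(User-Agent)",
    "2002-05-12 00:49:07 192.0.2.10 - 198.51.100.5 80 GET /default.ida "
    + "N" * 224 + TAIL + " 200 -",
    "2002-05-12 03:10:44 192.0.2.77 - 198.51.100.5 80 GET /default.ida "
    + "N" * 224 + TAIL + " 200 -",
    "2002-05-19 11:02:13 192.0.2.10 - 198.51.100.5 80 GET /default.ida "
    + "X" * 224 + TAIL + " 404 -",
    "2002-05-19 11:05:00 192.0.2.200 - 198.51.100.5 80 GET /default.htm - 200 Mozilla/4.0",
    "2002-05-19 11:06:00 192.0.2.200 - 198.51.100.5 80 GET /search.ida q=N 200 Mozilla/4.0",
]

if __name__ == "__main__":
    per_day, per_status = summarize(find_ida_probes(SAMPLE))
    print(dict(per_day), dict(per_status))
```

The status code is only tallied, not judged: as the reply says, a 200 on these requests is fine as long as the patches have been applied.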


