Re: default.ida
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 06/04/03
- Next message: Karl Levinson [x y] mvp: "Re: URL Username and Passwords"
- Previous message: Ken Reilly: "Re: default.ida"
- In reply to: Erik: "default.ida"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 4 Jun 2003 13:03:20 -0400
"Erik" <erik@nospam.com> wrote in message
news:15d001c32ab7$972a0100$a501280a@phx.gbl...
> The default.ida is the file that Cod Red exploits. Your
> firewall is probably stopping the attack. Look for the
> 404 error, which would mean that your are OK. If it's
> getting a 200, then you may want to look at the server,
> which could be compromised.
Good advice, with a few additions:
Note that .IDA requests are most commonly the Code Red worm, but could also
be other things in addition to Code Red. I think the exploit can work even
if there is no default.ida file on the server.
Note that an IIS buffer overflow like the Index Server exploit probably
being used here does not result in any IIS log entry at all when it is
successful. So, you might see other 404 log entries but still be
compromised.
200 code with IDA indicates that the IDA script mapping has not been deleted
from IIS, but in this case probably indicates that that particular attack
may not have been successful, for the reason above. 200 generally but not
always indicates success.
500 messages generally indicate failure, though 502 messages might be seen
even when some kinds of attacks are successful.
Also, this may not be likely in your case, but keep in mind that a
successful attacker can delete log entries if she wishes.
More information on IIS log error messages and Code Red:
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
www.sarc.com
www.cert.org
Things to do to inspect and harden your server:
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#harden
Generally, hardening IIS against this one particular type of exploit [buffer
overflows] includes installing all patches from www.windowsupdate.com or
similar location, deleting unnecessary files, and either running iislockdown
with URLScan or following a hardening checklist for IIS and/or Windows to
improve vulnerable configuration settings like script mappings.
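The log triage Karl describes, as an added example that is not part of the original thread: a small parser for IIS W3C extended log lines that picks out .ida/.idq requests and annotates each status code the way the post reads it. The log excerpt is constructed for illustration, and the query field is a stand-in, not a real request string.

```python
import re
from collections import Counter

# Constructed IIS W3C extended log excerpt for illustration; not from the original post.
# The cs-uri-query column is a stand-in ("N" * 20), not a real worm request string.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-06-04 13:01:02 10.0.0.5 GET /default.ida NNNNNNNNNNNNNNNNNNNN 404
2003-06-04 13:01:09 10.0.0.7 GET /default.ida NNNNNNNNNNNNNNNNNNNN 200
2003-06-04 13:01:15 10.0.0.9 GET /default.ida NNNNNNNNNNNNNNNNNNNN 500
2003-06-04 13:01:20 10.0.0.9 GET /default.ida NNNNNNNNNNNNNNNNNNNN 502
2003-06-04 13:02:00 10.0.0.2 GET /index.htm - 200
"""

# How the post reads each status code on an .ida request (a successful overflow may log nothing).
STATUS_MEANING = {
    404: "not found: request reached IIS but was not serviced; usually harmless",
    200: "IDA script mapping still present: remove the mapping and inspect the server",
    500: "request failed",
    502: "gateway error: can still accompany a successful attack, investigate",
}

def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def ida_requests(text):
    """Return (c-ip, status, verdict) for every request whose stem ends in .ida or .idq."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if not re.search(r"\.id[aq]$", stem):
            continue
        status = int(rec["sc-status"])
        hits.append((rec["c-ip"], status, STATUS_MEANING.get(status, "review manually")))
    return hits

def summarize(text):
    """Count .ida requests per status code; an empty result does not prove the host is clean."""
    return Counter(status for _, status, _ in ida_requests(text))
```

Run `summarize(SAMPLE_LOG)` to get per-status counts, and `ida_requests(SAMPLE_LOG)` for the annotated list; a 200 row means the .ida mapping is still enabled and should be removed regardless of whether that request succeeded.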