Re: default.ida

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 06/04/03

Date: Wed, 4 Jun 2003 13:03:20 -0400

"Erik" <erik@nospam.com> wrote in message
news:15d001c32ab7$972a0100$a501280a@phx.gbl...

> The default.ida is the file that Code Red exploits. Your
> firewall is probably stopping the attack. Look for the
> 404 error, which would mean that you are OK. If it's
> getting a 200, then you may want to look at the server,
> which could be compromised.

Good advice, with a few additions:

Note that .IDA requests are most commonly the Code Red worm, but could also
be other things in addition to Code Red. I think the exploit can work even
if there is no default.ida file on the server.

Note that an IIS buffer overflow like the Index Server exploit probably
being used here does not result in any IIS log entry at all when it is
successful. So, you might see other 404 log entries but still be
compromised.

200 code with IDA indicates that the IDA script mapping has not been deleted
from IIS, but in this case probably indicates that that particular attack
may not have been successful, for the reason above. 200 generally but not
always indicates success.

500 messages generally indicate failure, though 502 messages might be seen
even when some kinds of attacks are successful.

Also, this may not be likely in your case, but keep in mind that a
successful attacker can delete log entries if she wishes.

More information on IIS log error messages and Code Red:

http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
www.sarc.com
www.cert.org

Things to do to inspect and harden your server:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#harden

Generally, hardening IIS against this one particular type of exploit [buffer
overflows] includes installing all patches from www.windowsupdate.com or
similar location, deleting unnecessary files, and either running iislockdown
with URLScan or following a hardening checklist for IIS and/or Windows to
improve vulnerable configuration settings like script mappings.
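A small log-triage script, added here as an illustration and not part of the original post, that applies the status-code reading above to IIS W3C extended log lines. The log lines, addresses and query strings are constructed placeholders, not captured Code Red traffic.

```python
"""Triage .ida/.idq requests in an IIS W3C extended log (constructed sample)."""
from collections import Counter

# Constructed sample log, not from the original post.  The query strings are
# placeholders; a real Code Red request carries a long overflow string there.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-06-04 13:01:02 192.0.2.10 GET /default.ida XXXXXXXX 404
2003-06-04 13:02:15 192.0.2.11 GET /default.ida XXXXXXXX 200
2003-06-04 13:02:40 192.0.2.11 GET /index.html - 200
2003-06-04 13:03:30 192.0.2.12 GET /scripts/test.idq XXXX 502
2003-06-04 13:04:01 192.0.2.13 GET /default.ida XXXXXXXX 500
"""

# Interpretation follows the thread: 404 = mapping gone or request blocked,
# 200 = the .ida mapping still exists and handled the request (ambiguous),
# 5xx = generally failure, except that 502 can accompany a successful attack.
VERDICTS = {
    404: "mapping removed or blocked; probably OK",
    200: "ida mapping still present; ambiguous, inspect host",
    502: "usually failure, but seen with some successful attacks",
}

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def triage_ida(text):
    """Return (matches, counts) for requests whose URI stem ends in .ida/.idq."""
    matches = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith((".ida", ".idq")):
            status = int(row["sc-status"])
            default = "generally failure" if status >= 500 else "unclassified"
            matches.append((row["c-ip"], stem, status, VERDICTS.get(status, default)))
    return matches, Counter(m[2] for m in matches)

if __name__ == "__main__":
    hits, by_status = triage_ida(SAMPLE_LOG)
    for ip, stem, status, verdict in hits:
        print(f"{ip:15} {stem:20} {status} {verdict}")
    print("by status:", dict(by_status))
```

As the reply notes, a successful overflow may leave no log line at all, so an empty or all-404 result from this script does not prove the host is clean.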
