Getting probed by Code Red
Anybody here getting probed yet? My server at home got hit 4 times today (that I know of). I just started playing with ODBC logging to SQL so I could generate reports regarding usage, when I noticed this nice new parameters field that I have never bothered with before.
Anybody here getting probed yet? My server at home got hit 4 times today (that I know of). I just started playing with ODBC logging to SQL so I could generate reports regarding usage, when I noticed this nice new "parameters" field that I have never bothered with before. Well, the reason why I noticed is that there are a bunch of "N"s followed by a specific series of characters. In addition, all four IPs were IIS boxes (1 from Spain, 2 from The Netherlands, and 1 from South Korea), all four were looking for the same file, and all four passed the same amount of info (via the parameter string, I imagine). I just wondered how many others have been swept here.
Participate on our website and join the conversation
This topic is archived. New comments cannot be posted and votes cannot be cast.
Responses to this topic
I got Win2k at home and grabbed that patch ASAP. I guess it's nowhere near as bad as for a server--which I have no clue how bad it must be for you guys.
Whew! Disaster avoided...for now. ;(
Whew! Disaster avoided...for now. ;(
No reboot eh? You lucky bastard
I've been patching 50+ servers and only a few Win2kSP1 managed to take the patch without reboot.
All with NT4 and Wink2SP2 I had to reboot.
The funny thing is that I was thinking about patching about 10 but when I ran the CodeRed-scanner it was over 50 boxes with IIS running 8)
If any of you want the app I was talking about send me a mail. Just type a range of ip:s and the app will scan them for unpatched IIS-boxes, great for a large network.
/Toby
I've been patching 50+ servers and only a few Win2kSP1 managed to take the patch without reboot.
All with NT4 and Wink2SP2 I had to reboot.
The funny thing is that I was thinking about patching about 10 but when I ran the CodeRed-scanner it was over 50 boxes with IIS running 8)
If any of you want the app I was talking about send me a mail. Just type a range of ip:s and the app will scan them for unpatched IIS-boxes, great for a large network.
/Toby
Quote:Cool, I thought I was going crazy for a moment there.
Now it's me feeling like that, wondering why I had to reboot
I got the option to reboot later but did'nt wait. Anyway I have checked them all after reboot and the patch worked so it's safe....for now
Clutch you got mail...
Waddy, thats strange. Have you stopped the IIS-service, not that should matter it should install anyway...
/Toby
Now it's me feeling like that, wondering why I had to reboot
I got the option to reboot later but did'nt wait. Anyway I have checked them all after reboot and the patch worked so it's safe....for now
Clutch you got mail...
Waddy, thats strange. Have you stopped the IIS-service, not that should matter it should install anyway...
/Toby
While we're in the subject of pathing..
Go this site and dowload the trail *NOW* !!
This is one of the best products I have ever used and I'll keep telling that to my boss until I get money for licenses
And no, I don't work for them
http://www.stbernard.com/products/updateexpert/products_updateexpert.asp
/Toby
Go this site and dowload the trail *NOW* !!
This is one of the best products I have ever used and I'll keep telling that to my boss until I get money for licenses
And no, I don't work for them
http://www.stbernard.com/products/updateexpert/products_updateexpert.asp
/Toby
Be warned! I too downloaded the Microsoft patch from their site the first day they offered it, but unfortunately, they came out with another one down the road because the first one didn't work. Go figure, here I was thinking, "Yeah, go ahead with your Code Red crap" and it turned out that I wasn't protected. Oh well. Just wanted to give a heads up!
i get over 200 hits a day by it on my megabytemike.com server... damn that thing to hell... but i hate IIS and dont use it so it h as not caused any problems yet except for the annoying norton antivirus popping up every 5 seconds "YOU GOT THE CODE RED WORM!!!!!" lol so annoying...
how we rid of this thing anyway without restarting? i have an uptime of 47 days and i'd like to keep it that way.
how we rid of this thing anyway without restarting? i have an uptime of 47 days and i'd like to keep it that way.
Install the patch, then reboot. That should clear it out and keep it from coming back. In addition, if you are infected you are generating a ton of traffic and would be in fact, part of the problem rather than the solution.
Also, CRII "installs" a backdoor that allows people to use your server for other tasks, and there are automated tools out there that will scan for these servers that are infected. So, it would be prudent to install the patch and reboot.
Also, CRII "installs" a backdoor that allows people to use your server for other tasks, and there are automated tools out there that will scan for these servers that are infected. So, it would be prudent to install the patch and reboot.
Short answer; it affects Pro as well. Long answer:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp
Also, here is a tool for those that have been infected, but you should read the "CAUTIONS" section of this page. It points out that there may be other effects of these worms that may not be easily spotted.
http://www.microsoft.com/technet/treevie...ools/redfix.asp
http://www.microsoft.com/technet/treevie...ools/redfix.asp
Here is a sample from my IIS 5 Log:
2001-09-17 01:34:10 209.39.238.104 - 10.160.20.14 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 3818 63 HTTP/1.0 - - - -
Does this mean I am infected by the Code Red, or I am just being probbed? I have these sporatically in my IIS Log.
I ran symantec's tool to check and see if I have the code red, but it says it didn't detect it.
I have installed all the patches and such.
TIA
2001-09-17 01:34:10 209.39.238.104 - 10.160.20.14 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 3818 63 HTTP/1.0 - - - -
Does this mean I am infected by the Code Red, or I am just being probbed? I have these sporatically in my IIS Log.
I ran symantec's tool to check and see if I have the code red, but it says it didn't detect it.
I have installed all the patches and such.
TIA
