Security Incidents mailing list archives
RE: Code Red hits
From: Bryan Willis <BWillis () dynamicsdirect com>
Date: Wed, 1 Aug 2001 14:27:34 -0700
A patched system will still show a status code of 200 because a page is displayed saying that the query is invalid. I was seeing the 200's in my logs also, so I removed the .ida and .idq mappings on my sites, removed idq.dll from the system32 directory, made sure index server was uninstalled and made sure the system was patched. When someone tries to exploit the box, they now receive a 404 error.

Bryan

-----Original Message-----
From: Portnoy, Gary [mailto:gportnoy () belenosinc com]
Sent: Wednesday, August 01, 2001 10:57 AM
To: 'Powers, James L.'; incidents () securityfocus com
Subject: RE: Code Red hits

James,

The HTTP code says 200, meaning successful.. Double check the patches on the boxes to make sure you aren't contributing....

-Gary-

-----Original Message-----
From: Powers, James L. [mailto:JLPowers () cmhmetro net]
Sent: Wednesday, August 01, 2001 1:30 PM
To: incidents () securityfocus com
Subject: Code Red hits

Time is GMT. We are using eyeball scanners on our log files.

2001-08-01 17:06:02 209.27.247.5 - GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039 94 80
HTTP/1.0 - - -

2001-08-01 17:12:50 203.232.75.19 - GET /default.ida
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u90
90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 171 4039 578 80
HTTP/1.0 - - -

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
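
An added example, not part of the original thread: a small Python filter for the situation discussed in this message, where the status code logged for a default.ida probe shows whether the .ida/.idq mapping still answers (200, which per the message above a patched host also returns) or has been removed (404). The field order is assumed from the quoted log lines; the sample lines are constructed, with documentation addresses and shortened padding, and all function names are illustrative.

```python
import re
from collections import Counter

# Assumed field order, matching the log lines quoted in the thread:
# date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status ...
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) \S+ "
    r"(?P<method>[A-Z]+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})\b"
)
# Probe signature: the query starts with a long run of one padding character.
PAD_RE = re.compile(r"^(.)\1{15,}")

def classify(line):
    """Return a dict for an .ida/.idq padding probe, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or not m["stem"].lower().endswith((".ida", ".idq")):
        return None
    if not PAD_RE.match(m["query"]):
        return None  # ordinary Index Server query, not a padded probe
    status = int(m["status"])
    if status == 200:
        verdict = "mapping-present"   # patched or not: verify patch level separately
    elif status == 404:
        verdict = "mapping-removed"   # script mapping gone, request never reaches idq.dll
    else:
        verdict = "other"
    return {"when": f'{m["date"]} {m["time"]}', "ip": m["ip"],
            "status": status, "verdict": verdict}

def summarize(lines):
    """Collect all probe hits and count them per verdict."""
    hits = [h for h in map(classify, lines) if h]
    return hits, Counter(h["verdict"] for h in hits)

# Constructed sample lines (not taken from the thread).
PAD = "N" * 24 + "=a"
SAMPLE = [
    f"2001-08-01 17:06:02 192.0.2.5 - GET /default.ida {PAD} 200 171 4039 94 80 HTTP/1.0 - - -",
    f"2001-08-01 17:12:50 198.51.100.19 - GET /default.ida {PAD} 404 171 4039 78 80 HTTP/1.0 - - -",
    "2001-08-01 17:13:01 192.0.2.77 - GET /index.html - 200 512 230 15 80 HTTP/1.0 - - -",
    "2001-08-01 17:14:09 192.0.2.80 - GET /search.idq CiRestriction=foo 200 900 300 20 80 HTTP/1.0 - - -",
]

if __name__ == "__main__":
    hits, counts = summarize(SAMPLE)
    for h in hits:
        print(h["when"], h["ip"], h["status"], h["verdict"])
    print(dict(counts))
```
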
Current thread:
- Code Red hits Powers, James L. (Aug 01)
- <Possible follow-ups>
- RE: Code Red hits Portnoy, Gary (Aug 01)
- Re: Code Red hits Michael Tavares (Aug 01)
- RE: Code Red hits Bryan Willis (Aug 01)
- RE: Code Red hits Dave Salovesh (Aug 01)
- Code Red hits from inside network? Nuno Fernandes (Aug 01)